Stage 4 — Start MongoDB and ianode-access

How to complete this stage

Start MongoDB and the ianode-access service so user attributes can be resolved and served to the IA node during authenticated requests.

Approach and rationale

The IA node enforces access control using user attributes. These attributes are stored and served by ianode-access, which relies on MongoDB for persistence. This stage brings up the supporting services required for attribute resolution before the IA node itself is started. Open a new terminal for this stage and leave the services running.

4.1 Start MongoDB

MongoDB stores user and group information required by the access service. From the ianode-access repository root:

cd ~/src/ianode-access
docker compose up mongo -d

Checkpoint

MongoDB is running and available to the access service.

4.2 Load the environment configuration

The access service relies on environment variables to:

  • Locate the identity provider
  • Interpret authentication tokens
  • Expose user attributes correctly

The repository provides environment configuration through the following scripts:

  • dev_env.sh
  • token_env.sh

Source these scripts:

source ./dev_env.sh
source ./token_env.sh

Operational note

If you open a new terminal later, you must source these scripts again, as environment variables are not shared between terminals.

4.3 Configure the access service environment

Before starting the access service, set the environment variables it uses to interpret authentication tokens and expose user attributes.

Use localhost for the identity provider URL.
Do not use 0.0.0.0, as this can cause token decoding failures.

Set the following variables:

export SCIM_ENABLED=true
export GROUPS_KEY="cognito:groups"
export DEPLOYED_DOMAIN="http://localhost:3000"
export OPENID_PROVIDER_URL="http://localhost:9229/${USER_POOL_ID}"
export CLIENT_ID="${CLIENT_ID}"

These settings control the following:

  • SCIM_ENABLED ensures the service uses Cognito Local rather than a cloud identity provider.
  • GROUPS_KEY tells the service where to read group membership from the token.
  • DEPLOYED_DOMAIN defines the expected domain for token validation.
  • OPENID_PROVIDER_URL points to the identity provider that issues tokens.
  • CLIENT_ID identifies the application requesting tokens.

Exporting the variables ensures that they can be used by child processes.
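
A preflight check for the settings above, as an added example that is not part of the ianode-access repository. The function name check_access_env and its messages are assumptions; it only inspects the five variables listed in this stage and the localhost rule stated above.

```shell
# Added example (not part of ianode-access): preflight check for stage 4.3.
# check_access_env is a hypothetical helper name. POSIX sh; source this file,
# then run: check_access_env && yarn dev
check_access_env() (
    problems=0
    fail() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

    # Each variable must be non-empty AND exported: `env` is a child process,
    # so it sees only what the service process would see.
    for name in SCIM_ENABLED GROUPS_KEY DEPLOYED_DOMAIN OPENID_PROVIDER_URL CLIENT_ID; do
        eval "value=\${$name-}"   # safe: $name comes from the fixed list above
        if [ -z "$value" ]; then
            fail "$name is unset or empty"
        elif ! env | grep -q "^${name}="; then
            fail "$name is set but not exported"
        fi
    done

    # Split scheme://host:port/path using parameter expansion only.
    rest=${OPENID_PROVIDER_URL-}
    rest=${rest#*://}
    hostport=${rest%%/*}
    host=${hostport%%:*}
    case "$rest" in
        */*) pool=${rest#*/} ;;
        *)   pool="" ;;
    esac

    # This stage says to use localhost, not 0.0.0.0 (token decoding failures).
    [ "$host" = "0.0.0.0" ] && fail "OPENID_PROVIDER_URL uses 0.0.0.0; use localhost"

    # An empty last segment means USER_POOL_ID was empty when the URL was built,
    # e.g. the environment scripts from 4.2 were not sourced in this terminal.
    [ -n "${OPENID_PROVIDER_URL-}" ] && [ -z "$pool" ] &&
        fail "OPENID_PROVIDER_URL has no user pool id after the port"

    [ "$problems" -eq 0 ]
)
```

The function returns non-zero and prints one FAIL line per problem on stderr, so it can gate the service start in the same terminal.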

4.4 Install dependencies and start the access service

Install the service dependencies and start the access service so it can begin responding to requests for user attributes.

yarn install
yarn dev

Leave this process running.

Operational notes

  • If corepack enable fails due to permissions, ensure Yarn is installed and available by running:

    yarn --version

  • If you change any of the environment variables set in this stage, stop the service (Ctrl+C) and restart:

    yarn dev

  • The /whoami endpoint expects an Authorization header. Calling it without a bearer token may cause the service to crash.

4.5 Checkpoint

At the end of this stage:

  • MongoDB is running.
  • The ianode-access service is running.
  • The /whoami endpoint responds when called with a valid token.

If the access service is not running or cannot resolve attributes, later IA node stages will fail.

Do not proceed until this checkpoint passes.

Next Steps

Build IA Node Components