Fix #1174 Add OIDC, Encryption documentation for NextStep (#1745)
Fix #1174 Add OIDC, Encryption documentation for NextStep
korbelm authored Dec 9, 2024
1 parent 5fb04f1 commit 792d909
Showing 2 changed files with 25 additions and 17 deletions.
21 changes: 4 additions & 17 deletions docs/Next-Step-Server.md
Expand Up @@ -18,7 +18,7 @@ Next Step Server implements following functionality:
- create an authentication method
- listing available authentication methods both general and user-specific
- enabling/disabling authentication methods per user including their configuration (configuration is required for the [Mobile Token](./Mobile-Token-Configuration.md))
- get a list of authentication methods currently enabled for the user
- get a list of authentication methods currently enabled for the user
- delete an authentication method
- management of operations
- create a new operation
Expand All @@ -34,8 +34,8 @@ Next Step Server implements following functionality:
- retrieve mobile token configuration
- get and update detailed authentication method and operation configuration
- authentication method downgrade for the next step
- enable PowerAuth token for the next step
- integration with PowerAuth operations
- enable PowerAuth token for the next step
- integration with PowerAuth operations
- store result of an AFS action
- management of organizations
- create an organization
Expand All @@ -52,7 +52,7 @@ Next Step Server implements following functionality:
- obtaining user authentication history
- update status of multiple user identities
- lookup of user identities
- management of Next Step applications
- management of Next Step applications
- management of credential policies
- management of OTP policies
- management of credential definitions
Expand All @@ -68,16 +68,3 @@ Next Step Server implements following functionality:
REST services are available for all Next Step functionality listed above.

The Next Step Server functionality is described in details in [Next Step Server REST API Reference](./Next-Step-Server-REST-API-Reference.md).


## OpenID Connect (OIDC)

You may configure OpenID Connect (OIDC) authentication.

| Property | Default value | Description |
|---------------------------------------------------------|---------------|---------------------------------------------------------------------------------------|
| `powerauth.nextstep.security.auth.type` | | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
| `spring.security.oauth2.resource-server.jwt.issuer-uri` | | URL of the provider, e.g. `https://sts.windows.net/example/` |
| `spring.security.oauth2.resource-server.jwt.audiences` | | A comma-separated list of allowed `aud` JWT claim values to be validated. |

See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details.
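Review bot: removing the whole OIDC section from docs/Next-Step-Server.md leaves that page without any pointer to where `powerauth.nextstep.security.auth.type` and the `spring.security.oauth2.resource-server.jwt.*` properties are now documented; consider keeping a one-line cross-reference to Web-Flow-Configuration.md in place of the removed section so readers of the server overview can still find the OIDC settings.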
21 changes: 21 additions & 0 deletions docs/Web-Flow-Configuration.md
Expand Up @@ -243,7 +243,16 @@ springdoc.default-produces-media-type=application/json

# Set the Spring application name
spring.application.name=powerauth-nextstep

# OIDC configuration
powerauth.nextstep.security.auth.type=OIDC
# URL of the provider, e.g. `https://sts.windows.net/example/`
spring.security.oauth2.resource-server.jwt.issuer-uri=
# A comma-separated list of allowed `aud` JWT claim values to be validated.
spring.security.oauth2.resource-server.jwt.audiences=
```
See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details.


Encryption of user passwords during transport (end-to-end encryption) can be configured using following property:
```properties
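Review bot: the "See the Spring Security documentation" link added here points at the `#oauth2-client-log-users-in` anchor, which covers OAuth2 client login, while the properties in this hunk (`spring.security.oauth2.resource-server.jwt.issuer-uri`, `spring.security.oauth2.resource-server.jwt.audiences`) configure a JWT resource server; the resource-server JWT section of the same reference is the matching target. The comment above `spring.security.oauth2.resource-server.jwt.audiences=` should also state that the list must not be left empty when `powerauth.nextstep.security.auth.type=OIDC` is set: with no audiences configured, Spring Boot registers no `aud` claim validator, so any valid token from the issuer is accepted regardless of which application it was issued for.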
Expand All @@ -267,6 +276,18 @@ String encryptionKey = Base64.getEncoder().encodeToString(randomBytes);
Do not use the same key for end-to-encryption and database record encryption. Store the keys securely, ideally using a vault mechanism._
<!-- end -->

### Docker Environment Setup
For docker image configuration, the following environment variables can be used :

| Environment Variable | Default value | Description |
|------------------------------------------|---------------|----------------------------------------------------------------------------------------------|
| `NEXTSTEP_MASTER_DB_ENCRYPTION_KEY` | | [16 random bytes Base64 encoded, for example 'MTIzNDU2Nzg5MDEyMzQ1Ng=='] |
| `NEXTSTEP_E2E_ENCRYPTION_KEY` | | [32 random bytes Base64 encoded, for example 'SkJNSkp5eTZMRHk5N0RDSGRacEhhZlp0NnpValdOVksK'] |
| `NEXTSTEP_AUTH_TYPE` | NONE | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
| `NEXTSTEP_SECURITY_AUTH_OIDC_ISSUER_URI` | | URL of the provider, e.g. `https://sts.windows.net/example/` |
| `NEXTSTEP_SECURITY_AUTH_OIDC_AUDIENCES` | | A comma-separated list of allowed `aud` JWT claim values to be validated. |


## Data Adapter
At minimum the following configuration properties should be updated based on deployment:
- `powerauth.authorization.sms-otp.expiration-time-in-second` - SMS OTP operation expiration time in seconds
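Review bot: the example values in the new environment-variable table are not recognisable as placeholders and do not match their descriptions: `MTIzNDU2Nzg5MDEyMzQ1Ng==` is the Base64 encoding of the ASCII string `1234567890123456`, and `SkJNSkp5eTZMRHk5N0RDSGRacEhhZlp0NnpValdOVksK` decodes to 33 bytes (32 printable characters followed by a newline), so neither is 16 or 32 random bytes. Replace them with an obvious placeholder or point to the `Base64.getEncoder().encodeToString(randomBytes)` snippet visible in the hunk context, so documented strings are not copied into deployments. Also, `bellow` in the `NEXTSTEP_AUTH_TYPE` row should read `below`.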

0 comments on commit 792d909