Fix #1174 Add OIDC, Encryption documentation for NextStep (#1745)

Fix #1174 Add OIDC, Encryption documentation for NextStep (cherry picked from commit 792d909)
wultra · Dec 9, 2024 · b77d0e3 · b77d0e3
1 parent 3e3391b
commit b77d0e3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 17 deletions.
diff --git a/docs/Next-Step-Server.md b/docs/Next-Step-Server.md
@@ -18,7 +18,7 @@ Next Step Server implements following functionality:
   - create an authentication method
   - listing available authentication methods both general and user-specific
   - enabling/disabling authentication methods per user including their configuration (configuration is required for the [Mobile Token](./Mobile-Token-Configuration.md))
-  - get a list of authentication methods currently enabled for the user  
+  - get a list of authentication methods currently enabled for the user
   - delete an authentication method
 - management of operations
   - create a new operation
@@ -34,8 +34,8 @@ Next Step Server implements following functionality:
   - retrieve mobile token configuration
   - get and update detailed authentication method and operation configuration
   - authentication method downgrade for the next step
-  - enable PowerAuth token for the next step   
-  - integration with PowerAuth operations   
+  - enable PowerAuth token for the next step
+  - integration with PowerAuth operations
   - store result of an AFS action
 - management of organizations
   - create an organization
@@ -52,7 +52,7 @@ Next Step Server implements following functionality:
   - obtaining user authentication history
   - update status of multiple user identities
   - lookup of user identities
-- management of Next Step applications  
+- management of Next Step applications
 - management of credential policies
 - management of OTP policies
 - management of credential definitions
@@ -68,16 +68,3 @@ Next Step Server implements following functionality:
 REST services are available for all Next Step functionality listed above.
 
 The Next Step Server functionality is described in details in [Next Step Server REST API Reference](./Next-Step-Server-REST-API-Reference.md).
-
-
-## OpenID Connect (OIDC)
-
-You may configure OpenID Connect (OIDC) authentication.
-
-| Property                                                | Default value | Description                                                                           |
-|---------------------------------------------------------|---------------|---------------------------------------------------------------------------------------|
-| `powerauth.nextstep.security.auth.type`                 |               | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
-| `spring.security.oauth2.resource-server.jwt.issuer-uri` |               | URL of the provider, e.g. `https://sts.windows.net/example/`                          |
-| `spring.security.oauth2.resource-server.jwt.audiences`  |               | A comma-separated list of allowed `aud` JWT claim values to be validated.             |
-
-See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details. 
diff --git a/docs/Web-Flow-Configuration.md b/docs/Web-Flow-Configuration.md
@@ -243,7 +243,16 @@ springdoc.default-produces-media-type=application/json
 
 # Set the Spring application name
 spring.application.name=powerauth-nextstep
+
+# OIDC configuration
+powerauth.nextstep.security.auth.type=OIDC
+# URL of the provider, e.g. `https://sts.windows.net/example/`
+spring.security.oauth2.resource-server.jwt.issuer-uri=
+# A comma-separated list of allowed `aud` JWT claim values to be validated.
+spring.security.oauth2.resource-server.jwt.audiences=
 ```
+See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details.
+
 
 Encryption of user passwords during transport (end-to-end encryption) can be configured using following property:
 ```properties
@@ -267,6 +276,18 @@ String encryptionKey = Base64.getEncoder().encodeToString(randomBytes);
 Do not use the same key for end-to-encryption and database record encryption. Store the keys securely, ideally using a vault mechanism._
 <!-- end -->
 
+### Docker Environment Setup
+For docker image configuration, the following environment variables can be used :
+
+| Environment Variable                     | Default value | Description                                                                                  |
+|------------------------------------------|---------------|----------------------------------------------------------------------------------------------|
+| `NEXTSTEP_MASTER_DB_ENCRYPTION_KEY`      |               | [16 random bytes Base64 encoded, for example 'MTIzNDU2Nzg5MDEyMzQ1Ng==']                     |
+| `NEXTSTEP_E2E_ENCRYPTION_KEY`            |               | [32 random bytes Base64 encoded, for example 'SkJNSkp5eTZMRHk5N0RDSGRacEhhZlp0NnpValdOVksK'] |
+| `NEXTSTEP_AUTH_TYPE`                     | NONE          | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured.        |
+| `NEXTSTEP_SECURITY_AUTH_OIDC_ISSUER_URI` |               | URL of the provider, e.g. `https://sts.windows.net/example/`                                 |
+| `NEXTSTEP_SECURITY_AUTH_OIDC_AUDIENCES`  |               | A comma-separated list of allowed `aud` JWT claim values to be validated.                    |
+
+
 ## Data Adapter
 At minimum the following configuration properties should be updated based on deployment:
 - `powerauth.authorization.sms-otp.expiration-time-in-second` - SMS OTP operation expiration time in seconds