Fix #1174 Add OIDC, Encryption documentation for NextStep #1745

Merged 2 commits, Dec 9, 2024
Changes from 1 commit
21 changes: 4 additions & 17 deletions docs/Next-Step-Server.md
Expand Up @@ -18,7 +18,7 @@ Next Step Server implements following functionality:
- create an authentication method
- listing available authentication methods both general and user-specific
- enabling/disabling authentication methods per user including their configuration (configuration is required for the [Mobile Token](./Mobile-Token-Configuration.md))
- get a list of authentication methods currently enabled for the user
- get a list of authentication methods currently enabled for the user
- delete an authentication method
- management of operations
- create a new operation
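Review bot: the only changed line in this hunk is "get a list of authentication methods currently enabled for the user", and the removed and added versions read identically, so this is a whitespace or indentation fix rather than a content change; the same applies to the "enable PowerAuth token" / "integration with PowerAuth operations" pair in the hunk at -34 and the "management of Next Step applications" line in the hunk at -52. Consider keeping such list cleanups in their own commit so the OIDC and encryption documentation change stays easy to review on its own.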
Expand All @@ -34,8 +34,8 @@ Next Step Server implements following functionality:
- retrieve mobile token configuration
- get and update detailed authentication method and operation configuration
- authentication method downgrade for the next step
- enable PowerAuth token for the next step
- integration with PowerAuth operations
- enable PowerAuth token for the next step
- integration with PowerAuth operations
- store result of an AFS action
- management of organizations
- create an organization
Expand All @@ -52,7 +52,7 @@ Next Step Server implements following functionality:
- obtaining user authentication history
- update status of multiple user identities
- lookup of user identities
- management of Next Step applications
- management of Next Step applications
- management of credential policies
- management of OTP policies
- management of credential definitions
Expand All @@ -68,16 +68,3 @@ Next Step Server implements following functionality:
REST services are available for all Next Step functionality listed above.

The Next Step Server functionality is described in details in [Next Step Server REST API Reference](./Next-Step-Server-REST-API-Reference.md).


## OpenID Connect (OIDC)

You may configure OpenID Connect (OIDC) authentication.

| Property | Default value | Description |
|---------------------------------------------------------|---------------|---------------------------------------------------------------------------------------|
| `powerauth.nextstep.security.auth.type` | | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
| `spring.security.oauth2.resource-server.jwt.issuer-uri` | | URL of the provider, e.g. `https://sts.windows.net/example/` |
| `spring.security.oauth2.resource-server.jwt.audiences` | | A comma-separated list of allowed `aud` JWT claim values to be validated. |

See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details.
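Review bot: this hunk deletes the whole "OpenID Connect (OIDC)" section from Next-Step-Server.md without leaving a pointer behind, so a reader of the Next Step Server page no longer learns that OIDC authentication exists or where it is configured. Suggest keeping a one-line cross-reference in place of the removed section, for example "OIDC authentication and encryption keys are configured in [Web Flow Configuration](./Web-Flow-Configuration.md).", next to the existing link to the REST API reference.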
20 changes: 20 additions & 0 deletions docs/Web-Flow-Configuration.md
Expand Up @@ -243,7 +243,16 @@ springdoc.default-produces-media-type=application/json

# Set the Spring application name
spring.application.name=powerauth-nextstep

# OIDC configuration
powerauth.nextstep.security.auth.type=OIDC
# URL of the provider, e.g. `https://sts.windows.net/example/`
spring.security.oauth2.resource-server.jwt.issuer-uri=
# A comma-separated list of allowed `aud` JWT claim values to be validated.
spring.security.oauth2.resource-server.jwt.audiences=
```
See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details.


Encryption of user passwords during transport (end-to-end encryption) can be configured using following property:
```properties
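Review bot: the new `spring.security.oauth2.resource-server.jwt.audiences` line is added empty with no statement that it is mandatory once `powerauth.nextstep.security.auth.type=OIDC` is set; with an empty audience list Spring Boot's resource-server auto-configuration registers no `aud` validator, so a token issued by the configured issuer for any other application would be accepted by Next Step. Suggest stating that `audiences` must be set whenever OIDC is enabled and showing a filled-in example, e.g. `spring.security.oauth2.resource-server.jwt.audiences=powerauth-nextstep`. Two smaller points: Spring Boot documents the property prefix as `spring.security.oauth2.resourceserver.jwt` (no hyphen), so please confirm that the hyphenated `resource-server` spelling used here actually binds, or that the application maps it itself; and the Spring Security link goes to the OAuth2 client "log users in" section, whereas these properties configure a JWT resource server, so the resource-server JWT page would be the better reference.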
Expand All @@ -267,6 +276,17 @@ String encryptionKey = Base64.getEncoder().encodeToString(randomBytes);
Do not use the same key for end-to-encryption and database record encryption. Store the keys securely, ideally using a vault mechanism._
<!-- end -->

### In case of using docker image, following environment variables can be used

| Environment Variable | Default value | Description |
|------------------------------------------|---------------|----------------------------------------------------------------------------------------------|
| `NEXTSTEP_MASTER_DB_ENCRYPTION_KEY` | | [16 random bytes Base64 encoded, for example 'MTIzNDU2Nzg5MDEyMzQ1Ng=='] |
| `NEXTSTEP_E2E_ENCRYPTION_KEY` | | [32 random bytes Base64 encoded, for example 'SkJNSkp5eTZMRHk5N0RDSGRacEhhZlp0NnpValdOVksK'] |
| `NEXTSTEP_AUTH_TYPE` | NONE | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
| `NEXTSTEP_SECURITY_AUTH_OIDC_ISSUER_URI` | | URL of the provider, e.g. `https://sts.windows.net/example/` |
| `NEXTSTEP_SECURITY_AUTH_OIDC_AUDIENCES` | | A comma-separated list of allowed `aud` JWT claim values to be validated. |


## Data Adapter
At minimum the following configuration properties should be updated based on deployment:
- `powerauth.authorization.sms-otp.expiration-time-in-second` - SMS OTP operation expiration time in seconds
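Review bot: the example key values in the new environment-variable table should be replaced with obvious placeholders, because both are likely to be copied verbatim: `MTIzNDU2Nzg5MDEyMzQ1Ng==` decodes to the ASCII string 1234567890123456, which is a predictable database encryption key, and `SkJNSkp5eTZMRHk5N0RDSGRacEhhZlp0NnpValdOVksK` decodes to 33 bytes ending in a newline (the usual result of piping through `base64` without suppressing the trailing newline), not the 32 bytes the description promises. Something like `<base64 of 16 random bytes>` plus a pointer to the key-generation snippet above the table would avoid both problems. Also in this hunk: "bellow" should be "below" in the `NEXTSTEP_AUTH_TYPE` row, the heading would read better as "Environment variables for the Docker image", and the default `NONE` shown for `NEXTSTEP_AUTH_TYPE` is not mentioned for `powerauth.nextstep.security.auth.type` in the properties section, so the two should be kept consistent.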