Skip to main content

Deploying the Authorization Server

caution

Please ensure that you have Helm installed correctly before proceeding with the steps outlined below. Refer to Installing Helm for details.

FPX is packaged as a Helm chart. There are two ways to gain access to the chart, either directly via the chart source code, or by adding the remote repository:

$ helm repo add identos https://charts.dev.identos.ca

It should then show up with the command:

$ helm repo list

Finally, to install the Helm chart, run the following command:

$ helm upgrade --install fpx identos/fpxcore -f configuration.yaml --version v2.1.4

During the installation, the components network will be deployed. Installation is complete when you run the following command and all deployments are ready, up-to-date and available (the numbers may differ based on the configuration applied):

$ kubectl get deployments
NAME READY UP-TO-DATE AVAILABLE AGE
fpx-authapi 1/1 1 1 2m6s
fpx-authserver 1/1 1 1 2m6s

Assuming that ingress objects were enabled as part of the installation, the deployed HTTP endpoints can be shown:

$ kubectl get ing
NAME HOSTS ADDRESS PORTS AGE
fpx-authapi authapi.example.com 80, 443 6m6s
fpx-authserver idnserver.example.com 80, 443 6m6s

Configuration

Configuration for a Helm chart is provided as a YAML formatted file. The following table lists the configuration parameters, a description and their default values.

note

The first half of the table defines configuration parameters for the Authorization Server and the second half focuses on the parameters for Authorization Server API.

ParameterDescriptionDefault
authorizationServer.enabledIf an Authorization Server should be deployed.true
authorizationServer.replicaCountNumber of replicas to deploy of the Authorization Server, set to a number > 1 for redundancy purposes.1
authorizationServer.image.credentialsName of the secret within the deploy namespace that contains the credentials for the container image.identos
authorizationServer.image.repositoryThe repository URL for the container image.null
authorizationServer.image.tagThe specific tag/version of the docker image.null
authorizationServer.image.pullPolicyPod container pullPolicy setting, see https://kubernetes.io/docs/concepts/containers/images/ for details.Always
authorizationServer.ingress.enabledBoolean value enabling or disabling the creation of an ingress record.false
authorizationServer.ingress.annotationsAny custom annotations for this ingress record.{}
authorizationServer.ingress.hostHostname with which an ingress record can be configured.null
authorizationServer.application.configFull application configuration for the FPX Authorization Server. Click here for details.""
authorizationServer.application.enableHTTPSSetting this value to 'true' will enable full end-to-end TLS encryption to application container.true
authorizationServer.application.portTCP Port that application will be listening on.8080
authorizationServer.extraEnvExtra environment variables to inject into container.{}
authorizationServer.nodeSelectorNode selector rules.{}
authorizationServer.tolerationsAny node taints to tolerate.{}
authorizationServer.affinityAny resource affinities for node selection.{}
authorizationServer.refreshUseful parameter to force application to restart when new configurations are applied.1
authorizationServer.deployment.annotationsThis will discover deploymentconfigs/deployments/daemonsets/statefulset/rollouts automatically.null
authorizationServer.ingress.tls.hostsHostname of the environment.null
authorizationServer.keystores.https.aliasThe alias (or name) under which the key is stored in the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details.null
authorizationServer.keystores.https.enabledEnable HTTPS.true
authorizationServer.keystores.https.jwksThe key itself as a md5 encoded PKCS12 KeyStore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details.null
authorizationServer.keystores.https.passwordThe password of the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details.null
authorizationServer.keystores.signingKey.enableKey used for signing/verifying.null
authorizationServer.suffixSuffix value for the Auth API application.null
Authorization Server API Values
ParameterDescriptionDefault
authorizationApi.enabledIf an Authorization Server should be deployed.true
authorizationApi.replicaCountNumber of replicas to deploy of the Authorization Server, set to a number > 1 for redundancy purposes.1
authorizationApi.image.credentialsName of the secret within the deploy namespace that contains the credentials for the container image.identos
authorizationApi.image.repositoryThe repository URL for the container image.null
authorizationApi.image.tagThe specific tag/version of the docker image.null
authorizationApi.image.pullPolicyPod container pullPolicy setting, see https://kubernetes.io/docs/concepts/containers/images/ for details.Always
authorizationApi.ingress.enabledBoolean value enabling or disabling the creation of an ingress record.false
authorizationApi.ingress.annotationsAny custom annotations for this ingress record.{}
authorizationApi.ingress.hostHostname to configure the ingress record with.null
authorizationApi.application.configFull application configuration for the FPX Authorization Server. Click here for details""
authorizationApi.application.enableHTTPSFull end-to-end TLS encryption to application container.true
authorizationApi.application.portTCP Port that application will be listening on.8080
authorizationApi.extraEnvExtra environment variables to inject into container.{}
authorizationApi.nodeSelectorNode selector rules.{}
authorizationApi.tolerationsAny node taints to tolerate.{}
authorizationApi.affinityAny resource affinities for node selection.{}
authorizationApi.refreshUseful parameter to force application to restart when new configurations are applied.1
authorizationApi.ingress.tls.hostsHostname of the environment.null
authorizationApi.ingress.tls.secretNameRefers to the SSL certificates required for HTTPS.null
authorizationApi.keystores.https.aliasThe alias (or name) under which the key is stored in the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details.null
authorizationApi.keystores.https.enabledEnable HTTPS.true
authorizationApi.keystores.https.jwksThe key itself as a md5 encoded PKCS12 KeyStore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details.null
authorizationApi.keystores.https.passwordThe password of the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details.null
authorizationApi.keystores.signingKey.enableKey used for signing/verifying.null
authorizationApi.suffixSuffix value for the Authorization Server API.null
authorizationApi.deployment.annotationsAllows you to add custom annotations to the deployment object.null

Keystore Creation and Configuration

The Authorization Server deployment configuration YAML consists of several parameters that address keystore values. The keystore is used to store the custom signing encryption keys for the Authorization Server and the Authorization Server API. The parameters used to define keystore related values are:

  • authorizationServer.keystores.https.alias
  • authorizationServer.keystores.https.enabled
  • authorizationServer.keystores.https.jwks
  • authorizationServer.keystores.https.password
  • authorizationServer.keystores.signingKey.enable
  • authorizationApi.keystores.https.alias
  • authorizationApi.keystores.https.enabled
  • authorizationApi.keystores.https.jwks
  • authorizationApi.keystores.https.password
  • authorizationApi.keystores.signingKey.enable

In order to populate the alias, JWKS key and password parameters, the following steps need to be executed: 1) Generate a keystore and alias key 2) Apply base64 encoding for the alias name, password and JWKS key. 3) Update these base64 encoded values into the YAML config file.

To generate the key and the keystore, run the following command:

keytool -genkey -v -keystore AS.jks -alias <custom_alias> -keyalg RSA -sigalg SHA256withRSA -keysize 2048  -ext KeyUsage=keyCertSign -validity 10000
IMPORTANT

IMPORTANT: The Keystore alias defined should always be in lower case. The alias can be of alpha-numeric characters only.

To apply the base64 encoding for the alias name, password and JWKS key, run the following commands:

  • echo <alias name> | base64
  • echo <password> | base64
  • echo <JWKS Key> | base64

These commands will return the values in the base64 encoded format. Enter the encoded values in the configuration parameters listed above.

note

For production environments, it is recommended that individual keystores and key values exist for the Authorization Server and the Authorization Server API parameters.

authorizationServer.application.config

The authorizationServer.application.config parameter contains multiple sub-parameters that are essential for the proper configuration and set up of the Authorization Server. Below is a sample code block illustrating the common values defined in authorizationServer.application.config followed by tables (segregated by function) that provide details and descriptions for each sub-parameter.

server.port: 8080
server.tomcat.remote_ip_header: x-forwarded-for
server.tomcat.protocol_header: x-forwarded-proto
server.error.whitelabel.enabled: false

jwt:
keystore:
signerAlg: RS256

i18n:
defaultLang: en
allLanguages: fr, en, es
basename: classpath:./i18n/messages
cacheEvictFixedRateString: PT8H

logging:
level:
com.identos.idn: DEBUG
org.hibernate.SQL: DEBUG
org.hibernate.type: TRACE
location: ../logs

spring:
thymeleaf:
prefix: classpath:./templates/
web:
resources:
static-locations: classpath:./static/
jackson:
serialization.fail-on-empty-beans: false
mapper.default-view-inclusion: true
main:
allow-bean-definition-overriding: true
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://fpx-staging-fpx-mysql.fpx-staging.svc.cluster.local/authserver?useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
username: root
password: password
jpa:
open-in-view: false
hibernate:
dialect: org.hibernate.dialect.MySQL5InnoDBDialect
show_sql: false
generate_ddl: true
ddl-auto: validate
naming.physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
flyway:
locations: classpath:db/migration,classpath:db/development


as-server-domain: https://authserver.fpx-staging.dev.identos.ca


uma:
wellknown:
issuer: ${as-server-domain}


oauth2-config:
client:
callback_endpoint: /oauth2/callback
provider:
issuer: ${as-server-domain}
register_endpoint: /oauth2/register
authorize_endpoint: /oauth2/authorize
token_endpoint: /oauth2/token
jwks_endpoint: /jwks
configuration_endpoint: /.well-known/openid-configuration
account_endpoint: /account
web_authn_endpoint: /authenticate
introspection_endpoint: /oauth2/introspect
userinfo_endpoint: /api/userinfo
fetch_and_attach_userinfo: true
consent_endpoint: /discover/consent
consent_view_page: oidc_authorize
custom_grant_types:
- test
- anotherone


oidc-config:
client:
clientDomain: ${as-server-domain}
responseType: id_token
scope: "openid"
callback_endpoint: ${oauth2-config.client.callback_endpoint}


uma-config:
issuer: ${as-server-domain}
registrationEndpoint: ${oauth2-config.provider.register_endpoint}
configurationEndpoint: /.well-known/uma2-configuration
jwksEndpoint: /jwks
tokenEndpoint: /transaction/token
introspectionEndpoint: ${oauth2-config.provider.introspection_endpoint}
claimsGatheringEndpoint: /transaction/claims-gathering
revocationEndpoint: /transaction/revocation
capabilityEndpoint: /transaction/capability
permissionEndpoint: /transaction/permission
grantTypesSupported:
- client_credentials
- urn:ietf:params:oauth:grant-type:uma-ticket
- refresh_token
authzEndpoint: ${oauth2-config.provider.authorize_endpoint}
callbackEndpoint: ${oauth2-config.client.callback_endpoint}
permissionUpdateEndpoint: /permission
permissionAccessTokenEndpoint: ${uma-config.permissionUpdateEndpoint}/token


smart-config:
enabled: true
implicitFlowEnabled: false
issuer: ${as-server-domain}
registration_endpoint: ${oauth2-config.provider.register_endpoint}
authorization_endpoint: ${uma-config.authzEndpoint}
wellknown:
basePath: /oauth2/.well-known
configuration_endpoint: /openid-configuration
jwks_endpoint: /jwks
token_endpoint: ${uma-config.tokenEndpoint}
introspection_endpoint: ${uma-config.introspectionEndpoint}
launch:
resourceTypePattern: ((http|https)://){0,1}(www.){0,1}hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html
resourceTypeURL: http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html
resourceDefinitionTypePattern: https://www.hl7.org/fhir/[RESOURCE_TYPE].html


# FPX specific configuration + configuration shared between multiple protocols

fpx-config:
versionEndpoint: /.well-known/fpx/version
wallet:
walletSelectPage: /select-wallet
walletSelectSubmitEndpoint: /submit-broker
rememberWalletFeatureEnabled: false
registry:
basePath: /registry
clients:
walletEndpoint: /wallet
umaClientEndpoint: /client
rsEndpoint: /resource-server
idpEndpoint: /identity-provider
resources:
resourceEndpoint: /resource
resourceDefinitionEndpoint: ${fpx-config.registry.resources.resourceEndpoint}/resource_definition
ticketEndpoint: /ticket
resources:
select-wallet:
css: style.css
logo: logo


fpx:
oidc:
client:
stateSessionKey: fpx-csrf-key
ignoreCsrfCheck: false
pkce:
enforced: false
provider:
self-hosted:
enabled: true
federated:
enabled: false
federated_issuer: https://keycloak.dev.identos.ca/auth/realms/identos-qa
uma:
enabled: true
JWT-token:
enabled: true
jwt:
defaultKeyId: rsa1
pkce:
enforced: false
security:
authority:
introspection: uma_protection


default:
expiry-duration-params:
resourceDefinitionExpirySeconds: 1800000
accessTokenLifetimeSeconds: 300
refreshTokenLifetimeSeconds: 1800000
accountSessionTokenLifetimeInSeconds: 3600000000
agentOidcRequestLifetimeInSeconds : 25920000
patAccessTokenLifetimeInSeconds: 5000
length-params:
permissionTokenLength: 16
capabilityLength: 20
accountSessionTokenLength: 24
umaRequestIdLength: 24


app:
name: Identos
image_directory: /images/
logo:
name: identos.png

Global Server Parameters

Configuration directives that are used for overall application configuration.

ParameterDescriptionSuggested ValueRequired
server.portApplication port to listen for client connections on.8080Yes
server.tomcat.remote_ip_headerHeader to use as remote IP address for client connections.x-forwarded-forNo
server.tomcat.protocol_headerHeader to use as remote protocol for client connections.x-forwarded-protoNo
server.error.whitelabel.enabledWhether the server will display a generic error pagefalseNo
jwt.keystore.signerAlgThe algorithm to use when signing JWTsRS256Yes

Localization Settings

Configuration directives for localization support.

ParameterDescriptionSuggested ValueRequired
i18n.defaultLangDefault language used for localization.enYes
i18n.allLanguagesComma separated list of language strings to support localization for i.e. "en, fr".enYes
i18n.basenameLocation for localization strings to use in static template files.classpath:./i18n/messagesYes
i18n.cacheEvictFixedRateString:Defines the frequency for cached localized string (locale,key) to be evicted and re-located from a source.PT8HNo

Logging

ParameterDescriptionSuggested ValueRequired
loggingSee https://docs.spring.io/spring-boot/docs/2.3.5.RELEASE/reference/html/spring-boot-features.html#boot-features-logging for logging customizations.nullNo

Spring Framework Properties

ParameterDescriptionSuggested ValueRequired
spring.thymeleaf.prefixLocation of template files for Wallet selection and error pages. Can use external sources such as https://classpath:./templates/Yes
spring.web.resources.static-locationsLocation of static files such as css/html/javascript for template files.classpath:./static/Yes
spring.jackson.serialization.fail-on-empty-beansIf enabled or set to 'true', an exception is thrown to indicate empty objects as non-serializable types; if disabled (false), they are serialized as empty Objects, i.e. without any properties.falseYes
spring.jackson.mapper.default-view-inclusionAll properties not explicitly marked as being part of a JSON view, are serialized.trueYes
spring.main.allow-bean-definition-overridingWhether the Spring Framework allows existing Bean definitions to be overriden by new Beans with the same nametrueYes

Database Configuration

Database configuration for the authorization server.

ParameterDescriptionSuggested ValueRequired
spring.datasource.driver-class-nameDriver to use for DB connections (only mysql supported).com.mysql.cj.jdbc.DriverYes
spring.datasource.urlDriver to use for DB connections.jdbc:mysql://database-hostname/authserverYes
spring.datasource.usernameUsername for database connection.usernameYes
spring.datasource.passwordPassword for database connection.passwordYes
spring.jpa.open-in-viewEnable/Disable Spring open in view.falseYes
spring.jpa.hibernate.dialectSpring hibernate dialect (only MySQL supported).org.hibernate.dialect.MySQL5InnoDBDialectYes
spring.jpa.hibernate.show_sqlShow all SQL queries that are run against the database source in the logs.falseNo
spring.jpa.hibernate.generate_ddlA flag that determines whether a SQL Database should be initialized at start-up.trueYes
spring.jpa.hibernate.ddl-autoThere are two options to manage the underlying database schema when working with JPA and Hibernate (leveraged by all backend IDENTOS components):
1) You can encapsulate schema changes in migration scripts and use a tool, like Flyway, to apply the migration scripts upon starting the application. This is the method we will use to generate and update the schema for the authorization server and the Admin Server.
2) You can generate or update the database schema from the JPA and Hibernate entity mappings (extrapolate the domain classes/entity mappings of the deployed server and auto generate the database schema) the using the hbm2ddl.auto tool. We will not use this method to generate the schema for any of the components. This is why the value for this field should be set to "validate" as this option instructs Hibernate to ONLY validate the underlying database schema against the entity mappings.
validateYes
spring.flyway.locationsLocation for DB migration scripts.classpath:db/migration,classpath:db/developmentYes

OAuth 2 Configuration Settings

Configuration parameters required to successfully set up the OAuth 2 protocol.

ParameterDescriptionSuggested ValueRequired
oauth2-config.client.callback_endpointEndpoint used on callbacks with the Authorization Server in its role as an OAuth client/oauth2/callbackYes
oauth2-config.provider.issuerIssuer URL used by the Authorization Server for the OAuth 2 ProtocolAS Server Domain NameYes
oauth2-config.provider.register_endpointEndpoint for Dynamic Client Registration/oauth2/registerYes
oauth2-config.provider.authorize_endpointDefines the OAuth 2 authorization endpoint of the Authorization Server. It needs to be appended to the issuer URL defined in the parameter above/oauth2/authorizeYes
oauth2-config.provider.token_endpointURL of the Authorization Server's token endpoint/oauth2/tokenYes
oauth2-config.provider.jwks_endpointURL of the Authorization Server's JWK Set document, containing the signing keys the client uses to validate signatures from the Authorization Server/jwksYes
oauth2-config.provider.configuration_endpointPath to OIDC configuration endpoint/.well-known/openid-configurationYes
oauth2-config.provider.account_endpointPath to OIDC account endpoint/accountYes
oauth2-config.provider.web_authn_endpointPath to OIDC web authentication endpoint/authenticateYes
oauth2-config.provider.introspection_endpointURL of the Authorization Server's OAuth 2.0 introspection endpoint/oauth2/introspectYes
oauth2-config.provider.userinfo_endpointURL of the Authorization Server's userinfo endpoint/api/userinfoYes
oauth2-config.provider.fetch_and_attach_userinfoWhether to fetch and attach userinfotrueYes
oauth2-config.provider.consent_endpointURL of the Authorization Server's OIDC consent endpoint/discover/consentYes
oauth2-config.provider.consent_view_pageIdentifier of the html template to use when displaying the consent pageoidc_authorizeYes
oauth2-config.provider.custom_grant_typesCustom grant types may be specified hereNo

OIDC Configuration Settings

OIDC configuration settings including both client / sever settings.

ParameterDescriptionSuggested ValueRequired
oidc-config.client.clientDomainThis must be set to the host address of the Authorization Server itself. This, along with the value set for oidc-config.client.callbackEndpoint are appended to build the redirect URI parameter as part of its OIDC transaction with the Wallet Server (an OIDC relationship where Wallet Server is the provider to the Authorization Server).https://authorizationserver.comYes
oidc-config.client.responseTypeOIDC response type on successful token endpoint call. Suggested value causes an id_token return at the token endpoint.id_tokenYes
oidc-config.client.scopeScope applied to the initial OAuth authorize call made by the Authorization Server to the Wallet to create an outgoing identity request - enabling user to log in to FPX.openidYes
oidc-config.client.callbackEndpointPath to OIDC callback endpoint for generating an authorization code after authentication./transaction/callbackYes

UMA Configuration Settings

UMA configuration settings including endpoint and supported grant types.

ParameterDescriptionSuggested ValueRequired
uma-config.issuerIssuer of tokens generated by the server, should be the location of the Authorization Server itself.https://authorizationserver.comYes
uma-config.registrationEndpointPath to UMA registration endpoint./registerYes
uma-config.configurationEndpointPath to UMA configuration discovery endpoint./.well-known/uma2-configurationYes
uma-config.jwksEndpointPath to UMA JWKS endpoint./jwksYes
uma-config.tokenEndpointPath to UMA token introspection endpoint./transaction/introspectYes
uma-config.introspectionEndpointPath to UMA introspection endpoint./transaction/introspectYes
uma-config.claimsGatheringEndpointPath to UMA claims gathering endpoint./transaction/claims-gatheringYes
uma-config.revocationEndpointPath to UMA revocation endpoint./transaction/revocationYes
uma-config.capabilityEndpointPath to UMA capability endpoint./transaction/capabilityYes
uma-config.permissionEndpointPath to UMA permissions endpoint./transaction/permissionYes
uma-config.grantTypesSupportedGrant types supported.["client_credentials", "urn:ietf:params:oauth:grant-type:uma-ticket", "refresh_token"]Yes
uma-config.authzEndpointPath to UMA authorization endpoint./transaction/authorizeYes
uma-config.callbackEndpointPath to UMA callback endpoint./transaction/callbackYes
uma-config.permissionUpdateEndpointPath to UMA permission update endpoint./permissionYes
uma-config.permissionAccessTokenEndpointPath to UMA permission token endpoint./permission/tokenYes

SMART on FHIR Configuration Settings

ParameterDescriptionSuggested ValueRequired
smart-config.enabledSMART on FHIR enabled flagtrueYes
smart-config.issuerSMART on FHIR token issuer, should be the URL to the Authorization Server.https://authorizationserver.comYes
smart-config.registration_endpointSMART on FHIR registration endpoint./registerYes
smart-config.authorization_endpointSMART on FHIR authorize endpoint./oauth2/authorizeYes
smart-config.wellknown.basepathBase path for SMART on FHIR well known path./oauth2/.well-knownYes
smart-config.wellknown.configuration_endpointPath to OAuth 2.0 configuration discovery endpoint. This is appended to {smart-config.wellknown.basepath}/openid-configurationYes
smart-config.wellknown.jwks_endpointSMART on FHIR JWKS endpoint./jwksYes
smart-config.token_endpointSMART on FHIR token endpoint./transaction/tokenYes
smart-config.introspection_endpointSMART on FHIR introspection endpoint./transaction/introspectYes
smart-config.launch.resourceTypePatternThe REGEX pattern with which SMART resources' type parameter must conform to.((httphttps)://){0,1}(www.){0,1}hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html
smart-config.launch.resourceTypeURLStatic resource type of the SMART launch resource, shared when attempting to access information in order to use a SMART on FHIR app.http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.htmlYes

FPX Server Configuration Settings

Base Authorization Server configuration, including registry endpoints and Wallet usage configuration.

ParameterDescriptionSuggested ValueRequired
fpx-config.versionEndpointEndpoint to display the FPX version./.well-known/fpx-versionYes
fpx-config.wallet.walletSelectPageEndpoint to display the Wallet selection template page./select-walletYes
fpx-config.wallet.walletSelectSubmitEndpointEndpoint where the Wallet selection template page will be submitted./submit-brokerYes
fpx-config.wallet.rememberWalletFeatureEnabledEnable or disable the remember wallet feature within the selection template.falseYes
fpx-config.registry.basePathBase path for all registry endpoints./registry 1Yes
fpx-config.registry.clients.walletEndpointRegistry endpoint for Wallets./walletYes
fpx-config.registry.clients.umaClientEndpointRegistry endpoint for UMA clients./clientYes
fpx-config.registry.clients.rsEndpointRegistry endpoint for resource servers./resource-serverYes
fpx-config.registry.clients.idpEndpointRegistry endpoint for identity providers./identity-providerYes
fpx-config.registry.resources.resourceEndpointRegistry endpoint for resources./resourceYes
fpx-config.registry.resources.resourceDefinitionEndpointRegistry endpoint for resource definitions./resource/resource_definitionYes
fpx-config.registry.resources.ticketEndpointRegistry endpoint for tickets./ticketYes
ParameterDescriptionSuggested ValueRequired
fpx.oidc.client.stateSessionKeyKey to use for session state parameterfpx-csrf-keyYes
fpx.oidc.client.ignoreCsrfCheckWhether to not perform a cross-site request forgery checkfalseYes
fpx.oidc.client.pkce.enforcedWhether to enforce the use of proof key for code exchangefalseYes
fpx.oidc.provider.self-hosted.enabledWhether the Authorization Server will act as an identity providertrueYes
fpx.oidc.provider.federated.enabledWhether the Authorization Server will federate to an external identity providerfalseYes
fpx.oidc.provider.federated.federated_issuerThe issuer URL to use when the federation setting is enabledhttps://keycloak.dev.identos.ca/auth/realms/identos-qaYes
fpx.oidc.provider.uma.enabledWhether the Authorization Server will use UMA protocoltrueYes
fpx.oidc.provider.JWT-token.enabledWhether the Authorization Server will use JWTstrueYes
fpx.oidc.provider.jwt.defaultKeyIdThe default ID key for the JWTrsa1Yes
fpx.oidc.provider.pkce.enforcedWhether to enforce the use of proof key for code exchangefalseYes
fpx.security.authority.introspectionGranted authority to use for introspectionuma_protectionYes

Server defaults and expiry values

Basic defaults incuding token length and expiry for those same tokens.

ParameterDescriptionSuggested ValueRequired
default.expiry-duration-params.resourceDefinitionExpirySecondsResource definition maximum expiry when shared in seconds.1800000Yes
default.expiry-duration-params.accessTokenLifetimeSecondsAccess token expiry in seconds.300Yes
default.expiry-duration-params.refreshTokenLifetimeSecondsRefresh token expiry in seconds.300Yes
default.expiry-duration-params.accountSessionTokenLifetimeInSecondsAccount session token expiry in seconds.3600000000Yes
default.expiry-duration-params.agentOidcRequestLifetimeInSecondsWallet OIDC request expiry in seconds.25920000Yes
default.expiry-duration-params.patAccessTokenLifetimeInSecondsPermission access token expiry for Resource Servers in seconds.5000Yes
default.length-params.permissionTokenLengthString length of the randomly generated IDs of permissions.16Yes
default.length-params.capabilityLengthString length of the randomly generated IDs of capabilities.20Yes
default.length-params.accountSessionTokenLengthString length of the randomly generated IDs of account session tokens.24Yes
default.length-params.umaRequestIdLengthString length of the randomly generated IDs of UMA requests.24Yes

authorizationApi.application.config

The authorizationApi.application.config parameter is used to define the main elements for the Authorization Server API - the administrative API for the Authorization Server. Without clearly defining these parameters, the setup of the AS API will fail and limit the integration of the other parties with the Authorization Server.

Below is a sample code block illustrating the common values defined in authorizationApi.application.config followed by a table that provides details and descriptions for each sub-parameter. The most important configuration is to ensure that the Authorization Server API database section points to the same database as the Authorization Server.

Note that the values shown for spring.datasource.username and spring.datasource.password are placeholders and should be replaced with credentials for the specific database used in your deployment.

server.port: 8080
server.error.include-binding-errors: ALWAYS
server.error.include-exception: true
server.error.include-message: ALWAYS
server.error.include-stacktrace: ALWAYS

logging:
level:
com.identos.wallet.admin: DEBUG
org.springframework.web: DEBUG
org.hibernate.SQL: DEBUG
org.hibernate.type: TRACE

spring.jpa.properties.hibernate.format_sql: true

as-admin:
staticToken: {{WS_ADMIN_STATIC_TOKEN}}

spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://fpx-staging-fpx-mysql.fpx-staging.svc.cluster.local:3306/authserver
username: {{DATABASE_USERNAME}}
password: {{DATABASE_PASSWORD}}
output.ansi.enabled: ALWAYS
jpa:
generate-ddl: false
hibernate:
ddl-auto: validate
show-sql: true
naming.physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl

elide:
modelPackage: 'com.identos.idn.entity'
pageSize: 1000
maxPageSize: 10000
json-api:
path: /json-api
enabled: true
graphql:
path: /graphql/api/v1
enabled: false
swagger:
path: /json-api/openapi
enabled: true
version: "v1.0"
name: AuthServer Admin API

Logging and Response Output

These settings control what should be logged and at what level of detail, as well as the information returned in Wallet Admin API error responses. Because this is an Admin API, we are not concerned with stack traces and application internals being returned in responses. Therefore, these can be left as default for the majority of use cases.

ParameterDescriptionSuggested ValueRequired
server.error.include-binding-errorsThe server will not be prevented from including binding errors in error response payloadsALWAYSNo
server.error.include-exceptionThe server will not be prevented from including exceptions in error response payloadstrueNo
server.error.include-messageThe server will not be prevented from including messages in error response payloadsALWAYSNo
server.error.include-stacktraceThe server will not be prevented from including stack traces in error response payloadsALWAYSNo
logging.level.com.identos.wallet.adminControls the level at which the Wallet Admin API logs will be outputDEBUGNo
logging.level.org.springframework.webControls the level at which the Spring framework Web logs will be outputDEBUGNo
logging.level.org.hibernate.SQLControls the level at which the Hibernate framework SQL logs will be outputDEBUGNo
logging.level.org.hibernate.typeControls the level at which the Hibernate framework SQL binding type logs will be outputDEBUGNo
spring.jpa.properties.hibernate.format_sqlThis will format the SQL that is output to the logs to make it more readabletrueNo

Authentication Token Configuration

ParameterDescriptionSuggested ValueRequired
as-admin.staticTokenDefines the value of the static token that the Auth Admin API will expect to be included as an Authorization header on all requestsa UUIDYes

Database Configuration

Database configuration for the Authorization Server API.

ParameterDescriptionSuggested ValueRequired
spring.datasource.driver-class-nameMySQL Driver name.com.mysql.cj.jdbc.DriverYes
spring.datasource.urlDriver to use for DB connections.jdbc:mysql://fpx-staging-fpx-mysql.fpx-staging.svc.cluster.local:3306/authserverYes
spring.datasource.usernameUsername for database connection.rootYes
spring.datasource.passwordPassword for database connection.passwordYes
spring.jpa.hibernate.dialectSpring hibernate dialect (only MySQL supported).org.hibernate.dialect.MySQL5InnoDBDialectYes
spring.jpa.generate-ddlA flag that determines whether a SQL Database should be initialized at start-up.falseYes
spring.jpa.hibernate.ddl-autoThere are two options to manage the underlying database schema when working with JPA and Hibernate (leveraged by all backend IDENTOS components):
1) You can encapsulate schema changes in migration scripts and use a tool, like Flyway, to apply the migration scripts upon starting the application. This is the method we will use to generate and update the schema for the authorization server and the Admin Server.
2) You can generate or update the database schema from the JPA and Hibernate entity mappings (extrapolate the domain classes/entity mappings of the deployed server and auto generate the database schema) the using the hbm2ddl.auto tool. We will not use this method to generate the schema for any of the components. This is why the value for this field should be set to "validate" as this option instructs Hibernate to ONLY validate the underlying database schema against the entity mappings.
validateYes

JSON API Configuration

The parameters under the elide section are used to expose JSON APIs and configure their URL paths. IDENTOS recommends that these be left at the default values. For more information, refer to Elide Setup.