
Admin API Application Config

The authorizationApi.application.config parameter defines the main elements of the Authorization Server API, the administrative API for the Authorization Server. If these parameters are not clearly defined, setup of the AS API will fail, which limits the integration of other parties with the Authorization Server.

Below is a sample code block illustrating the common values defined in authorizationApi.application.config followed by a table that provides details and descriptions for each sub-parameter. The most important configuration is to ensure that the Authorization Server API database section points to the same database as the Authorization Server.

Note that the values shown for spring.datasource.username and spring.datasource.password are placeholders and should be replaced with credentials for the specific database used in your deployment.

```yaml
server.port: 8080
server.error.include-binding-errors: ALWAYS
server.error.include-exception: true
server.error.include-message: ALWAYS
server.error.include-stacktrace: ALWAYS

management:
  endpoint:
    health:
      livenessState.enabled: true
      readinessState.enabled: true
      probes:
        enabled: true
  endpoints:
    web:
      exposure:
        include: "health"

logging:
  level:
    com.sbic.idn: DEBUG
    org.springframework.web: DEBUG
    org.hibernate.SQL: DEBUG
    org.hibernate.type: TRACE

spring.jpa.properties.hibernate.format_sql: true

as-admin:
  staticTokens:
    - {{AS_ADMIN_STATIC_TOKEN}}
    - {{ANOTHER_AS_ADMIN_STATIC_TOKEN}}

spring:
  session:
    store-type: jdbc
    jdbc:
      initialize-schema: always
      table-name: SPRING_SESSION
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://fpx-staging-fpx-mysql.fpx-staging.svc.cluster.local:3306/authserver
    username: {{DATABASE_USERNAME}}
    password: {{DATABASE_PASSWORD}}
  output.ansi.enabled: ALWAYS
  jpa:
    generate-ddl: false
    hibernate:
      ddl-auto: validate
      show-sql: true
      naming.physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl

elide:
  modelPackage: 'com.sbic.idn.entity'
  pageSize: 1000
  maxPageSize: 10000
  json-api:
    path: /json-api
    enabled: true
  graphql:
    path: /graphql/api/v1
    enabled: false
  swagger:
    path: /json-api/openapi
    enabled: true
    version: "v1.0"
    name: AuthServer Admin API
```

Spring Actuator Configuration

Make the following configurations to enable Spring Actuator and monitor the health of the Authorization Server. By default, these

| Parameter | Description | Suggested Value | Required |
| --- | --- | --- | --- |
| management.endpoint.health.livenessState.enabled | Configures whether the liveness state health check is enabled. | true | No |
| management.endpoint.health.readinessState.enabled | Configures whether the readiness state health check is enabled. | true | No |
| management.endpoint.health.probes.enabled | Configures whether the liveness and readiness probes are enabled or disabled. The value is a Boolean: when it is set to "true", the health probes are enabled. This parameter is interrelated with the management.endpoint.health.livenessState.enabled and management.endpoint.health.readinessState.enabled parameters described above, which means that the value of one of these parameters along with the value of management.endpoint.health.probes.enabled must be set to true for the functionality to work. | true | No |
| endpoints.web.exposure.include | There are various actuator endpoints that allow us to monitor and interact with the application. Each endpoint can be enabled and disabled individually. This parameter configures the specific actuator endpoint that we need enabled. In this case, the "health" endpoint is enabled to get information on the health of the application. | health | No |

Logging and Response Output

These settings control what should be logged and at what level of detail, as well as the information returned in Authorization Server Admin API error responses. Because this is an Admin API, we are not concerned with stack traces and application internals being returned in responses. Therefore, these can be left as default for the majority of use cases.

| Parameter | Description | Suggested Value | Required |
| --- | --- | --- | --- |
| server.error.include-binding-errors | The server will not be prevented from including binding errors in error response payloads. | ALWAYS | No |
| server.error.include-exception | The server will not be prevented from including exceptions in error response payloads. | true | No |
| server.error.include-message | The server will not be prevented from including messages in error response payloads. | ALWAYS | No |
| server.error.include-stacktrace | The server will not be prevented from including stack traces in error response payloads. | ALWAYS | No |
| logging.level.com.sbic.idn | Controls the level at which the Authorization Server Admin API logs will be output. | DEBUG | No |
| logging.level.org.springframework.web | Controls the level at which the Spring framework Web logs will be output. | DEBUG | No |
| logging.level.org.hibernate.SQL | Controls the level at which the Hibernate framework SQL logs will be output. | DEBUG | No |
| logging.level.org.hibernate.type | Controls the level at which the Hibernate framework SQL binding type logs will be output. | DEBUG | No |
| spring.jpa.properties.hibernate.format_sql | This will format the SQL that is output to the logs to make it more readable. | true | No |

Authentication Token Configuration

| Parameter | Description | Suggested Value | Required |
| --- | --- | --- | --- |
| as-admin.staticTokens | Defines an array of values for static authorization tokens. The Authorization Server Admin API will expect one of these values to be included as an Authorization header on all requests. | a UUID | Yes |

Database Configuration

Database configuration for the Authorization Server API.

| Parameter | Description | Suggested Value | Required |
| --- | --- | --- | --- |
| spring.session.store-type | Session store type. | jdbc | No |
| spring.session.jdbc.initialize-schema | Database schema initialization mode. | always | No |
| spring.session.jdbc.table-name | Name of the database table used to store sessions. | SPRING_SESSION | No |
| spring.datasource.driver-class-name | MySQL Driver name. | com.mysql.cj.jdbc.Driver | Yes |
| spring.datasource.url | Driver to use for DB connections. | jdbc:mysql://fpx-staging-fpx-mysql.fpx-staging.svc.cluster.local:3306/authserver | Yes |
| spring.datasource.username | Username for database connection. | root | Yes |
| spring.datasource.password | Password for database connection. | password | Yes |
| spring.jpa.hibernate.dialect | Spring hibernate dialect (only MySQL supported). | org.hibernate.dialect.MySQL5InnoDBDialect | Yes |
| spring.jpa.generate-ddl | A flag that determines whether a SQL Database should be initialized at start-up. | false | Yes |
| spring.jpa.hibernate.ddl-auto | There are two options to manage the underlying database schema when working with JPA and Hibernate (leveraged by all backend IDENTOS components): 1) You can encapsulate schema changes in migration scripts and use a tool, like Flyway, to apply the migration scripts upon starting the application. This is the method we will use to generate and update the schema for the authorization server and the Admin Server. 2) You can generate or update the database schema from the JPA and Hibernate entity mappings (extrapolate the domain classes/entity mappings of the deployed server and auto generate the database schema). We will not use this method to generate the schema for any of the components. This is why the value for this field should be set to "validate" as this option instructs Hibernate to ONLY validate the underlying database schema against the entity mappings. | validate | Yes |
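
A pre-deployment check for the settings described above, as an added example (not IDENTOS code): it takes the Admin API config already parsed into a Python dict and reports missing required parameters, unrendered `{{...}}` placeholders, static tokens that are not UUIDs, a datasource URL that differs from the Authorization Server's, and a `ddl-auto` value other than `validate`. The function names, the `db.example.internal` host, treating the suggested "a UUID" value as policy, and comparing URLs by exact string match are assumptions of this example.

```python
import re
import uuid

# Parameters the page's tables mark "Required: Yes".
REQUIRED = ("as-admin.staticTokens", "spring.datasource.driver-class-name",
            "spring.datasource.url", "spring.datasource.username",
            "spring.datasource.password", "spring.jpa.hibernate.dialect",
            "spring.jpa.generate-ddl", "spring.jpa.hibernate.ddl-auto")
UNRENDERED = re.compile(r"\{\{.*?\}\}")  # template value never substituted

def flatten(node, prefix=""):
    """Collapse nested maps to dotted keys; the sample mixes both styles."""
    flat = {}
    for key, value in node.items():
        name = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat

def is_uuid(token):
    try:
        return str(uuid.UUID(str(token))) == str(token).lower()
    except ValueError:
        return False

def preflight(admin_cfg, as_db_url):
    """Return findings for a parsed Admin API config; empty list means pass."""
    cfg = flatten(admin_cfg)
    out = [f"missing required parameter: {k}" for k in REQUIRED if k not in cfg]
    out += [f"unrendered placeholder in {k}" for k, v in cfg.items()
            if UNRENDERED.search(str(v))]
    tokens = cfg.get("as-admin.staticTokens") or []
    if not tokens or not all(is_uuid(t) for t in tokens):
        out.append("as-admin.staticTokens should be a non-empty list of UUIDs")
    if cfg.get("spring.datasource.url") != as_db_url:
        out.append("spring.datasource.url is not the Authorization Server database")
    if cfg.get("spring.jpa.hibernate.ddl-auto") != "validate":
        out.append("spring.jpa.hibernate.ddl-auto must be validate")
    return out

# Constructed sample (hypothetical host): unrendered token, wrong database name.
AS_DB_URL = "jdbc:mysql://db.example.internal:3306/authserver"
SAMPLE = {
    "as-admin": {"staticTokens": ["{{AS_ADMIN_STATIC_TOKEN}}"]},
    "spring.datasource.url": "jdbc:mysql://db.example.internal:3306/adminapi",
    "spring": {"jpa": {"generate-ddl": False, "hibernate": {"ddl-auto": "validate"}}},
}
FINDINGS = preflight(SAMPLE, AS_DB_URL)
```

Run it against the rendered config in a deployment pipeline and fail the step when the returned list is not empty.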

JSON API Configuration

The parameters under the elide section are used to expose JSON APIs and configure their URL paths. IDENTOS recommends that these be left at the default values. For more information, refer to Elide Setup.