Application Config
The authorizationServer.application.config Helm chart property group contains multiple sub-parameters that are essential for the proper configuration and set up of the Authorization Server.
Below is a sample code block illustrating the common values defined in authorizationServer.application.config, followed by tables that provide details and descriptions for each sub-parameter.
server.port: 8080
server.tomcat.remote_ip_header: x-forwarded-for
server.tomcat.protocol_header: x-forwarded-proto
server.error.whitelabel.enabled: false
jwt:
keystore:
signerAlg: RS256
i18n:
defaultLang: en
allLanguages: fr, en, es
basename: classpath:./i18n/messages
cacheEvictFixedRateString: PT8H
logging:
level:
com.identos.idn: DEBUG
org.hibernate.SQL: DEBUG
org.hibernate.type: TRACE
location: ../logs
spring:
main:
allow-bean-definition-overriding: true
thymeleaf:
prefix: classpath:./templates/
mvc:
throw-exception-if-no-handler-found: true
pathmatch.matching-strategy: ant_path_matcher
web:
resources:
add-mappings: false
jackson:
serialization.fail-on-empty-beans: false
mapper.default-view-inclusion: true
session:
store-type: jdbc
jdbc:
initialize-schema: always
table-name: SPRING_SESSION
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://fpx-staging-fpx-mysql.fpx-staging.svc.cluster.local/authserver?useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
username: root
password: password
jpa:
open-in-view: false
hibernate:
dialect: org.hibernate.dialect.MySQL5InnoDBDialect
show_sql: false
generate_ddl: true
ddl-auto: validate
naming.physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
flyway:
locations: classpath:db/migration,classpath:db/development
as-server-domain: https://authserver.fpx-staging.dev.identos.ca
uma:
wellknown:
issuer: ${as-server-domain}
oauth2-config:
client:
callback_endpoint: /oauth2/callback
provider:
issuer: ${as-server-domain}
register_endpoint: /oauth2/register
authorize_endpoint: /oauth2/authorize
token_endpoint: /oauth2/token
token_revocation_endpoint : `${oauth2-config.provider.token_endpoint}/revoke`
jwks_endpoint: /jwks
configuration_endpoint: /.well-known/openid-configuration
account_endpoint: /account
web_authn_endpoint: /authenticate
introspection_endpoint: /oauth2/introspect
userinfo_endpoint: /api/userinfo
fetch_and_attach_userinfo: true
consent_endpoint: /discover/consent
consent_view_page: oidc_authorize
custom_grant_types:
- test
- anotherone
oidc-config:
client:
clientDomain: ${as-server-domain}
responseType: id_token
scope: "openid"
callback_endpoint: $${oauth2-config.client.callback_endpoint}
uma-config:
issuer: ${as-server-domain}
registrationEndpoint: $${oauth2-config.provider.register_endpoint}
configurationEndpoint: /.well-known/uma2-configuration
jwksEndpoint: /jwks
tokenEndpoint: /transaction/token
introspectionEndpoint: $${oauth2-config.provider.introspection_endpoint}
claimsGatheringEndpoint: /transaction/claims-gathering
revocationEndpoint: /transaction/revocation
capabilityEndpoint: /transaction/capability
permissionEndpoint: /transaction/permission
grantTypesSupported:
- client_credentials
- urn:ietf:params:oauth:grant-type:uma-ticket
- refresh_token
authzEndpoint: $${oauth2-config.provider.authorize_endpoint}
callbackEndpoint: $${oauth2-config.client.callback_endpoint}
permissionUpdateEndpoint: /permission
permissionAccessTokenEndpoint: ${uma-config.permissionUpdateEndpoint}/token
smart-config:
enabled: true
implicitFlowEnabled: false
issuer: ${as-server-domain}
registration_endpoint: $${oauth2-config.provider.register_endpoint}
authorization_endpoint: ${uma-config.authzEndpoint}
wellknown:
basePath: /oauth2/.well-known
configuration_endpoint: /openid-configuration
jwks_endpoint: /jwks
token_endpoint: ${uma-config.tokenEndpoint}
introspection_endpoint: ${uma-config.introspectionEndpoint}
launch:
resourceTypePattern: ((http|https)://){0,1}(www.){0,1}hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html
resourceTypeURL: http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html
resourceDefinitionTypePattern: https://www.hl7.org/fhir/[RESOURCE_TYPE].html
# FPX specific configuration + configuration shared between multiple protocols
fpx-config:
versionEndpoint: /.well-known/fpx/version
wallet:
walletSelectPage: /select-wallet
walletSelectSubmitEndpoint: /submit-broker
rememberWalletFeatureEnabled: false
registry:
basePath: /registry
clients:
walletEndpoint: /wallet
umaClientEndpoint: /client
rsEndpoint: /resource-server
idpEndpoint: /identity-provider
resources:
resourceEndpoint: /resource
resourceDefinitionEndpoint: ${fpx-config.registry.resources.resourceEndpoint}/resource_definition
ticketEndpoint: /ticket
resources:
select-wallet:
css: style.css
logo: logo
fpx:
oidc:
client:
stateSessionKey: fpx-csrf-key
ignoreCsrfCheck: false
pkce:
enforced: false
provider:
self-hosted:
enabled: true
federated:
enabled: false
federated_issuer: {OIDC Provider}
uma:
enabled: true
JWT-token:
enabled: true
jwt:
defaultKeyId: rsa1
pkce:
enforced: false
revoke-token:
enabled : true
security:
authority:
introspection: uma_protection
default:
expiry-duration-params:
resourceDefinitionExpirySeconds: 1800000
accessTokenLifetimeSeconds: 300
refreshTokenLifetimeSeconds: 1800000
accountSessionTokenLifetimeInSeconds: 3600000000
agentOidcRequestLifetimeInSeconds : 25920000
patAccessTokenLifetimeInSeconds: 5000
length-params:
permissionTokenLength: 16
capabilityLength: 20
accountSessionTokenLength: 24
umaRequestIdLength: 24
app:
name: Identos
logo: identos.png
error-page-redirect-url: ${as-server-domain}
error-page-title: Error
Global Server Parameters
Configuration directives that are used for overall application configuration.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| server.port | Application port to listen for client connections on. | 8080 | Yes |
| server.tomcat.remote_ip_header | Header to use as remote IP address for client connections. | x-forwarded-for | No |
| server.tomcat.protocol_header | Header to use as remote protocol for client connections. | x-forwarded-proto | No |
| server.error.whitelabel.enabled | Whether the server will display a generic error page | false | No |
| jwt.keystore.signerAlg | The algorithm to use when signing JWTs | RS256 | Yes |
Localization
Configuration directives for localization support.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| i18n.defaultLang | Default language used for localization. | en | Yes |
| i18n.allLanguages | Comma separated list of language strings to support localization for i.e. "en, fr". | en | Yes |
| i18n.basename | Location for localization strings to use in static template files. | classpath:./i18n/messages | Yes |
| i18n.cacheEvictFixedRateString: | Defines the frequency for cached localized string (locale,key) to be evicted and re-located from a source. | PT8H | No |
Logging
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| logging | See https://docs.spring.io/spring-boot/docs/2.3.5.RELEASE/reference/html/spring-boot-features.html#boot-features-logging for logging customizations. | null | No |
| logging.level.com.identos | Controls the level at which the application's configured loggers will be permitted to log. This applies only to loggers that exist in a package that begins with "com.identos". | DEBUG | No. If not set, defaults to INFO level |
| logging.config | Sets the configuration file for application logging. This value will output structured logs in compressed, single-line JSON format. To view the logs in a human-readable format (i.e. for development purposes), this value can be set to classpath:logback-dev.xml. | classpath:logback-spring.xml | No. If not set, defaults to classpath:logback-spring.xml. |
Spring Framework Properties
Configuration for the Spring framework. Additional information on these properties can be found here.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| spring.main.allow-bean-definition-overriding | Whether the Spring Framework allows existing Bean definitions to be overridden by new Beans with the same name. | true | Yes |
| spring.thymeleaf.prefix | Location of template files for Wallet selection and error pages. Can use external sources such as https:// | classpath:./templates/ | Yes |
| spring.mvc.throw-exception-if-no-handler-found | Returns an exception for 404 errors and allows the administrator to define a custom response | true | Yes |
| spring.mvc.pathmatch.matching-strategy | This parameter is related to the spring.web.resources.add-mappings parameter and enables mapping via an ant path. | ant_path_matcher | Yes |
| spring.web.resources.add-mappings | Defines whether to use spring default resource mappings - default mappings have been replaced with specifically configured mappings | false | Yes |
| spring.jackson.serialization.fail-on-empty-beans | If enabled or set to 'true', an exception is thrown to indicate empty objects as non-serializable types; if disabled (false), they are serialized as empty Objects, i.e. without any properties. | false | Yes |
| spring.jackson.mapper.default-view-inclusion | All properties not explicitly marked as being part of a JSON view, are serialized. | true | Yes |
Database Configuration
Database configuration for the authorization server.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| spring.session.store-type | Session store type. | jdbc | No |
| spring.session.jdbc.initialize-schema | Database schema initialization mode. | always | No |
| spring.session.jdbc.table-name | Name of the database table used to store sessions. | SPRING_SESSION | No |
| spring.datasource.driver-class-name | Driver to use for DB connections (only mysql supported). | com.mysql.cj.jdbc.Driver | Yes |
| spring.datasource.url | Connection string to use for DB connections. | jdbc:mysql://database-hostname/authserver | Yes |
| spring.datasource.username | Username for database connection. | username | Yes |
| spring.datasource.password | Password for database connection. | password | Yes |
| spring.jpa.open-in-view | Enable/Disable Spring open in view. | false | Yes |
| spring.jpa.hibernate.dialect | Spring hibernate dialect (only MySQL supported). | org.hibernate.dialect.MySQL5InnoDBDialect | Yes |
| spring.jpa.hibernate.show_sql | Show all SQL queries that are run against the database source in the logs. | false | No |
| spring.jpa.hibernate.generate_ddl | A flag that determines whether a SQL Database should be initialized at start-up. | true | Yes |
| spring.jpa.hibernate.ddl-auto | There are two options to manage the underlying database schema when working with JPA and Hibernate (leveraged by all backend IDENTOS components): 1) You can encapsulate schema changes in migration scripts and use a tool, like Flyway, to apply the migration scripts upon starting the application. This is the method we will use to generate and update the schema for the authorization server and the Admin Server. 2) You can generate or update the database schema from the JPA and Hibernate entity mappings (extrapolate the domain classes/entity mappings of the deployed server and auto generate the database schema) the using the hbm2ddl.auto tool. We will not use this method to generate the schema for any of the components. This is why the value for this field should be set to "validate" as this option instructs Hibernate to ONLY validate the underlying database schema against the entity mappings. | validate | Yes |
| spring.flyway.locations | Location for DB migration scripts. | classpath:db/migration,classpath:db/development | Yes |
OAuth 2 Configuration Settings
Configuration parameters required to successfully set up the OAuth 2 protocol.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
oauth2-config.client.callback_endpoint | Endpoint used on callbacks with the Authorization Server in its role as an OAuth client. | /oauth2/callback | Yes |
oauth2-config.provider.issuer | Issuer URL used by the Authorization Server for the OAuth 2 protocol. | AS Server Domain Name | Yes |
oauth2-config.provider.register_endpoint | Endpoint for Dynamic Client Registration. | /oauth2/register | Yes |
oauth2-config.provider.authorize_endpoint | Defines the OAuth 2 authorization endpoint of the Authorization Server. It needs to be appended to the issuer URL defined in the parameter above. | /oauth2/authorize | Yes |
oauth2-config.provider.token_endpoint | URL of the Authorization Server's token endpoint. | /oauth2/token | Yes |
oauth2-config.provider.jwks_endpoint | URL of the Authorization Server's JWK Set document, containing the signing keys the client uses to validate signatures from the Authorization Server. | /jwks | Yes |
oauth2-config.provider.configuration_endpoint | Path to OIDC configuration endpoint. | /.well-known/openid-configuration | Yes |
oauth2-config.provider.account_endpoint | Path to OIDC account endpoint. | /account | Yes |
oauth2-config.provider.web_authn_endpoint | Path to OIDC web authentication endpoint. | /authenticate | Yes |
oauth2-config.provider.introspection_endpoint | URL of the Authorization Server's OAuth 2.0 introspection endpoint. | /oauth2/introspect | Yes |
oauth2-config.provider.userinfo_endpoint | URL of the Authorization Server's userinfo endpoint. | /api/userinfo | Yes |
oauth2-config.provider.fetch_and_attach_userinfo | Whether to fetch and attach userinfo. | true | Yes |
oauth2-config.provider.consent_endpoint | URL of the Authorization Server's OIDC consent endpoint. | /discover/consent | Yes |
oauth2-config.provider.consent_view_page | Identifier of the HTML template to use when displaying the consent page. | oidc_authorize | Yes |
oauth2-config.provider.custom_grant_types | Custom grant types may be specified here. | No | |
oauth2-config.provider.token_revocation_endpoint | Path to token revocation API if enabled | ${oauth2-config.provider.token_endpoint}/revoke | No |
OIDC Configuration Settings
OIDC configuration settings including both client / server settings.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| oidc-config.client.clientDomain | This must be set to the host address of the Authorization Server itself. This, along with the value set for oidc-config.client.callbackEndpoint are appended to build the redirect URI parameter as part of its OIDC transaction with the Wallet Server (an OIDC relationship where Wallet Server is the provider to the Authorization Server). | https://authorizationserver.com | Yes |
| oidc-config.client.responseType | OIDC response type on successful token endpoint call. Suggested value causes an id_token return at the token endpoint. | id_token | Yes |
| oidc-config.client.scope | Scope applied to the initial OAuth authorize call made by the Authorization Server to the Wallet to create an outgoing identity request - enabling user to log in to FPX. | openid | Yes |
| oidc-config.client.callbackEndpoint | Path to OIDC callback endpoint for generating an authorization code after authentication. | /transaction/callback | Yes |
Application Settings
General application settings that are relate to html pages served directly from the Authorization Server, such as error pages.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| app.name | Name of the application displayed on the error page. | Sample Application | No |
| app.logo | Filename of the image to be used as the application logo. | logo.png | No |
| app.error-page-redirect-url | Redirect URL when redirecting from the default error page. | Yes | |
| app.error-page-title | Name of the error page as displayed on the error page header. | Error | No |
UMA Configuration Settings
UMA configuration settings including endpoint and supported grant types.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| uma-config.issuer | Issuer of tokens generated by the server, should be the location of the Authorization Server itself. | https://authorizationserver.com | Yes |
| uma-config.registrationEndpoint | Path to UMA registration endpoint. | /register | Yes |
| uma-config.configurationEndpoint | Path to UMA configuration discovery endpoint. | /.well-known/uma2-configuration | Yes |
| uma-config.jwksEndpoint | Path to UMA JWKS endpoint. | /jwks | Yes |
| uma-config.tokenEndpoint | Path to UMA token introspection endpoint. | /transaction/introspect | Yes |
| uma-config.introspectionEndpoint | Path to UMA introspection endpoint. | /transaction/introspect | Yes |
| uma-config.claimsGatheringEndpoint | Path to UMA claims gathering endpoint. | /transaction/claims-gathering | Yes |
| uma-config.revocationEndpoint | Path to UMA revocation endpoint. | /transaction/revocation | Yes |
| uma-config.capabilityEndpoint | Path to UMA capability endpoint. | /transaction/capability | Yes |
| uma-config.permissionEndpoint | Path to UMA permissions endpoint. | /transaction/permission | Yes |
| uma-config.grantTypesSupported | Grant types supported. | ["client_credentials", "urn:ietf:params:oauth:grant-type:uma-ticket", "refresh_token"] | Yes |
| uma-config.authzEndpoint | Path to UMA authorization endpoint. | /transaction/authorize | Yes |
| uma-config.callbackEndpoint | Path to UMA callback endpoint. | /transaction/callback | Yes |
| uma-config.permissionUpdateEndpoint | Path to UMA permission update endpoint. | /permission | Yes |
| uma-config.permissionAccessTokenEndpoint | Path to UMA permission token endpoint. | /permission/token | Yes |
SMART on FHIR Configuration Settings
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
smart-config.enabled | SMART on FHIR enabled flag | true | Yes |
smart-config.issuer | SMART on FHIR token issuer, should be the URL to the Authorization Server. | https://authorizationserver.com | Yes |
smart-config.registration_endpoint | SMART on FHIR registration endpoint. | /register | Yes |
smart-config.authorization_endpoint | SMART on FHIR authorize endpoint. | /oauth2/authorize | Yes |
smart-config.wellknown.basepath | Base path for SMART on FHIR well known path. | /oauth2/.well-known | Yes |
smart-config.wellknown.configuration_endpoint | Path to OAuth 2.0 configuration discovery endpoint. This is appended to {smart-config.wellknown.basepath} | /openid-configuration | Yes |
smart-config.wellknown.jwks_endpoint | SMART on FHIR JWKS endpoint. | /jwks | Yes |
smart-config.token_endpoint | SMART on FHIR token endpoint. | /transaction/token | Yes |
| smart-config.introspection_endpoint | SMART on FHIR introspection endpoint. | /transaction/introspect | Yes |
| smart-config.launch.resourceTypePattern | The REGEX pattern with which SMART resources' type parameter must conform to. | ((http|https)://)1(www.){0,1}hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html | Yes |
| smart-config.launch.resourceTypeURL | Static resource type of the SMART launch resource, shared when attempting to access information in order to use a SMART on FHIR app. | http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html | Yes |
FPX Server Configuration Settings
Base Authorization Server configuration, including registry endpoints and Wallet usage configuration.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| fpx-config.versionEndpoint | Endpoint to display the FPX version. | /.well-known/fpx-version | Yes |
| fpx-config.wallet.walletSelectPage | Endpoint to display the Wallet selection template page. | /select-wallet | Yes |
| fpx-config.wallet.walletSelectSubmitEndpoint | Endpoint where the Wallet selection template page will be submitted. | /submit-broker | Yes |
| fpx-config.wallet.rememberWalletFeatureEnabled | Enable or disable the remember wallet feature within the selection template. | false | Yes |
| fpx-config.registry.basePath | Base path for all registry endpoints. | /registry | Yes |
| fpx-config.registry.clients.walletEndpoint | Registry endpoint for Wallets. | /wallet | Yes |
| fpx-config.registry.clients.umaClientEndpoint | Registry endpoint for UMA clients. | /client | Yes |
| fpx-config.registry.clients.rsEndpoint | Registry endpoint for resource servers. | /resource-server | Yes |
| fpx-config.registry.clients.idpEndpoint | Registry endpoint for identity providers. | /identity-provider | Yes |
| fpx-config.registry.resources.resourceEndpoint | Registry endpoint for resources. | /resource | Yes |
| fpx-config.registry.resources.resourceDefinitionEndpoint | Registry endpoint for resource definitions. | /resource/resource_definition | Yes |
| fpx-config.registry.resources.ticketEndpoint | Registry endpoint for tickets. | /ticket | Yes |
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| fpx.oidc.client.stateSessionKey | Key to use for session state parameter. | fpx-csrf-key | Yes |
| fpx.oidc.client.ignoreCsrfCheck | Defines whether to not perform a cross-site request forgery check. | false | Yes |
| fpx.oidc.client.pkce.enforced | Defines whether to enforce the use of proof key for code exchange. | false | Yes |
| fpx.oidc.provider.self-hosted.enabled | Defines whether the Authorization Server will act as an identity provider. | true | Yes |
| fpx.oidc.provider.federated.enabled | Defines whether the Authorization Server will federate to an external identity provider. | false | Yes |
| fpx.oidc.provider.federated.federated_issuer | The issuer URL to use when the federation setting is enabled | {OIDC Provider} | Yes |
| fpx.oidc.provider.uma.enabled | Defines whether the Authorization Server will use UMA protocol. | true | Yes |
| fpx.oidc.provider.JWT-token.enabled | Defines whether the Authorization Server will use JWTs. | true | Yes |
| fpx.oidc.provider.jwt.defaultKeyId | The default ID key for the JWT. | rsa1 | Yes |
| fpx.oidc.provider.pkce.enforced | Defines whether to enforce the use of proof key for code exchange. | false | Yes |
| fpx.security.authority.introspection | Granted authority to use for introspection. | uma_protection | Yes |
| fpx.oidc.provider.revoke-token.enabled | Defines whether clients are able to Revoke access tokens and refresh tokens | true | No, default true |
Server defaults and expiry values
Basic defaults including token length and expiry for those same tokens.
| Parameter | Description | Suggested Value | Required |
|---|---|---|---|
| default.expiry-duration-params.resourceDefinitionExpirySeconds | Resource definition maximum expiry when shared in seconds. | 1800000 | Yes |
| default.expiry-duration-params.accessTokenLifetimeSeconds | Access token expiry in seconds. | 300 | Yes |
| default.expiry-duration-params.refreshTokenLifetimeSeconds | Refresh token expiry in seconds. | 300 | Yes |
| default.expiry-duration-params.accountSessionTokenLifetimeInSeconds | Account session token expiry in seconds. | 3600000000 | Yes |
| default.expiry-duration-params.agentOidcRequestLifetimeInSeconds | Wallet OIDC request expiry in seconds. | 25920000 | Yes |
| default.expiry-duration-params.patAccessTokenLifetimeInSeconds | Permission access token expiry for Resource Servers in seconds. | 5000 | Yes |
| default.length-params.permissionTokenLength | String length of the randomly generated IDs of permissions. | 16 | Yes |
| default.length-params.capabilityLength | String length of the randomly generated IDs of capabilities. | 20 | Yes |
| default.length-params.accountSessionTokenLength | String length of the randomly generated IDs of account session tokens. | 24 | Yes |
| default.length-params.umaRequestIdLength | String length of the randomly generated IDs of UMA requests. | 24 | Yes |