| Table of Contents |
|---|
...
The Swedish BankID authentication adapter is a standalone application which is deployed alongside Ubisecure SSO. It can be deployed to the same or different server. Currently, it is suggested that the application is deployed into the same server with Ubisecure SSO. Download the JAR file and on Linux for example, stored place it under
| Code Block |
|---|
/usr/local/ubisecure/ubilogin-sso-adapters/bankid-sweden |
...
| Note | ||
|---|---|---|
| ||
Although the application is currently deployed to the same node as Ubisecure SSO, it is suggested to secure the application using HTTPS in order to avoid leaking of sensitive information. This is especially suggested step that allows moving adapters to different servers than Ubisecure SSO. You can refer to Spring Boot Server SSL configuration instructions for more details. |
Application configuration properties
The following configuration properties can be set using the configuration prefix:
...
In order to secure the application from unknown clientsunauthorized clients, client authentication is based on OpenID Connect Core chapter 9, Client authentication. Both, the /bc-authorize and /token endpoints are secured. Currently, only private_key_jwt method is supported.
...
| Property | Type | Required | Default | Description |
|---|---|---|---|---|
trust-store.path | string | yes | The path to the key store where client public key certificate entries reside | |
trust-store.type | string | no | PKCS12 | The type of the client key store |
trust-store.password | string | yes | The password of the key store | |
clients | object array | yes | An array of client objects. Each client having its own entry | |
clients[n].id | string | yes | The client_id of the OpenID Connect client | |
clients[n].key-aliases | string array | yes | The aliases of client specific public key certificates stored in the key store denoted by ubisecure.sso.oidc.trust-store. If the client defines the kid JWT header, that is expected to be found in the key store. If the client is not setting kid JWK header, then each alias in this configuration is used to test for a matching key. |
| Info | ||
|---|---|---|
| ||
As of Ubisecure SSO 8.4.1 the |
Example configuration using external directory
As documented in Spring Boot External Configuration guide, one easy way to configure the application is to store a file in a directory named config which is located in the same directory with the application executable. So, as an example one could have a following structure:
...
| Code Block |
|---|
ubisecure:
sso:
oidc:
trust-store:
path: 'file:certs/client-trust-store'
password: 'secret'
clients:
- id: 'ubisecure-sso'
key-aliases:
- 'ubisecure-sso-auth-keyWtrEl8hop6_inC1OK6oTgskR668'
bankid:
sweden:
id-token:
issuer: 'https://sso-bankid.example.com'
signing-key-alias: 'id-token-signing-key'
signing-key-password: 'secret'
key-store:
path: 'file:certs/bankid-cacerts'
password: 'secret'
authentication-key:
alias: 'bankid-auth-key'
password: 'secret'
server-certificate:
alias: 'bankid-server-certificate' |
...
| Endpoint | Secured | Description |
|---|---|---|
/oidc/bc-authorize | yes | OpenID Connect CIBA backchannel authentication endpoint |
/oidc/token | yes | OpenID Connect token endpoint with additional CIBA parameters |
/oidc/.well-known/openid-configuration | no | OpenID Provider configuration metadata endpoint |
/oidc/jwks | no | Exposes JWKs provided by the service |
/v2/api-docs | no | Swagger 2.0 schema of the API |
/swagger-ui.html | no | Swagger UI to explore the API |
/actuator/health | no | For health checks. This only checks that the application is up and running. No external requests are made. Health check of the BankID provider is not included |
/actuator/info | no | For application version information |
...
Assuming that the application is deployed to localhost for Ubisecure SSO to access, the endpoints can be accessed as follows:
| Endpoint | Description |
|---|---|
http(s)://localhost:<port>/oidc/.well-known/openid-configuration | OpenID Connect Provider metadata |
http(s)://localhost:<port>/oidc/jwks | ID Token signing keys and issuer metadata |
...