Comment: Published by Scroll Versions from space IDS and version 8.5


Note: Securing HTTP connections

Although the application is currently deployed to the same node as Ubisecure SSO, it is suggested to secure the application using HTTPS in order to avoid leaking sensitive information. This step is especially suggested because it allows moving adapters to different servers than Ubisecure SSO. You can refer to the Spring Boot Server SSL configuration instructions for more details.

Application configuration properties

The following configuration properties can be set using the configuration prefix:

...

In order to secure the application from unauthorized clients, client authentication is based on OpenID Connect Core chapter 9, Client authentication. Both the /bc-authorize and /token endpoints are secured. Currently, only the private_key_jwt method is supported.

...

| Property | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| trust-store.path | string | yes | | The path to the key store where client public key certificate entries reside |
| trust-store.type | string | no | PKCS12 | The type of the client key store |
| trust-store.password | string | yes | | The password of the key store |
| clients | object array | yes | | An array of client objects. Each client has its own entry |
| clients[n].id | string | yes | | The client_id of the OpenID Connect client |
| clients[n].key-aliases | string array | yes | | The aliases of client-specific public key certificates stored in the key store denoted by ubisecure.sso.oidc.trust-store. If the client defines the kid JWT header, that is expected to be found in the key store. If the client does not set the kid JWT header, then each alias in this configuration is used to test for a matching key. |
Info: key-aliases for Ubisecure SSO

As of Ubisecure SSO 8.4.1, the clients[n].key-aliases entry has to match the kid published by SSO in its JWKS metadata response. See OAuth 2.0 and OpenID Connect metadata - SSO for more details.
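
The key selection rule described for clients[n].key-aliases, sketched in Python as an added example (not Ubisecure's code). The client and alias names, the RS256-only allow-list, and the requirement that a kid must also be listed under the client's own key-aliases are assumptions; verifying the signature against the selected certificate is outside what this block shows.

```python
import base64
import json

# Constructed sample data (assumptions): aliases present in the PKCS12 trust
# store, and the clients[n].id -> clients[n].key-aliases mapping.
TRUST_STORE_ALIASES = {"sso-key-1", "sso-key-2", "other-client-key"}
CLIENTS = {"sso-client": ["sso-key-1", "sso-key-2"]}
SUPPORTED_ALGS = {"RS256"}  # assumption: rejects "none" and anything unlisted


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_assertion(header):
    """Build a constructed sample assertion; payload and signature are dummies."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.c2ln" % (enc(header), enc({"iss": "sso-client", "sub": "sso-client"}))


def candidate_aliases(client_id, client_assertion):
    """Return the trust-store aliases to try for a private_key_jwt assertion."""
    aliases = CLIENTS.get(client_id)
    if aliases is None:
        raise ValueError("unknown client_id")
    parts = client_assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("malformed JWT header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in SUPPORTED_ALGS:
        raise ValueError("unsupported alg")
    kid = header.get("kid")
    if kid is not None:
        # kid present: it must name one of this client's aliases in the store.
        if kid not in aliases or kid not in TRUST_STORE_ALIASES:
            raise ValueError("kid does not match a configured key alias")
        return [kid]
    # kid absent: every configured alias is tried in turn.
    return [a for a in aliases if a in TRUST_STORE_ALIASES]


if __name__ == "__main__":
    print(candidate_aliases("sso-client", sample_assertion({"alg": "RS256", "kid": "sso-key-2"})))
    print(candidate_aliases("sso-client", sample_assertion({"alg": "RS256"})))
```

Binding the kid to the client's own alias list keeps a certificate that the trust store holds for one client from authenticating another.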

Example configuration using external directory

As documented in the Spring Boot External Configuration guide, one easy way to configure the application is to store a file in a directory named config, located in the same directory as the application executable. As an example, one could have the following structure:

...