Security
HTTPS
To switch IDLive Face Server to HTTPS, set the SERVER_SSL_ENABLED environment variable to true. This changes the default port from 8080 to 8443:
docker run \
--env SERVER_SSL_ENABLED=true \
-p 8443:8443 \
...
By default, the Server uses a self-signed certificate. You can replace it by mounting your own certificate as a volume and passing its path inside the container via the SERVER_SSL_KEY_STORE environment variable:
docker run \
--env SERVER_SSL_ENABLED=true \
--env SERVER_SSL_KEY_STORE=/tls/bundle.pem \
--volume /etc/idliveface/bundle.pem:/tls/bundle.pem \
...
The PEM file should contain both the certificate and the private key. If you keep them in separate files, point to each of them in a properties config (source.key is the private key, source.cert the certificate or certificate chain):
# private key
source.key=/tls/privkey.pem
# certificate (chain)
source.cert=/tls/fullchain.pem
Then use this config by pointing SERVER_SSL_KEY_STORE at it and setting the SERVER_SSL_KEY_STORE_TYPE environment variable to PEMCFG.MOD:
docker run \
--env SERVER_SSL_ENABLED=true \
--env SERVER_SSL_KEY_STORE=/tls/config.properties \
--env SERVER_SSL_KEY_STORE_TYPE=PEMCFG.MOD \
--volume /etc/idliveface/tls:/tls \
...
JWT
IDLive Face Server supports JWT-based authentication. To enable it, set the IDFACE_SERVER_AUTHENTICATION environment variable to jwt and specify the issuer URI of the authorization server, from which its configuration endpoint is discovered:
docker run \
--env IDFACE_SERVER_AUTHENTICATION=jwt \
--env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://example.com/realms/test \
...
If your authorization server does not expose a configuration endpoint, the JWK Set endpoint can be specified instead:
docker run \
--env IDFACE_SERVER_AUTHENTICATION=jwt \
--env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://example.com/realms/test/protocol/openid-connect/certs \
...
Additionally, you can specify the audiences (the aud claim) that the JWT must contain:
docker run \
--env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES=idliveface \
...
Note that the /api_version endpoint never requires authentication.
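The checks that the issuer and audience settings above turn on, shown as an added illustration rather than IDLive Face Server code: the server verifies signatures against keys fetched from the issuer's JWK Set, while this stand-in uses HS256 with a constructed shared secret so that it runs offline; the issuer URI and audience value are the ones from the examples above.

```python
"""Illustration of the JWT acceptance rules configured above (added example)."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.com/realms/test"  # SPRING_..._JWT_ISSUER_URI
AUDIENCES = {"idliveface"}                   # SPRING_..._JWT_AUDIENCES
SECRET = b"constructed-demo-secret"          # stand-in for the JWK Set key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWS (header.payload.signature) as constructed test input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate(token: str, now=None) -> set:
    """Return the names of the failed checks; an empty set means the token is accepted."""
    now = time.time() if now is None else now
    header, payload, sig = token.split(".")
    failures = set()
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        failures.add("signature")
    claims = json.loads(_b64url_decode(payload))
    # iss must equal the configured issuer URI.
    if claims.get("iss") != ISSUER:
        failures.add("iss")
    # aud may be a single string or a list; one entry must match a configured audience.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if AUDIENCES and not AUDIENCES.intersection(aud):
        failures.add("aud")
    # exp is mandatory here and must lie in the future.
    if claims.get("exp") is None or claims["exp"] <= now:
        failures.add("exp")
    return failures
```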