Security

HTTPS

To switch IDLive Face Server to HTTPS, set the SERVER_SSL_ENABLED environment variable to true. This changes the default port from 8080 to 8443:

docker run \
    --env SERVER_SSL_ENABLED=true \
    -p 8443:8443 \
    ...

By default the Server uses a self-signed certificate. To use your own, mount the certificate into the container as a volume and pass its in-container path via the SERVER_SSL_KEY_STORE environment variable:

docker run \
    --env SERVER_SSL_ENABLED=true \
    --env SERVER_SSL_KEY_STORE=/tls/bundle.pem \
    --volume /etc/idliveface/bundle.pem:/tls/bundle.pem \
    ...

The PEM file must contain both the certificate and its private key. If they are in separate files, put their paths in a config file (source.key points at the private key, source.cert at the certificate chain):

config.properties
source.key=/tls/privkey.pem
source.cert=/tls/fullchain.pem

Then point the Server at that config via SERVER_SSL_KEY_STORE and set the SERVER_SSL_KEY_STORE_TYPE environment variable to PEMCFG.MOD:

docker run \
    --env SERVER_SSL_ENABLED=true \
    --env SERVER_SSL_KEY_STORE=/tls/config.properties \
    --env SERVER_SSL_KEY_STORE_TYPE=PEMCFG.MOD \
    --volume /etc/idliveface/tls:/tls \
    ...
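As an added example (not part of the IDLive Face Server documentation), the following POSIX shell helpers check a PEM bundle for both blocks the single-file SERVER_SSL_KEY_STORE mode expects, and write the PEMCFG.MOD config for the split-file case. File names, the demo bundle contents and the /tls mount paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the HTTPS settings described above.
# Not the project's own code; paths below are illustrative assumptions.

# check_pem_bundle FILE
# Returns 0 if FILE holds both a certificate and a private key block,
# which is what the single-file SERVER_SSL_KEY_STORE mode expects.
# Returns 1 (with a reason on stderr) otherwise.
check_pem_bundle() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "unreadable: $bundle" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" || {
        echo "no certificate block in $bundle" >&2; return 1; }
    # Matches PKCS#8 ("BEGIN PRIVATE KEY") as well as "BEGIN RSA/EC PRIVATE KEY".
    grep -q -- 'PRIVATE KEY-----' "$bundle" || {
        echo "no private key block in $bundle" >&2; return 1; }
    return 0
}

# write_pemcfg CERT KEY OUT
# Writes the PEMCFG.MOD config.properties for separate certificate and key
# files. CERT and KEY are in-container paths (the host dir is mounted at /tls).
write_pemcfg() {
    cert="$1"; key="$2"; out="$3"
    printf 'source.key=%s\nsource.cert=%s\n' "$key" "$cert" > "$out"
}

# bundle_docker_args HOST_BUNDLE
# Prints the docker run flags for single-bundle HTTPS mode (port 8443).
bundle_docker_args() {
    printf -- '--env SERVER_SSL_ENABLED=true '
    printf -- '--env SERVER_SSL_KEY_STORE=/tls/bundle.pem '
    printf -- '--volume %s:/tls/bundle.pem -p 8443:8443\n' "$1"
}

# Demo on a constructed (fake) bundle so the script runs offline.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...fake\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/bundle.pem"
printf -- '-----BEGIN PRIVATE KEY-----\nMIIE...fake\n-----END PRIVATE KEY-----\n' \
    >> "$demo_dir/bundle.pem"
if check_pem_bundle "$demo_dir/bundle.pem"; then
    echo "bundle ok; docker flags: $(bundle_docker_args "$demo_dir/bundle.pem")"
fi
rm -rf "$demo_dir"
```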

JWT

IDLive Face Server supports JWT-based authentication. To enable it, set the IDFACE_SERVER_AUTHENTICATION environment variable to jwt and specify the issuer URI of the authorization server, from which its configuration endpoint is discovered:

docker run \
    --env IDFACE_SERVER_AUTHENTICATION=jwt \
    --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://example.com/realms/test \
    ...

If your authorization server does not expose a configuration endpoint, specify its JWK Set endpoint instead:

docker run \
    --env IDFACE_SERVER_AUTHENTICATION=jwt \
    --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://example.com/realms/test/protocol/openid-connect/certs \
    ...

Additionally, you can specify the audiences (the aud claim) that the JWT should contain; tokens issued for other audiences are rejected:

docker run \
    --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES=idliveface \
    ...

Note that the /api_version endpoint never requires authentication.