Security
HTTPS
To switch IDLive Face Server to HTTPS, set the SERVER_SSL_ENABLED environment variable to true. This changes the default port from 8080 to 8443, so the published port has to change with it:
docker run \
--env SERVER_SSL_ENABLED=true \
-p 8443:8443 \
...
By default the Server uses a self-signed certificate, which clients will not trust without extra configuration. To use your own certificate, mount the file into the container as a volume and pass its path inside the container via the SERVER_SSL_KEY_STORE environment variable:
docker run \
--env SERVER_SSL_ENABLED=true \
--env SERVER_SSL_KEY_STORE=/tls/bundle.pem \
--volume /etc/idliveface/bundle.pem:/tls/bundle.pem \
...
The PEM file must contain both the certificate and its private key. If the certificate and the key are in separate files, reference them from a small properties file instead. source.key must point at the private key and source.cert at the certificate, and both paths are the ones seen inside the container:
source.key=/tls/privkey.pem
source.cert=/tls/fullchain.pem
Then point SERVER_SSL_KEY_STORE at that properties file and set the SERVER_SSL_KEY_STORE_TYPE environment variable to PEMCFG.MOD. Mount the whole directory holding the properties file, the certificate and the key, so that all three paths resolve inside the container:
docker run \
--env SERVER_SSL_ENABLED=true \
--env SERVER_SSL_KEY_STORE=/tls/config.properties \
--env SERVER_SSL_KEY_STORE_TYPE=PEMCFG.MOD \
--volume /etc/idliveface/tls:/tls \
...
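The two TLS layouts above (a single bundle.pem, or a PEMCFG properties file pointing at separate files) are easy to get subtly wrong: a bundle missing its key, or source.key and source.cert pointing at each other's files. The following pre-flight check is an added example and not code from the IDLive Face Server project; it assumes a host directory mounted into the container at /tls and uses constructed placeholder PEM blocks, not real keys or certificates.

```python
"""Pre-flight checks for the TLS files passed to IDLive Face Server.

Added example, not code from the IDLive Face Server project. It assumes the
layout used above: a host directory (e.g. /etc/idliveface/tls) mounted into the
container at /tls, and either a single bundle.pem or a PEMCFG-style properties
file with source.key and source.cert entries that use container paths.
"""
import re
import tempfile
from pathlib import Path

# PEM block labels accepted as a private key, and the label of a certificate.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_LABEL = "CERTIFICATE"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Check a single-file bundle (SERVER_SSL_KEY_STORE without PEMCFG):
    it needs a certificate and exactly one private key."""
    labels = pem_labels(text)
    problems = []
    if CERT_LABEL not in labels:
        problems.append("no CERTIFICATE block in bundle")
    keys = [label for label in labels if label in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    return problems


def parse_pemcfg(text):
    """Parse key=value lines of a PEMCFG properties file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def check_pemcfg(cfg_text, host_dir, container_dir="/tls"):
    """Map the container paths in the config back to the host directory and
    verify that source.key really holds a private key and source.cert a
    certificate; this catches the two entries being swapped."""
    cfg = parse_pemcfg(cfg_text)
    problems = []
    for entry, wanted in (("source.key", KEY_LABELS), ("source.cert", {CERT_LABEL})):
        path = cfg.get(entry)
        if path is None:
            problems.append(f"{entry} is missing from the config")
            continue
        if not path.startswith(container_dir + "/"):
            problems.append(f"{entry}={path} is outside the {container_dir} mount")
            continue
        host_path = Path(host_dir) / path[len(container_dir) + 1:]
        if not host_path.is_file():
            problems.append(f"{entry}={path} does not exist on the host ({host_path})")
            continue
        found = set(pem_labels(host_path.read_text()))
        if not found & wanted:
            problems.append(f"{entry}={path} holds {sorted(found)}, expected {sorted(wanted)}")
    return problems


def demo():
    """Run the checks against constructed placeholder PEM files (not real
    keys or certificates) in a temporary stand-in for the host directory."""
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as host_dir:
        Path(host_dir, "fullchain.pem").write_text(cert)
        Path(host_dir, "privkey.pem").write_text(key)
        correct = "source.key=/tls/privkey.pem\nsource.cert=/tls/fullchain.pem\n"
        swapped = "source.key=/tls/fullchain.pem\nsource.cert=/tls/privkey.pem\n"
        return {
            "bundle_ok": check_bundle(cert + key),
            "bundle_missing_key": check_bundle(cert),
            "pemcfg_ok": check_pemcfg(correct, host_dir),
            "pemcfg_swapped": check_pemcfg(swapped, host_dir),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Run it against the real host directory (replace the temporary directory in demo() with /etc/idliveface/tls and the actual config.properties text) before starting the container; a swapped key/cert pair fails here instead of at Server start-up. The check only looks at PEM labels, so it does not prove that the key matches the certificate.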
JWT
IDLive Face Server supports JWT-based authentication with bearer tokens issued by an OAuth 2.0 / OpenID Connect authorization server. To enable it, set the IDFACE_SERVER_AUTHENTICATION environment variable to jwt and provide the issuer URI of the authorization server. The Server fetches the issuer's configuration (discovery) document from that URI to locate the signing keys and validates the iss claim of every token against it:
docker run \
--env IDFACE_SERVER_AUTHENTICATION=jwt \
--env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://example.com/realms/test \
...
If your authorization server does not publish a configuration document, specify its JWK Set endpoint (the signing keys) directly instead. Note that with only a JWK Set URI configured there is no issuer to compare against, so the iss claim of a token is not checked:
docker run \
--env IDFACE_SERVER_AUTHENTICATION=jwt \
--env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://example.com/realms/test/protocol/openid-connect/certs \
...
Additionally, you can restrict which audiences (the aud claim) a token must carry. Without this setting any valid token from the issuer is accepted, including tokens minted for other applications, so set it to the audience your authorization server assigns to IDLive Face Server:
docker run \
--env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES=idliveface \
...
Note that the /api_version endpoint never requires authentication: it stays reachable without a token even when JWT authentication is enabled.
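To make the effect of the ISSUER_URI and AUDIENCES settings concrete, here is the claim validation a JWT resource server applies, worked through offline. This is an added example, not IDLive Face Server or Spring Security code: it re-implements the checks in plain Python (issuer match, exp/nbf with a 60 second clock-skew allowance, audience only when audiences are configured). Signature verification against the issuer's JWK Set is deliberately left out because it needs the keys from the network, and the issuer URL, audience names and tokens are constructed for the demo.

```python
"""Bearer-token checks behind the JWT settings above, worked through offline.

Added example, not IDLive Face Server or Spring Security code: it re-implements
in plain Python the claim validation a JWT resource server performs, so the
effect of the ISSUER_URI and AUDIENCES settings can be seen. Signature
verification against the issuer's JWK Set is left out (it needs the keys from
the network), so tokens are decoded without being verified. The tokens,
issuer and audience names below are constructed for the demo.
"""
import base64
import json
import time


def b64url_decode(data):
    """Decode unpadded base64url, as used in compact JWS."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def discovery_url(issuer):
    """Where a resource server fetches the issuer's configuration document
    (and from it the jwks_uri) when only ISSUER_URI is configured."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def decode_jwt(token):
    """Split a compact JWS into (header, claims). No signature check here."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def validate_claims(claims, issuer, audiences=None, now=None, skew=60):
    """Return the list of failed checks (empty means the token is accepted).

    iss must equal the configured issuer, exp/nbf are checked with a clock
    skew allowance, and aud is checked only when audiences are configured,
    which is exactly why an unset AUDIENCES lets any token from the issuer in.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match {issuer!r}")
    if "exp" in claims and now > claims["exp"] + skew:
        problems.append("token has expired")
    if "nbf" in claims and now < claims["nbf"] - skew:
        problems.append("token is not yet valid")
    if audiences:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if not set(aud) & set(audiences):
            problems.append(f"aud {aud} contains none of {list(audiences)}")
    return problems


def make_demo_token(claims):
    """Build a compact JWS with a placeholder signature (constructed sample;
    a real authorization server signs it with a key published in its JWK Set)."""
    header = {"alg": "RS256", "kid": "demo-key"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def demo():
    """A token minted for a different client of the same issuer, checked with
    and without an audience restriction, plus a wrong issuer and an expired one."""
    issuer = "https://example.com/realms/test"
    now = 1_700_000_000
    claims = {"iss": issuer, "sub": "svc-other", "aud": "some-other-app",
              "iat": now - 30, "exp": now + 300}
    _header, decoded = decode_jwt(make_demo_token(claims))
    return {
        "no_audience_check": validate_claims(decoded, issuer, now=now),
        "audience_check": validate_claims(decoded, issuer, audiences=["idliveface"], now=now),
        "wrong_issuer": validate_claims(decoded, "https://other.example/realms/test", now=now),
        "expired": validate_claims(dict(decoded, exp=now - 120), issuer, now=now),
    }


if __name__ == "__main__":
    print(discovery_url("https://example.com/realms/test"))
    for name, problems in demo().items():
        print(f"{name}: {problems or 'accepted'}")
```

The "no_audience_check" case is the one to notice: a token the authorization server issued for some-other-app passes every default check and would reach the Server's API, which is why SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES should be set in any deployment where the issuer serves more than one application.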