Authentication
This section shows how to enable authentication using JWT-MS.
JWT Authentication for Account Aggregation Microservices with the release version 202007 and before, uses the JWT Authentication in the IRIS layer. Hence, follow JWT authentication using IRIS for configuring the deployment artefacts (web archives).
From 202010, JWT Authentication happens in the microservice layer using the environment variable configuration. The validation happens in-house and reduces any HTTP hop between IRF and Microservices.
JWT Authentication - Account Aggregation IRIS
Account Aggregation Microservice should be up and running on J2ee stack to enable the below JWT authentication. Please refer here for more information on MS deployment.
Account Aggregation IRF is available as a web archive (war) for the below stack:
- J2EE (ms-accountaggregate-j2ee-iris.war)
Configuration of JWT:
Set the claims that need to be extracted from the JWT payload and token validation parameters in spring-jwt-iris-authenticator.xml located in the \WEB-INF\classes\ path.
- Set the value issuer from JWT Token payload (Fabric), and public key in base 64 format in pkEncoded.
<beans:bean id="oidcProviderServer" class="com.temenos.security.oidc.common.OidcProviderServer"> <beans:property name="issuer" value="Nordea" /> <beans:property name="pkEncoded" value="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2SjJoQ3pxZXMwUUxkbVJUcFVnSA0KZW9LR1l3QWN5ejZYcTF6cWVBMjdMZWQxbXF5dzZETnJ5enl0bWtCNGNEdUc0cldvQXRydVZiY3ZmUDhVdi9nbg0KVXdDQXg2dzhxb2E4czNqa0ljUFM3QWlwNEFXTkNJNTdaRk9KSU1aNmx3SHRhWEgxaEIvUElnYk54NjlIb3VkSw0KSUc2WDZRdlZlOUtYbWhlbytVbGZsakE1Mm4zWmY5QnlRKy9xQ2w3eXJwcENQYk5PUHFraHBNQ0ZtQ0VrMjQxTg0KWDdxRlZKZTg0M1YzbnJwcXdJejROaVh5cjc0bFVaYVRGNUs0VHNZdnUreDBWemthRnpWUWlpUEw5QmVCZGZDMw0KYlA4cGJZMFd6MFFGQk1DRUJQRERzWWdEczZXcXBWam5CcklWTmVJdGZWY2hjK2JwZFNnWVVZRUR3RGlVczdpQg0KOFFJREFRQUI=" /> <beans:property name="pkCertEncoded" value="" /> <beans:property name="pkCertFilePath" value="" /> <beans:property name="pkJwksUri" value="" /> <beans:property name="decryptingJwkEncoded" value="" /> <beans:property name="principalClaim" value="sub" /> </beans:bean> - Set the list of claims to be extracted from JWT as below, if required.
<beans:bean id="requiredFields" class="com.temenos.irf.web.security.jwt.parser.RequiredFieldsExtractor"> <beans:property name="claimsToExtract"> <beans:map> <beans:entry key="" value="" /> </beans:map> </beans:property> </beans:bean>
JWT Authentication - Account Aggregation Microservice Framework
JWT signature is used to verify that the token is signed by the sender and not altered in any way.
The signature is created using the Header and Payload segments, a signing algorithm, and a secret or public key.
To enable JWT Authorization, ms.security.tokencheck.enabled should be set as Y.
In addition, the following properties should also be set as environment variables:
| Property | Description |
|---|---|
| JWT_TOKEN_ISSUER | Identifies the issuer of the authentication token: JWT_TOKEN_PUBLIC_KEY |
| JWT_TOKEN_PUBLIC_KEY | Indicates Base64 encoded public key content that can be directly loaded as a public key certificate. |
| JWT_TOKEN_PRINCIPAL_CLAIM | Indicates the claim in which the user principal is provided. |
|
ID_TOKEN_SIGNED |
Enables the JWT signature validation along with the header and payload. |
Set the above mentioned JWT configuration properties as Environment Variables in api container in yml for K8, api properties for J2EE and install scripts for Azure and AWS.
Custom Claims
Apart from the above properties, one can set custom claims as shown below:
JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2
J2EE
In all the J2EE war deployment, navigate to the path(\ms-accountaggregation-package-j2ee.ear\xxxx.war\WEB-INF\classes\properties\) and configure the below JWT authentication in api.properties.
api.properties
ms.security.tokencheck.enabled=Y JWT_TOKEN_PRINCIPAL_CLAIM=FABRICUSER JWT_TOKEN_ISSUER=Fabric ID_TOKEN_SIGNED=false JWT_TOKEN_PUBLIC_KEY=TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI=
Custom Claims
Apart from the above properties, one can set custom claims as shown below:
JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2
Azure
Set the below mentioned JWT authentication properties as Environment Variables in the install scripts:
install.sh/ install.bat
ms_security_tokencheck_enabled="Y" JWT_TOKEN_PRINCIPAL_CLAIM="FABRICUSER" JWT_TOKEN_ISSUER="Fabric" ID_TOKEN_SIGNED="true" JWT_TOKEN_PUBLIC_KEY="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
Custom Claims
Apart from the above properties, one can set custom claims as shown below:
JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2
AWS
Set the below mentioned JWT authentication properties as Environment Variables in the install scripts:
install-aws.sh
ms_security_tokencheck_enabled=Y JWT_TOKEN_PRINCIPAL_CLAIM=FABRICUSER JWT_TOKEN_ISSUER=Fabric ID_TOKEN_SIGNED="true" JWT_TOKEN_PUBLIC_KEY="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
Custom Claims
Apart from the above properties, one can set custom claims as shown below:
JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2
K8
Set the below mentioned JWT authentication properties as Environment Variables in accountaggregation-api-config.yml:
accountaggregation-api-config.yml
ms_security_tokencheck_enabled:"N" JWT_TOKEN_PRINCIPAL_CLAIM:FABRICUSER JWT_TOKEN_ISSUER:Fabric ID_TOKEN_SIGNED:"true" JWT_TOKEN_PUBLIC_KEY:"TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
Custom Claims
Apart from the above properties, one can set custom claims as shown below:
JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2
In this topic