Introduction
Each application may consist of multiple clients. For example a online web shop might have a native iOS application, an Android APP, a web based version and an API for external suppliers. Each of those represent a client which can have different settings and different security settings. Be sure to identify your clients correctly and not to reuse the same client for multiple clients. It’s possible to use the same client in multiple parts of your software, but always keep in mind that this will affect your overall security structure as you loose the ability to change client secrets for a single part, authentication redirect URLs can not be restricted to the minimum and so on.
Parameters
General
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Token specification | Drop Down | ✅ | oidc | Choose any of the supported token specification Depending on your selection, the subsequent parameters might change. |
Client identificator | String | ✅ | webshop_android | Each client must be uniquely identified. Provide a value that you also must use in the clients configuration later on. Choose either something self explanatory or a random value if you wanna hide the purpose of the client as a security measurement. |
Name | String | ✅ | Android Webshop Application | Identifies your client in a readable way in the system |
Logout URI | URL | https://www.webshop.com/logout | If no logout URL will be provided by the client, the user will be redirected to this URL after a logout. | |
Redirect Uri (Regex) * | REGEX Pattern | ✅ | regex:^https:\/\/webshop\.ch$ | The client will provide an URL where the user will be redirected to after a successful authentication. It’s good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This will significantly increase the security of the system. Wildcards can be configured, but only do this when absolutely necessary. |
Scope | Multi Value | profile email | A list of scopes that the client can request. If the client requests a scope that is not part of this configuration, he will not be able to perform an authentication. Be careful to only allow the scopes that are really necessary for the application to work with. | |
Default level of authentication entry | Drop Down | ✅ | Default | Select a default level of authentication entry that will be used to determinate the authentication flow for the user. |
Token
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Identity Token Life Time | Seconds | ✅ | 300 | Defines the lifetime of the identity token that will be issues for a user. |
Access token life time | Seconds | ✅ | 3600 | Defines the lifetime of that access token that will be issued for a user and a specific client. |
Authorization code life time | Seconds | ✅ | 300 | Defines the lifetime of the authorization code that will be used in some authentication processes. Less is more secure! |
Refresh token expiration type | Drop Down | ✅ | Absolute |
|
Sliding refresh token life time | Seconds | ✅ | 1296000 | Sliding lifetime of a refresh token in seconds. |
Absolute refresh token life time | Seconds | ✅ | 2592000 | Maximum lifetime of a refresh token in seconds |
Always include user claims in id token | Checkbox | ✅ | false | When both tokens, the id and the access token, are requested, this defines if the user claims should be included in the id token or not. If set to false, the client must get the info by using the user info endpoint. |
Update access token claims on refresh | Checkbox | ✅ | true | Defines whether or not the access token should be refreshed when a refresh token is requested |
Include JSON web tokens | Checkbox | ✅ | true | Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim). |
Refresh token usage type | Drop Down | ✅ | OneTime |
|
Access token type | Drop Down | ✅ | JWT | Specifies whether the access token is a reference token or a self contained JWT token |
Authentication
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Require Consent | Checkbox | ✅ | false | Defines whether or not the user needs to give consent when accessing this client. |
Allow remember me | Checkbox | ✅ | false | Whether or not the user is presented with the option to select “remember me” which will cause the persistence of a cookie in the clients browser for any subsequent logins. |
Enable local authentication | Checkbox | ✅ | true | Defines if local logins are allowed. If set to false, only external logins are available to the user. |
URI | string | https://www.coreone.ch | The url of the client / application. | |
Email verification redirect uri | REGEX Pattern | regex:^https:\/\/webshop\.ch$ | If any external systems are using urls to verify the mail address of authentication users, the provided redirect uri in the link will be tested against the configured pattern. Wildcards can be configured, but only do this when absolutely necessary. | |
Post logout redirect URI's | REGEX Pattern | regex:^https:\/\/webshop\.ch$ | The client will provide an URL where the user will be logged out. It’s good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This will significantly increase the security of the system. Wildcards can be configured, but only do this when absolutely necessary. | |
Identity provider restrictions | REGEX Pattern | regex:^https:\/\/swissid\.ch$ | Defines a list of allowed external identity providers that are allowed. | |
Required Multi-Factor Authentication | Checkbox | ✅ | true | Whether or not a MFA authentication is required for the client |
Allow self-registration | Checkbox | ✅ | true | Whether or not a self registration is allowed for this client or not. |
Activation disabled | Checkbox | ✅ | true | If the activation process is enabled in the system, you can disable it for a specific client. |
Show in self-service | Checkbox | ✅ | true | Whether or not the client should be listed in the user self-service portal. |
OpenID Connect
Those options are only available if the token specification oidc was selected.
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Allowed Cross-Origin Resource Sharing origins | string | http://www.externalorigin.com | A collection of sources that will be used in the CORS policy. | |
Require client secret | Checkbox | ✅ | true | Whether or not the client needs a secret to request a token or not. |
Require PKCE | Checkbox | ✅ | true | Whether clients using an authorization code based grant type must send a proof key. |
Allow plain text PKCE | Checkbox | ✅ | false | Whether clients using PKCE can use a plain text code challenge. |
Allow access token via browser | Checkbox | ✅ | false | Whether this client is allowed to receive access tokens via the browser. |
Allow offline access | Checkbox | ✅ | false | Specifies whether this client can request refresh tokens (be requesting the |
Flow | Multi Select | ✅ | authorization code | One of the following grant types according to the OIDC and OAuth 2 specification
|
Secret | Password | 🔑 * * * * * * * | The secret that will be shared with the client. |
Relying party
Those options are only available if the token specification ws-fedwas selected.
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Signature algorithm | Drop Down | ✅ | Sha256 | Any signature algorithm that is installed on the server |
Digest algorithm | Drop Down | ✅ | Sha256 | Any digest algorithm that is installed on the servers |
Saml name identfier format | Drop Down | ✅ | Email Adress | The format of the saml name identifier format |
Token type | Drop Down | ✅ | Saml 2.0 | The format of the token. Either |
Service
Those options are only available if the token specification saml2pwas selected.
Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
Require Saml Request Destination | Checkbox | ✅ | true | |
Sign assertions | Checkbox | ✅ | true | Defines if our saml response is signed with the configured certificate |
Signing certificate type | Drop Down | Only when sign assertions is checked | Windows store | The format of the certificate. It can either be hosted in the |
Signing certificate | Certificate | Only when sign assertions is checked | MyCert | See above. |
Encrypt assertions | Checkbox | ✅ | true | Defines if our saml response is encrypted with the configured certificate |
Encryption certificate type | Drop Down | Only when sign assertions is checked | The format of the certificate. It can either be hosted in the | |
Encryption certificate | Certificate | Only when sign assertions is checked | See above. |