
Authentication Service

Introduction

A service that authenticates users and validates their certificates against OCSP. Supported authentication means:

  • EE: Mobile-ID, Smart-ID, ID card (authentication certificate validated via OCSP).
  • LV: eParaksts mobile (eID, Mobile; by redirect to the LVRTC auth site), ID card (authentication certificate validated using the SK ID Solutions OCSP proxy service (CRL)), Smart-ID.
  • LT: Mobile-ID, ID card (authentication certificate validated using the SK ID Solutions OCSP proxy service (CRL)), Smart-ID.

Go To Authentication Service API Doc

Installation guide

dmss-authentication-service is distributed as a Docker image and is available for download from the official TrustLynx DockerHub registry. It is a Spring Boot application that uses openjdk:11 as its base image.

To run the dmss-authentication-service container, use the following example:

docker run \
--name dmss-authentication-service \
--publish 8089:8089 \
--volume ./resources/application.yml:/appconf/application.yml \
--volume ./resources/digidoc4j-custom.yml:/appconf/digidoc4j-custom.yml \
--volume ./resources/mobid.jks:/etc/mobid.jks \
--volume ./resources/keystore.jks:/etc/keystore.jks \
--volume ./resources/ssl_tsl_truststore.p12:/etc/ssl_tsl_truststore.p12 \
--volume ./resources/trusted_certificates_test.jks:/etc/trusted_certificates_test.jks \
--env SPRING_PROFILES_ACTIVE="dev" \
--env SPRING_CONFIG_LOCATION=/appconf/application.yml \
digitalmindss/dmss-authentication-service

Exposed Ports

By default, Authentication Service exposes one port for HTTP connection.

  • Port 8089 - is a default HTTP port of Authentication Service.

Docker Volumes

  1. /appconf/application.yml - authentication service configuration file
  2. /appconf/digidoc4j-custom.yml - configuration file of the DigiDoc4j document signing library
  3. /etc/mobid.jks - Java Keystore (JKS) with the Mobile-ID certificates
  4. /etc/keystore.jks - Java Keystore (JKS) with the DigiDoc4j certificates
  5. /etc/ssl_tsl_truststore.p12 - PKCS#12 truststore with the SSL/TSL certificates
  6. /etc/trusted_certificates_test.jks - Java Keystore (JKS) with trusted test certificates; needed for the DEMO environment only

Environment variables

In addition, dmss-authentication-service reads the following environment variables:

  1. SPRING_PROFILES_ACTIVE - sets the active Spring profiles.
  2. SPRING_CONFIG_LOCATION - the configuration file to load (e.g. a classpath resource or a URL).

For example, as container env entries:

env:
  - name: SPRING_PROFILES_ACTIVE
    value: "dev"
  - name: SPRING_CONFIG_LOCATION
    value: /appconf/application.yml
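The same two variables and the documented volume paths, written as a Kubernetes Deployment fragment. This is an added example and not part of the TrustLynx documentation: the Deployment name, the ConfigMap name (dmss-auth-config), the Secret names (dmss-auth-keystores, dmss-auth-credentials) and the LVRTC_CLIENT_SECRET variable name are assumptions. Keystores come from a Secret and are mounted read-only; the DEMO-only trusted_certificates_test.jks is deliberately left out.

```yaml
# Added example, not part of the TrustLynx documentation.
# Kubernetes Deployment fragment for dmss-authentication-service. Documented
# paths and variables are kept; the Deployment, ConfigMap and Secret names and
# the LVRTC_CLIENT_SECRET variable name are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dmss-authentication-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dmss-authentication-service
  template:
    metadata:
      labels:
        app: dmss-authentication-service
    spec:
      containers:
        - name: dmss-authentication-service
          image: digitalmindss/dmss-authentication-service
          ports:
            - containerPort: 8089   # default HTTP port; Hazelcast's 5776 is not published
          env:
            - name: SPRING_PROFILES_ACTIVE
              value: "dev"
            - name: SPRING_CONFIG_LOCATION
              value: /appconf/application.yml
            # Credential referenced from application.yml as ${LVRTC_CLIENT_SECRET}
            # (assumed name) instead of being written into the file itself.
            - name: LVRTC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: dmss-auth-credentials
                  key: lvrtc-client-secret
          volumeMounts:
            - name: appconf            # application.yml and digidoc4j-custom.yml
              mountPath: /appconf
              readOnly: true
            # One subPath mount per keystore so the rest of /etc stays intact
            - name: keystores
              mountPath: /etc/mobid.jks
              subPath: mobid.jks
              readOnly: true
            - name: keystores
              mountPath: /etc/keystore.jks
              subPath: keystore.jks
              readOnly: true
            - name: keystores
              mountPath: /etc/ssl_tsl_truststore.p12
              subPath: ssl_tsl_truststore.p12
              readOnly: true
      volumes:
        - name: appconf
          configMap:
            name: dmss-auth-config
        - name: keystores
          secret:
            secretName: dmss-auth-keystores
```

With this layout the ConfigMap holds only non-secret configuration; if application.yml has to carry credentials that cannot be moved to `${ENV}` placeholders, store it in a Secret instead of a ConfigMap.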

Configure Default port

By default, the embedded server starts on port 8089.

If you need to change the default port, add the following section to application.yml:

server:
  port:

Configure DigiDoc4j

More info: https://github.com/open-eid/digidoc4j

Available settings, with their default values:

  • mode: PROD
  • file: classpath:digidoc4j-custom.yaml
  • preferAiaOcsp: true

If you need to change the default DigiDoc4j settings, add the following section to application.yml:

digidoc4j:
  configuration:
    mode:
    file:
    preferAiaOcsp:

Configure Hazelcast

Available settings:

  • expireInminutes: session data expiry time in minutes
  • members: list of cluster members
  • port: port of the current Hazelcast node
  • useMulticastConfig: whether the multicast auto-discovery mechanism is enabled
  • useTcpIpConfig: use TCP/IP addressing
  • kubernetes.enabled: Hazelcast Kubernetes configuration (enable Kubernetes-based member discovery)
  • kubernetes.service-dns: Hazelcast Kubernetes configuration (DNS name of the headless service used for member discovery)

By default, set values:

  • expireInminutes: 10
  • members: localhost:5776
  • port: 5776
  • useMulticastConfig: false
  • useTcpIpConfig: true
  • kubernetes.enabled: false
  • kubernetes.service-dns: dmss-authentication-headless.default.svc.cluster.local

If you need to change the default Hazelcast settings, add the following section to application.yml:

hazelcast:
  configuration:
    expireInminutes:
    members:
    port:
    useMulticastConfig:
    useTcpIpConfig:
    kubernetes:
      enabled:
      service-dns:
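Two filled-in forms of that section, as an added example that is not from the TrustLynx documentation: static TCP/IP membership for a fixed set of nodes, and Kubernetes discovery backed by the headless Service whose DNS name is the documented default. Assumptions: the hostnames auth-1 and auth-2 are constructed, the comma-separated members format is inferred from the single-entry default, and only one discovery mechanism (TCP/IP, multicast or Kubernetes) is assumed to be enabled at a time.

```yaml
# Added example, not part of the TrustLynx documentation.
# Form A (application.yml): static TCP/IP membership. Hostnames are constructed;
# the comma-separated members format is an assumption.
hazelcast:
  configuration:
    expireInminutes: 10
    port: 5776
    useMulticastConfig: false
    useTcpIpConfig: true
    members: auth-1:5776,auth-2:5776
    kubernetes:
      enabled: false
---
# Form B (application.yml): Kubernetes discovery. Only one mechanism is enabled;
# service-dns is the documented default, i.e. Service "dmss-authentication-headless"
# in namespace "default".
hazelcast:
  configuration:
    expireInminutes: 10
    port: 5776
    useMulticastConfig: false
    useTcpIpConfig: false
    kubernetes:
      enabled: true
      service-dns: dmss-authentication-headless.default.svc.cluster.local
---
# Headless Service manifest backing that DNS name: clusterIP: None makes the
# name resolve to every pod IP, which is what DNS-based discovery relies on.
apiVersion: v1
kind: Service
metadata:
  name: dmss-authentication-headless
  namespace: default
spec:
  clusterIP: None
  selector:
    app: dmss-authentication-service   # must match the pod labels
  ports:
    - name: hazelcast
      port: 5776
      targetPort: 5776
```

Forms A and B are alternatives for the same application.yml section, and the Service manifest is a separate file; the `---` separators only keep the three documents apart here. In every form the Hazelcast port 5776 stays reachable only inside the cluster network, matching the docker run example above, which publishes only 8089.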

Configure Smart-ID

Available settings:

  • hostUrl: Smart-ID service URL
  • relyingPartyUUID: the customer's unique relying party UUID, provided by SK or DM
  • relyingPartyName: the customer's relying party name; must be registered with SK
  • delay: delay before the Smart-ID app is opened, so that the user can see the control code in the mobile application
  • trustedCertificates: Smart-ID trusted certificates

By default, set values:

  • hostUrl: https://sid.demo.sk.ee/smart-id-rp/v2/
  • relyingPartyUUID: 00000000-0000-0000-0000-000000000000
  • relyingPartyName: DEMO
  • delay: 0
  • trustedCertificates: empty string

If you need to change the default Smart-ID settings, add the following section to application.yml:

smartId:
  hostUrl:
  relyingPartyUUID:
  relyingPartyName:
  delay:
  trustedCertificates:

Configure Mobile-ID

Available settings:

  • relyingPartyName: the customer's relying party name; must be registered with SK
  • hostUrl: Mobile-ID service URL; production URL https://mid.sk.ee/mid-api
  • relyingPartyUUID: the customer's unique relying party UUID, provided by SK or DM
  • displayText: default text shown on the phone with the PIN request
  • defaultCountry: default Mobile-ID account country; can be overridden by the authentication request
  • defaultLanguage: default Mobile-ID language; can be overridden by the authentication request

By default, set values:

  • relyingPartyName: DEMO
  • hostUrl: https://tsp.demo.sk.ee/mid-api
  • relyingPartyUUID: 00000000-0000-0000-0000-000000000000
  • displayText: TEST Allkirjasta dokument?
  • defaultCountry: EE
  • defaultLanguage: ENG

If you need to change the default Mobile-ID settings, add the following section to application.yml:

mobileId:
  relyingPartyName:
  hostUrl:
  relyingPartyUUID:
  displayText:
  defaultCountry:
  defaultLanguage:

Configure LVRTC ePM

More info: https://wiki.eparaksts.lv/display/SP/%28ENG%29+Integration+platform

Available settings:

  • authUri: OAuth URI
  • resourcesUri: resources address
  • clientId: client ID from the LVRTC contract
  • clientSecret: client secret from the LVRTC contract
  • redirectUri: redirect URI through which the internal proxy calls back into the DMSS authentication API
  • acrValues: interaction parameter:
    • mobile auth: urn:eparaksts:authentication:flow:mobileid
    • ID card auth: urn:eparaksts:authentication:flow:sc_plugin
  • scope: scope of the authentication data:
    • urn:lvrtc:fpeil:aa – for electronic identification
    • urn:lvrtc:fpeil:aa:age – for electronic identification with the age parameter (restricted access; contact LVRTC for more information)
  • locale: UI language: lv – Latvian; en – English; ru – Russian

By default, set values:

  • authUri: https://eidas.eparaksts.lv/trustedx-authserver/oauth/lvrtc-eips-as
  • resourcesUri: https://eidas.eparaksts.lv/trustedx-resources/openid/v1/users/me
  • clientId: digimind
  • clientSecret: MbK4X6drcyKrJy4Q
  • redirectUri: HTTP://AUTH_SERVICE_HOST/signing/lvrtc/signature
  • acrValues: urn:eparaksts:authentication:flow:mobileid
  • scope: urn:lvrtc:fpeil:aa
  • locale: lv

If you need to change the default LVRTC ePM settings, add the following section to application.yml:

lvrtc:
  authUri:
  resourcesUri:
  clientId:
  clientSecret:
  redirectUri:
  acrValues:
  scope:
  locale:

Configure EVROTRUST

Available settings:

  • hostUrl: Evrotrust endpoint
  • clientVendorNumber: provided by Evrotrust after the agreement is signed
  • clientApiKey: provided by Evrotrust after the agreement is signed
  • documentName: name of the document the client sees in the mobile application when authorizing
  • delay: authorization status polling interval: after the request is sent to the Evrotrust mobile app, the service asks for the authorization status every X seconds
  • ignoreValidationError: workaround parameter to ignore the signature validation error caused by a bad CA certificate
  • keystore: parameters of the SSL private/public key pair store used to encrypt/decrypt Evrotrust messages

By default, set values:

  • hostUrl: https://v.evrotrust.com/vendor/
  • clientVendorNumber: secret
  • clientApiKey: secret
  • documentName: Authorization
  • delay: 3000
  • ignoreValidationError: false
  • keystore:
    • file: classpath:evrotrust.jks
    • password: secret

If you need to change the default EVROTRUST settings, add the following section to application.yml:

evrotrust:
  hostUrl:
  clientVendorNumber:
  clientApiKey:
  documentName:
  delay:
  ignoreValidationError:
  keystore:
    file:
    password:
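A complete application.yml assembled from all the sections above, as an added example that is not from the TrustLynx documentation. Non-secret values are the documented defaults; every credential (client secrets, API keys, relying party identifiers, keystore password) is read from an environment variable through a Spring Boot `${VAR}` placeholder, so the file can be kept in version control without secrets. The variable names, and the AUTH_SERVICE_HOST placeholder in the redirect URI, are assumptions.

```yaml
# Added example, not part of the TrustLynx documentation.
# Non-secret values are the documented defaults; credentials come from
# environment variables via Spring Boot ${VAR} placeholders (names assumed).
server:
  port: 8089

digidoc4j:
  configuration:
    mode: PROD
    file: classpath:digidoc4j-custom.yaml
    preferAiaOcsp: true

hazelcast:
  configuration:
    expireInminutes: 10
    members: localhost:5776
    port: 5776
    useMulticastConfig: false
    useTcpIpConfig: true
    kubernetes:
      enabled: false
      service-dns: dmss-authentication-headless.default.svc.cluster.local

smartId:
  hostUrl: https://sid.demo.sk.ee/smart-id-rp/v2/   # demo endpoint; use the production URL from SK for PROD
  relyingPartyUUID: ${SMARTID_RP_UUID}              # the documented default is the DEMO UUID
  relyingPartyName: ${SMARTID_RP_NAME}
  delay: 0
  trustedCertificates: ""

mobileId:
  relyingPartyName: ${MID_RP_NAME}
  hostUrl: https://tsp.demo.sk.ee/mid-api           # demo; production URL is https://mid.sk.ee/mid-api
  relyingPartyUUID: ${MID_RP_UUID}
  displayText: "TEST Allkirjasta dokument?"
  defaultCountry: EE
  defaultLanguage: ENG

lvrtc:
  authUri: https://eidas.eparaksts.lv/trustedx-authserver/oauth/lvrtc-eips-as
  resourcesUri: https://eidas.eparaksts.lv/trustedx-resources/openid/v1/users/me
  clientId: ${LVRTC_CLIENT_ID}
  clientSecret: ${LVRTC_CLIENT_SECRET}              # never the literal value shown in the defaults list
  redirectUri: https://${AUTH_SERVICE_HOST}/signing/lvrtc/signature   # served over HTTPS; host assumed
  acrValues: urn:eparaksts:authentication:flow:mobileid
  scope: urn:lvrtc:fpeil:aa
  locale: lv

evrotrust:
  hostUrl: https://v.evrotrust.com/vendor/
  clientVendorNumber: ${EVROTRUST_VENDOR_NUMBER}
  clientApiKey: ${EVROTRUST_API_KEY}
  documentName: Authorization
  delay: 3000
  ignoreValidationError: false                      # keep false: true skips the CA-based signature check
  keystore:
    file: classpath:evrotrust.jks
    password: ${EVROTRUST_KEYSTORE_PASSWORD}
```

Pass the variables with `--env` on the docker run command line or, on Kubernetes, with `valueFrom.secretKeyRef` entries, and keep the demo hostUrl values only for the DEMO environment; the documented defaults for relyingPartyUUID and relyingPartyName are demo credentials and will not authenticate against the production SK services.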

Document Changelog

Version | Changes                        | Date       | Changed By
v1.0.0  | Initial version of User Manual | 22.04.2022 | Alexey Kodin