Additional authentication properties
To secure communications and manage access permissions, the Access Decision Service (ADS) offers a mechanism for authenticating with the Axiomatics Services Manager (ASM) or any other authorization server. ADS presents its client credentials to the authorization server to obtain a token, which it then uses when requesting a domain configuration file.
Authentication using an authorization server
To configure ADS to use an authorization server for authentication, add the property authHttpClientConfiguration to your deployment.yaml file and set the following nested properties:
Properties | Description |
---|---|
authHttpClientConfiguration | Determines that authentication will use an authorization server. |
├─clientId | A string that specifies the client's name, as set up in the authorization server, specifically the ADS instance name. |
├─clientSecret | A string that specifies the generated secret, linked to the client. It is generated by the authorization server once the clientId is set up. |
├─tokenUri | The specific endpoint (URL) on the authorization server from which ADS can request authentication tokens. |
└─timeout | The maximum time a connection may remain idle once established. The default is 500 milliseconds; the recommended starting value is 5 seconds (5000 milliseconds), written in the samples below as 5 seconds. |
Before adding these properties to the deployment configuration file, ensure the client is set up in the authorization server with the same clientId and clientSecret.
Axiomatics recommends using environment variables to protect sensitive information, such as clientSecret. This approach minimizes the risk of exposing credentials in configuration files or in version control.

```yaml
authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds
```
Authorization server configuration using environment variables
TLS options
To protect the connection between ADS and the authorization server, you can configure Transport Layer Security (TLS).
ADS supports two TLS modes: basic TLS, which uses only the keystore properties, and TLS with client certificate authentication, which adds the truststore properties.
- TLS
- TLS with client certificate
For basic TLS encryption without client certificate authentication, configure the following properties in the deployment.yaml:
Properties | Description |
---|---|
tls | Determines that TLS encryption will be used for authentication purposes. |
├─keyStorePath | Specifies the location of the keystore file that contains the client's private key and certificate. The path begins with file: indicating that it is a file system path, followed by the actual path to the keystore file (e.g., file:<path_to_file>/client.keystore ). The same keystore holds the client credentials used for TLS with client certificate authentication. |
├─keyStorePassword | The password used to access the keystore. Replace the default (changeit, shown in the samples) with a strong, unique password, and supply it through an environment variable like the other secrets rather than writing it into the file. |
└─keyStoreType | Indicates the format or type of the keystore, for example pkcs12. |
Example:

```yaml
authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
```
Authorization server configuration sample using basic TLS
For TLS encryption with client certificate authentication, which adds the truststore properties, configure the following properties in the deployment.yaml:
Properties | Description |
---|---|
tls | Determines that TLS encryption will be used for authentication purposes. |
├─keyStorePath | Specifies the location of the keystore file that contains the client's private key and certificate. The path begins with file: indicating that it is a file system path, followed by the actual path to the keystore file (e.g., file:<path_to_file>/client.keystore ). This keystore holds the client credentials that are presented during TLS client certificate authentication. |
├─keyStorePassword | The password used to access the keystore. Replace the default (changeit, shown in the samples) with a strong, unique password, preferably supplied through an environment variable. |
├─keyStoreType | Indicates the format or type of the keystore, for example pkcs12. |
├─trustStorePath | Specifies the file system path to the truststore file, which holds the certificates ADS trusts when verifying the server. The path begins with file: indicating that it is a file system path, followed by the actual path to the truststore file. For example, file:<path_to_file>/client.truststore . |
├─trustStorePassword | The password used to access the truststore. As with the keystore password, replace the default with a strong, unique value. |
└─trustStoreType | Indicates the format or type of the truststore, for example pkcs12. |
Example:

```yaml
authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
    trustStorePath: file:<path_to_file>/client.truststore
    trustStorePassword: changeit
    trustStoreType: pkcs12
```
Authorization server configuration using TLS with client certificate
Authentication using HTTP client
You can configure ADS to authenticate by sending user credentials when requesting domain configuration files from remote locations that support Basic Authentication. Because Basic Authentication transmits the credentials with every request, it should only be used over TLS (see the TLS options below).
To enable Basic Authentication for ADS using an HTTP client, add the httpClientConfiguration property in your deployment.yaml file with the following sub-properties:
Properties | Description |
---|---|
httpClientConfiguration | Enables ADS to use Basic Authentication using HTTP clients. |
├─domainUser | The username required for authentication with the remote server. |
├─domainPassword | The password associated with the domainUser . |
└─timeout | The maximum time a connection may remain idle once established. The default is 500 milliseconds; the recommended starting value is 5 seconds. |

```yaml
httpClientConfiguration:
  domainUser: ${HTTPCLIENT_USER}
  domainPassword: ${HTTPCLIENT_PASS}
  timeout: 5 seconds
```

HTTP client configuration sample
Axiomatics recommends using environment variables to protect sensitive information, such as domainUser and domainPassword. This approach minimizes the risk of exposing credentials in configuration files.
If ADS reads the domain configuration from a file on the local file system, the httpClientConfiguration property is not needed.
TLS options
To protect the connection when using HTTP client authentication, you can configure Transport Layer Security (TLS).
ADS supports the same two TLS modes as for the authorization server: basic TLS, which uses only the keystore properties, and TLS with client certificate authentication, which adds the truststore properties.
- TLS
- TLS with client certificate
For basic TLS encryption without client certificate authentication, configure the same TLS properties in the deployment.yaml as described in the TLS options section of Authentication using an authorization server.
Example:

```yaml
httpClientConfiguration:
  domainUser: ${HTTPCLIENT_USER}
  domainPassword: ${HTTPCLIENT_PASS}
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
```
HTTP client configuration sample using basic TLS
For TLS encryption with client certificate authentication, configure the same TLS properties (including the truststore properties) in the deployment.yaml as described in the TLS options section of Authentication using an authorization server.
Example:

```yaml
httpClientConfiguration:
  domainUser: ${HTTPCLIENT_USER}
  domainPassword: ${HTTPCLIENT_PASS}
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
    trustStorePath: file:<path_to_file>/client.truststore
    trustStorePassword: changeit
    trustStoreType: pkcs12
```
HTTP client configuration sample using TLS with client certificate
Authentication using an authorization server and HTTP client
When configuring ADS for secure communication and authentication with external services, you can set up both authHttpClientConfiguration and httpClientConfiguration, which are described individually above.
This allows ADS to interact with external services and endpoints that require different authentication methods.
When authHttpClientConfiguration is used concurrently with httpClientConfiguration, the latter must not include the domain-specific properties domainUser and domainPassword. This constraint avoids configuration conflicts and keeps a single, unambiguous authentication path for each service interaction.
Example:

```yaml
authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
httpClientConfiguration:
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
  # domainUser and domainPassword must not be included in concurrent configurations.
```
Configuration sample using concurrent configuration
Authentication using self-signed certificates
You can configure ADS to accept self-signed certificates. To enable this option, add the trustSelfSignedCertificates property within the tls section of your deployment.yaml file and set it to true.
This option is disabled by default. Axiomatics does not recommend using self-signed certificates for production environments, because trusting them disables the certificate chain validation that protects the connection against impersonation of the authorization server or configuration host.
You can configure self-signed certificates for both authentication using an authorization server and HTTP client authentication, as shown in the examples below:
For authorization server authentication (authHttpClientConfiguration):

```yaml
authHttpClientConfiguration:
  tls:
    trustSelfSignedCertificates: true
```

This configuration enables ADS to trust self-signed certificates when authenticating with an authorization server, which is useful for internal testing or development scenarios.
For HTTP client authentication (httpClientConfiguration):

```yaml
httpClientConfiguration:
  tls:
    trustSelfSignedCertificates: true
```

Similar to the authorization server configuration, this setting allows ADS to accept self-signed certificates for HTTP client communications.
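The constraints on this page (secrets supplied via environment variables rather than literals, the default keystore password replaced, no domainUser/domainPassword when both authHttpClientConfiguration and httpClientConfiguration are present, and trustSelfSignedCertificates left disabled in production) are easy to get wrong by hand. The following script is an added example, not Axiomatics code, that lints a deployment.yaml fragment for those rules before it is deployed. It uses a deliberately minimal indentation-based parser for the key: value subset of YAML used in the samples (no PyYAML dependency), and the sample fragments, the environment dictionary and the ADS_KEYSTORE_PASSWORD / ADS_TRUSTSTORE_PASSWORD variable names are constructed for the example.

```python
"""Lint the authentication section of an ADS deployment.yaml.
Added example (not Axiomatics code). Sample configs and env are constructed."""
import re

PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
# Values that must never appear as literals in the file.
SECRET_KEYS = {"clientSecret", "domainUser", "domainPassword",
               "keyStorePassword", "trustStorePassword"}


def parse_yaml_subset(text):
    """Parse nested 'key: value' mappings by indentation.
    Minimal on purpose: no lists, anchors or multi-line scalars, and
    anything after '#' is treated as a comment (values here contain no '#')."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # first ':' only, so URLs survive
        value = value.strip()
        while len(stack) > 1 and indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lint(config, env, profile="production"):
    """Return a list of findings; an empty list means the fragment passes.
    `env` stands in for os.environ so the check runs offline."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            here = path + [key]
            if isinstance(value, dict):
                walk(value, here)
                continue
            dotted = ".".join(here)
            m = PLACEHOLDER.match(value)
            if key in SECRET_KEYS:
                if not m:
                    findings.append(f"{dotted}: literal credential in file; use ${{ENV_VAR}}")
                elif m.group(1) not in env:
                    findings.append(f"{dotted}: ${{{m.group(1)}}} is not set in the environment")
            if key in ("keyStorePassword", "trustStorePassword"):
                resolved = env.get(m.group(1)) if m else value
                if resolved == "changeit":
                    findings.append(f"{dotted}: default password 'changeit' must be replaced")
            if (key == "trustSelfSignedCertificates" and value.lower() == "true"
                    and profile == "production"):
                findings.append(f"{dotted}: self-signed certificates are not recommended in production")

    walk(config, [])
    auth = config.get("authHttpClientConfiguration")
    http = config.get("httpClientConfiguration")
    if isinstance(auth, dict) and isinstance(http, dict):  # concurrent configuration
        for key in ("domainUser", "domainPassword"):
            if key in http:
                findings.append(f"httpClientConfiguration.{key}: not allowed when "
                                "authHttpClientConfiguration is also set")
    return findings


# Constructed sample: every rule on the page violated at least once.
WEAK_CONFIG = """\
authHttpClientConfiguration:
  clientId: ads-instance-1
  clientSecret: s3cr3t-in-plaintext
  tokenUri: https://asm.example.internal/oauth/token
  timeout: 5 seconds
httpClientConfiguration:
  domainUser: ${HTTPCLIENT_USER}
  timeout: 5 seconds
  tls:
    keyStorePath: file:/etc/ads/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
    trustSelfSignedCertificates: true
"""

# Constructed sample: the corrected form of the same deployment.
HARDENED_CONFIG = """\
authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds
httpClientConfiguration:
  timeout: 5 seconds
  tls:
    keyStorePath: file:/etc/ads/client.keystore
    keyStorePassword: ${ADS_KEYSTORE_PASSWORD}
    keyStoreType: pkcs12
    trustStorePath: file:/etc/ads/client.truststore
    trustStorePassword: ${ADS_TRUSTSTORE_PASSWORD}
    trustStoreType: pkcs12
"""

ENV = {  # constructed stand-in for the process environment; HTTPCLIENT_USER deliberately absent
    "AUTH_SERVER_CLIENT_ID": "ads-instance-1",
    "AUTH_SERVER_CLIENT_SECRET": "example-client-secret",
    "AUTH_SERVER_TOKEN_URI": "https://asm.example.internal/oauth/token",
    "ADS_KEYSTORE_PASSWORD": "example-keystore-password",
    "ADS_TRUSTSTORE_PASSWORD": "example-truststore-password",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(parse_yaml_subset(cfg), ENV) or ["OK"])
```

Run it against the real deployment.yaml with os.environ in place of ENV as a pre-deployment gate; passing profile="development" suppresses only the self-signed certificate finding, so the credential and concurrency rules still apply in test environments.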