Version: 1.17

Additional authentication properties

To secure communications and manage access permissions, the Access Decision Service (ADS) offers a mechanism for authenticating with the Axiomatics Services Manager (ASM) or any other authorization server. This authentication process involves sending client credentials to request a domain configuration file from an authorization server.

Authentication using an authorization server

To configure ADS to use an authorization server for authentication, you must add the property authHttpClientConfiguration to your deployment.yaml file and set the following nested properties:

Property and description:

authHttpClientConfiguration
    Determines that authentication will use an authorization server.
├─ clientId
    A string that specifies the client's name as set up in the authorization server, specifically the ADS instance name.
├─ clientSecret
    A string that specifies the generated secret linked to the client. It is generated by the authorization server once the clientId is set up.
├─ tokenUri
    The specific endpoint (URL) on the authorization server from which ADS can request authentication tokens.
└─ timeout
    Specifies the maximum time, in milliseconds, a connection can remain idle once established. The recommended starting value is 5000 (5 seconds), while the default is 500.

Note

Before adding these properties to the deployment configuration file, ensure they are properly set up in the authorization server.

Important

Axiomatics recommends using environmental variables to protect sensitive information, such as clientSecret. This approach minimizes the risk of exposing critical data in configuration files.

authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds

Authorization server configuration using environment variables

TLS options

To enhance the security of your ADS configuration when communicating with any authorization server, you can incorporate Transport Layer Security (TLS).

ADS can be configured with either basic TLS using a KeyStore or TLS with client certificate authentication.

For basic TLS encryption without client certificate authentication, you need to configure the following properties in the deployment.yaml:

Property and description:

tls
    Determines that TLS encryption will be used for authentication purposes.
├─ keyStorePath
    Specifies the location of the keystore file that contains the client's private key and certificate. The path begins with file:, indicating that it is a file system path, followed by the actual path to the keystore file (e.g., <path_to_file>/client.keystore). This keystore is used for storing the client's credentials, which are necessary for TLS with client certificate authentication.
├─ keyStorePassword
    The password used to access the keystore. It is strongly recommended to replace the default with a secure and unique password.
└─ keyStoreType
    Indicates the format or type of the keystore.

Example:

authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12

Authorization server configuration sample using basic TLS

Authentication using HTTP client

You can configure ADS to authenticate securely by sending user credentials when requesting domain configuration files from remote locations that support Basic Authentication.

To enable Basic Authentication for ADS using an HTTP client, you need to add the httpClientConfiguration property in your deployment.yaml file with the following sub-properties:

Property and description:

httpClientConfiguration
    Enables ADS to use Basic Authentication using HTTP clients.
├─ domainUser
    The username required for authentication with the remote server.
├─ domainPassword
    The password associated with the domainUser.
└─ timeout
    Specifies the maximum idle time for a connection once established. The recommended starting value is 5 seconds. The default value is 500 milliseconds.

httpClientConfiguration:
  domainUser: ${HTTPCLIENT_USER}
  domainPassword: ${HTTPCLIENT_PASS}
  timeout: 5 seconds

HTTP client configuration sample

Important

Axiomatics recommends using environmental variables to protect sensitive information, such as domainUser and domainPassword. This approach minimizes the risk of exposing critical data in configuration files.

Info

If you want ADS to read the domain configuration from a file on the local file system, then the httpClientConfiguration property is not needed.

TLS options

To enhance the security of your ADS configuration when using HTTP client authentication, you can incorporate Transport Layer Security (TLS).

ADS can be configured with either basic TLS using a KeyStore or TLS with client certificate authentication.

For basic TLS encryption without client certificate authentication, you need to configure the same TLS properties in the deployment.yaml as described in the respective TLS options section of Authentication using an authorization server.

Example:

deployment.yaml

httpClientConfiguration:
  domainUser: ${HTTPCLIENT_USER}
  domainPassword: ${HTTPCLIENT_PASS}
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12

HTTP client configuration sample using basic TLS

Authentication using an authorization server and HTTP client

When configuring ADS for secure communication and authentication with external services, it's possible to set up both authHttpClientConfiguration and httpClientConfiguration which are described individually above.

This approach enables ADS to seamlessly interact with various external services and endpoints, each possibly requiring different authentication methods.

Important

When authHttpClientConfiguration is used concurrently with httpClientConfiguration, the latter must not include any domain-specific properties (domainUser, domainPassword). This constraint is essential to avoid configuration conflicts and ensure clear authentication pathways for each service interaction.

Example:

authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
httpClientConfiguration:
  # domainUser and domainPassword should not be included in concurrent configurations.
  timeout: 5 seconds
  tls:
    keyStorePath: file:<path_to_file>/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12

Configuration sample using concurrent configuration

Authentication using self-signed certificates

You can configure ADS to accept self-signed certificates. To enable this option, add the trustSelfSignedCertificates property within the TLS configuration section of your deployment.yaml file and set it to true.

Important

This option is disabled by default. Axiomatics does not recommend using self-signed certificates for production environments.

You can configure self-signed certificates for both authorization server authentication and HTTP client authentication, as shown in the examples below:

For authorization server authentication (authHttpClientConfiguration):

authHttpClientConfiguration:
  tls:
    trustSelfSignedCertificates: true

This configuration enables ADS to trust self-signed certificates when authenticating with an authorization server, useful for internal testing or development scenarios.

For HTTP client authentication (httpClientConfiguration):

httpClientConfiguration:
  tls:
    trustSelfSignedCertificates: true

Similar to the authorization server configuration, this setting allows ADS to accept self-signed certificates for basic HTTP client communications.
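The recommendations on this page (keep clientSecret, domainPassword and keyStorePassword in environment variables, leave domainUser and domainPassword out of httpClientConfiguration when authHttpClientConfiguration is also present, replace the default keystore password, and keep trustSelfSignedCertificates disabled for production) are easy to check mechanically before a deployment.yaml is rolled out. The following linter is an added example and is not Axiomatics code; it assumes the property names documented above, parses only the YAML subset these samples use (indentation-nested key: value mappings, no lists), and uses a constructed sample configuration and a constructed environment map rather than a real deployment.

```python
"""Lint the authentication section of an ADS deployment.yaml.

Added example, not Axiomatics code. Assumes the property names documented on
this page and a YAML subset of nested `key: value` mappings (no lists).
"""
import re

PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
SECRET_KEYS = {"clientSecret", "domainPassword", "keyStorePassword"}


def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` mappings into dicts (comments dropped)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open parents
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close parents at deeper or equal indent
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _walk(section, path, environ, production, findings):
    """Check secret-bearing and TLS trust keys at every nesting level."""
    for key, value in section.items():
        here = f"{path}.{key}"
        if isinstance(value, dict):
            _walk(value, here, environ, production, findings)
            continue
        if key in SECRET_KEYS:
            match = PLACEHOLDER.match(value)
            if match is None:
                findings.append(("LITERAL_SECRET", here))  # secret written into the file
                if key == "keyStorePassword" and value == "changeit":
                    findings.append(("DEFAULT_KEYSTORE_PASSWORD", here))
            elif match.group(1) not in environ:
                findings.append(("UNSET_ENV", here))  # placeholder would not resolve
        if key == "trustSelfSignedCertificates" and value.lower() == "true" and production:
            findings.append(("SELF_SIGNED_TRUSTED", here))


def lint_auth_config(config, environ, production=True):
    """Return (code, path) findings for the two client configuration sections."""
    findings = []
    auth = config.get("authHttpClientConfiguration")
    http = config.get("httpClientConfiguration")
    for name, section in (("authHttpClientConfiguration", auth), ("httpClientConfiguration", http)):
        if isinstance(section, dict):
            _walk(section, name, environ, production, findings)
    if isinstance(auth, dict) and isinstance(http, dict):
        # Concurrent use: httpClientConfiguration must carry no domain credentials.
        for key in ("domainUser", "domainPassword"):
            if key in http:
                findings.append(("CONCURRENT_DOMAIN_CREDENTIAL", f"httpClientConfiguration.{key}"))
    return findings


def lint_yaml_text(text, environ, production=True):
    """Parse and lint in one step; environ is any mapping of variable names to values."""
    return lint_auth_config(parse_simple_yaml(text), environ, production)


# Constructed sample that violates several of the page's recommendations.
SAMPLE_YAML = """\
authHttpClientConfiguration:
  clientId: ${AUTH_SERVER_CLIENT_ID}
  clientSecret: ${AUTH_SERVER_CLIENT_SECRET}
  tokenUri: ${AUTH_SERVER_TOKEN_URI}
  timeout: 5 seconds
httpClientConfiguration:
  domainUser: svc-ads            # constructed value
  domainPassword: ${HTTPCLIENT_PASS}
  timeout: 5 seconds
  tls:
    keyStorePath: file:/etc/ads/client.keystore
    keyStorePassword: changeit
    keyStoreType: pkcs12
    trustSelfSignedCertificates: true
"""
# Constructed environment: two placeholders deliberately left unset.
SAMPLE_ENV = {"AUTH_SERVER_CLIENT_ID": "ads-prod", "AUTH_SERVER_TOKEN_URI": "https://asm.example/token"}

if __name__ == "__main__":
    # Pass dict(os.environ) instead of SAMPLE_ENV to check a real host.
    for code, path in lint_yaml_text(SAMPLE_YAML, SAMPLE_ENV):
        print(f"{code:28} {path}")
```

Run against the constructed sample, the linter reports seven findings: the two unresolved placeholders, the literal default keystore password (twice, once as a literal secret and once as the known default), the enabled self-signed trust, and the two domain credentials that must not appear alongside authHttpClientConfiguration. With production=False the self-signed finding is suppressed, matching the page's allowance for internal testing or development.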