Login via OpenID Connect
Besides the default authentication via user name and password, Bearer authentication is supported via an OpenID Connect ID token. After successful validation, the archive operations are performed as the authenticated user.
In addition to mandatory checking of signature, issuer, and expiration date, application dependent claims can be defined for this validation.
Configuration
Configuring the identity provider
The public JSON Web Key Sets (JWKS) of the identity provider (IDP) used are required for checking the signature.
The key sets are determined via the JSON Discovery site of the IDP; they must be provided in a file with the name jwks.json in the configuration directory of the Embedded EBIS.
The jwks.json file must have the following format:
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "5Of9P5F9gCCwCmF2BOHHxDDQ-Dk",
      "x5t": "5Of9P5F9gCCwCmF2BOHHxDDQ-Dk",
      "n": "2y6laZzXOPwGpMOhh0RcZq-Cng12HRv4EHT_Y6w5WOuNWZxzGFjF77qfTKtp_izFIGlr0IwJnbJsDqmTfAXdDMsfRXpWE6DZ6D0s49coNgu... ",
      "e": "AQAB",
      "x5c": [ "MIIDBTCCAe2gAwIBAgIQNmD9my1yu4hPh6X2ySAQMjANBgkqhkiG9w0..." ],
      "issuer": "https://login.microsoftonline.com/17b60ed2-1278-4060-a67a-639d78a224ac/v2.0"
    },
    { ... }
  ]
}
With Microsoft, the issuer is part of the JSON Web Key Sets, whereas it is not with Google. Since the entry is essential for validation, in that case you have to add it yourself.
Configuring Bearer authentication
Bearer authentication configuration is performed via the configuration file bearer.properties in the configuration directory of Embedded EBIS.
The bearer.properties file must have the following format:
{
  "trusted-settings": {
    "username": "adaptive_user",
    "password": "{crypted}ghubDmM0Iz4="
  },
  "functional-settings": {
    "claim_username": "name",
    "family_name": "family_name",
    "given_name": "given_name"
  },
  "claim-settings": {
    "claims": [ "aud" ],
    "aud": [ "3daf1726-0dd7-4a15-98c8-e212a5d0fde1", "89af029a-e9e6-4e67-97f1-bf99d6508492" ]
  }
}
The configuration file is composed of three areas:
- The trusted-settings area
  An archive user must be entered here who can perform the technical logon to the archive system. For that user, the general property Foreign system account must be enabled.
  You need to enter the user password in plain text for configuration. It will be encrypted automatically when first used by the Content Web Service.
- The functional-settings area
  This area configures the claims of the ID token from which the name of the external user is determined.
  The claim_username entry must be defined; it names the claim within the ID token that carries the user name. The family_name and given_name entries are optional; they are used to build the user's display name.
  If family_name is not defined, the user name is used as the display name, and a possibly configured value for given_name is ignored.
- The claim-settings area
  In the claim-settings area, you define the claims to be checked in addition to the issuer claim.
  The claims to be checked are listed in the claims entry. For each claim name listed there, a non-empty list of permitted values must be entered under that name as the key.
Configuration mode
The configuration files jwks.json and bearer.properties are read once when starting the archive system.
During a configuration phase, sending the HTTP header Configuration-Mode with the value 1 causes the files to be read again on each request instead.
Error messages
List of the error messages that can occur during operation:
| Error message | Cause / Meaning |
|---|---|
| The authentication method 'Bearer' is not configured. | The JSON Web Key Set of the identity provider is not available. The jwks.json file is not located in the configuration directory. |
'Bearer' authentication method: Token validation has failed. (Invalid id token, invalid claim 'aud') | The claim contained in the ID token does not match any of the configured claims. |
'Bearer' authentication method: Token validation has failed. (Invalid claim configuration, no values for claim '<X>') | The <X> claim is announced in the claims entry in the claim-settings area; however, a list of available values is not stored. |
'Bearer' authentication method: The lifetime of the token has expired. | The ID token passed in has reached its expiration date. |
'Bearer' authentication method: The user name cannot be determined from the ID token. | No value is defined for claim_username in the functional-settings area. The ID token does not contain the claim specified for claim_username. |
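The following is an added example illustrating the bearer.properties checks and the error messages above; it is not part of this documentation and not the EBIS product's own code. It assumes that the ID token's RS256 signature has already been verified with a JWT library against the key selected by kid from jwks.json (that step is not shown) and works on the decoded payload: it checks the issuer against the issuer entries of the key set, the expiration date, the claim-settings area (including the "no values for claim" misconfiguration) and the aud claim as either a string or a list, then derives user name and display name from the functional-settings area. The constants, function names, the "given family" order of the display name and the wording of the issuer error are assumptions; the other messages follow the table.

```python
import json
import time

# Constructed jwks.json content for this example; the key material is a placeholder,
# not a real key. In a deployment the file is built from the IDP's discovery document.
JWKS_TEXT = json.dumps({
    "keys": [{
        "kty": "RSA", "use": "sig", "kid": "example-kid",
        "n": "PLACEHOLDER-MODULUS", "e": "AQAB",
        "issuer": "https://idp.example.test/v2.0",  # must be present for every key
    }]
})

# Constructed bearer.properties content following the three areas described above.
BEARER_TEXT = json.dumps({
    "trusted-settings": {"username": "adaptive_user", "password": "plain-text-until-first-use"},
    "functional-settings": {"claim_username": "name",
                            "family_name": "family_name", "given_name": "given_name"},
    "claim-settings": {"claims": ["aud"], "aud": ["client-id-1", "client-id-2"]},
})

# Constructed misconfiguration: 'aud' is announced in 'claims' but has no value list.
BEARER_TEXT_MISCONFIGURED = json.dumps({
    "trusted-settings": {"username": "adaptive_user", "password": "plain-text-until-first-use"},
    "functional-settings": {"claim_username": "name"},
    "claim-settings": {"claims": ["aud"]},
})

PREFIX = "'Bearer' authentication method: "


class TokenError(Exception):
    """Carries a message modelled on the error messages listed in this document."""


def load_jwks(text):
    """Parse jwks.json; a missing file maps to the 'not configured' error."""
    if text is None:
        raise TokenError("The authentication method 'Bearer' is not configured.")
    return json.loads(text)


def trusted_issuers(jwks):
    """Issuer values of the key set; Google key sets lack the entry, so it has to be added by hand."""
    issuers = {key.get("issuer") for key in jwks["keys"]}
    if None in issuers:
        raise TokenError(PREFIX + "Token validation has failed. (Invalid key configuration, key without issuer)")
    return issuers


def check_claim_config(claim_settings):
    """Every name in 'claims' needs a non-empty list of permitted values stored under that name."""
    for name in claim_settings.get("claims", []):
        values = claim_settings.get(name)
        if not isinstance(values, list) or not values:
            raise TokenError(PREFIX + "Token validation has failed. "
                             f"(Invalid claim configuration, no values for claim '{name}')")


def check_payload(payload, jwks, claim_settings, now):
    """Issuer, expiration and configured claims, applied to an already signature-verified payload."""
    if payload.get("iss") not in trusted_issuers(jwks):
        raise TokenError(PREFIX + "Token validation has failed. (Invalid id token, invalid claim 'iss')")
    if payload.get("exp", 0) <= now:
        raise TokenError(PREFIX + "The lifetime of the token has expired.")
    check_claim_config(claim_settings)
    for name in claim_settings["claims"]:
        present = payload.get(name)
        present = present if isinstance(present, list) else [present]  # 'aud' may be a string or a list
        if not any(value in claim_settings[name] for value in present):
            raise TokenError(PREFIX + f"Token validation has failed. (Invalid id token, invalid claim '{name}')")


def resolve_user(payload, functional):
    """User name and display name according to the functional-settings rules."""
    username_claim = functional.get("claim_username")
    username = payload.get(username_claim) if username_claim else None
    if not username:
        raise TokenError(PREFIX + "The user name cannot be determined from the ID token.")
    family_claim = functional.get("family_name")
    family = payload.get(family_claim) if family_claim else None
    if not family:
        return username, username  # no family name: user name is the display name, given_name ignored
    given_claim = functional.get("given_name")
    given = payload.get(given_claim) if given_claim else None
    display = f"{given} {family}" if given else family  # "given family" order is an assumption
    return username, display


def authenticate(payload, jwks_text=JWKS_TEXT, bearer_text=BEARER_TEXT, now=None):
    """Full check: returns {'user': ..., 'display': ...} or {'error': message}."""
    now = time.time() if now is None else now
    try:
        jwks = load_jwks(jwks_text)
        props = json.loads(bearer_text)
        check_payload(payload, jwks, props["claim-settings"], now)
        username, display = resolve_user(payload, props["functional-settings"])
        return {"user": username, "display": display}
    except TokenError as err:
        return {"error": str(err)}


if __name__ == "__main__":
    token = {"iss": "https://idp.example.test/v2.0", "exp": 2000, "aud": "client-id-1",
             "name": "jdoe", "family_name": "Doe", "given_name": "Jane"}
    print(authenticate(token, now=1000))
```

Because a JWT library rejects a bad signature before any of these checks run, the order here mirrors the order in which the error messages of the table can actually be reached: the missing key set first, then issuer and lifetime, then the configured claims, and only then the user name lookup.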