diff --git a/docs/Basic-Definitions.md b/docs/Basic-Definitions.md index a3e2f03a5..833e9dd38 100644 --- a/docs/Basic-Definitions.md +++ b/docs/Basic-Definitions.md @@ -174,7 +174,7 @@ Each organization may use different user identifiers and authenticate against di Each step has an associated authentication method which performs either authentication or authorization during the operation. -See chapter [Configuring Next Step Definitions](./Configuring-Next-Step-Definitions.md) for more details. +See chapter [Configuring Next Step](Configuring-Next-Step.md) for more details. ### Authentication method choice @@ -196,7 +196,7 @@ Each operation consists of multiple steps. The next step of the operation is dec Before starting Next Step Server the next step definition has to be defined for all operation names. All steps are defined in database table `ns_step_definition`. -See chapter [Configuring Next Step Definitions](./Configuring-Next-Step-Definitions.md) for more details. +See chapter [Configuring Next Step](Configuring-Next-Step.md) for more details. ### Next step user preferences diff --git a/docs/Compilation,-Packaging-and-Deployment.md b/docs/Compilation,-Packaging-and-Deployment.md index feec8e066..004e20602 100644 --- a/docs/Compilation,-Packaging-and-Deployment.md +++ b/docs/Compilation,-Packaging-and-Deployment.md @@ -27,13 +27,15 @@ Web Flow can be built using [the parent pom.xml file](../pom.xml) of project [po Once you create a war package using steps above and set up database for Web Flow, you can deploy the war files to any Java web container, such as Tomcat or any Java EE server. You can remove the version from the war file for a nicer target URL in the container (e.g. rename powerauth-webflow-0.0.xx-SNAPSHOT.war to powerauth-webflow.war). After deployment, the client application frontend should be available at http[s]://host:port/powerauth-webflow-client. The following war files need to be deployed for a fully functional demo of Web Flow: -* powerauth-webflow.war - the main Web Flow application -* powerauth-nextstep.war - the Next Step service -* powerauth-data-adapter.war - a Data Adapter for communication with client backends -* powerauth-webflow-client.war - demo client application +* `powerauth-webflow.war` - the main Web Flow application +* `powerauth-nextstep.war` - the Next Step service +* `powerauth-data-adapter.war` - a Data Adapter for communication with client backends +* `powerauth-webflow-client.war` - demo client application The whole installation process is described in the [Web Flow Installation Manual](./Web-Flow-Installation-Manual.md). +In case you want to use the Third Party Provider engine functionality, deploy the `powerauth-tpp-engine.war` file, too. + ## Testing Web Flow You can test the web flow demo application by navigating to: http://localhost:8080/powerauth-webflow-client diff --git a/docs/Components.md b/docs/Components.md index a06cc80ba..cfc4bf57c 100644 --- a/docs/Components.md +++ b/docs/Components.md @@ -3,6 +3,7 @@ Web Flow consists of following compoments: - [Web Flow Server](#web-flow-server) - [Next Step Server](#next-step-server) +- [TPP Engine](#tpp-engine) - [Data Adapter](#data-adapter) - [Mobile Token](#mobile-token) - [PowerAuth Server](#powerauth-server) @@ -24,7 +25,7 @@ Web Flow Server consists of following parts: - This application is written in ReactJS and it communicates with the backend using [REST API](./Web-Flow-REST-API-Reference.md) and [Web Sockets](./Web-Socket-Communication-Protocol.md). - **Backend services** - REST services which respond to requests from the frontend application and communicate with other components. - The logic of resolving next step in the operation is handled by the Next Step server, so the Web Flow Backend offloads all such decisions to the Next Step server. Handling of operation updates is done by Next Step, too. - - Data Adapter is used to retrieve data from remote backends such as information about the user as well as trigger actions such as sending the authorization SMS with OTP. + - Data Adapter is used to retrieve data from remote backends such as information about the user and provides integration with any services required for completing the authentication flow. - Mobile Token interacts with Web Flow backend services to obtain information about current operation (retrieved from Next Step Server), signature verification (processed through PowerAuth Server) and push message delivery (requests sent to PowerAuth Push Server). ## Next Step Server @@ -41,29 +42,44 @@ Based on Next Step response either of the following actions happens in Web Flow: - the authentication process is completed with a redirect - an error is shown followed by a redirect with error details +The Next Step server provides also credential and OTP authentication services and services for managing user identities. + ## Data Adapter Data Adapter connects Web Flow to other backends and serves as an integration component. Data Adapter handles following use cases: -* Lookup user ID for given username. -* User authentication with remote backend based on provided credentials for form based authentication step. -* Retrieve user details for given user ID such as firstname and surname. -* Retrieve data for given user and decorate operation data (e.g. bank account names, balances, currencies, etc.). -* Notify backend about form data changes, e.g. when user fills in some data in Web Flow frontend. -* Notify backend about operation status changes: finished operation, failed operation and canceled operation. -* Send authorization SMS messages with OTP code -- message text is prepared and localized, however SMS message needs to be sent by the remote backend. -* Verify authorization SMS code specified by the user. -* Decide whether consent step should be displayed for given operation context. -* Prepare consent form text and options. -* Verify consent form options selected by the user. -* Save consent form options selected by the user. -* Verify authorization SMS code and user password. -* Execute an anti-fraud system (AFS) action and react on response from AFS. +- convert username to user ID in case such conversion is required +- perform user authentication against remote backend based on provided credentials +- retrieve user details for given user ID +- initialize an authentication method and set its parameters, e.g. client certificate configuration +- decorate form data for given user (e.g. add user bank account list) +- form data change notification +- create an implicit login operation automatically on authentication start +- map a complex operation into smaller operations and configure PowerAuth operation template +- operation status change notification +- generate OTP authorization code and send authorization SMS +- send authorization SMS with previously generated OTP authorization code +- verify OTP authorization code from SMS +- authenticate user using user ID, password and OTP authorization code +- verify a client TLS certificate +- initialize OAuth 2.0 consent form +- create OAuth 2.0 consent form +- validate OAuth 2.0 consent form options +- save OAuth 2.0 consent form options +- execute an anti-fraud system (AFS) action and react on response from AFS For more information see the [Web Flow customization project](https://github.com/wultra/powerauth-webflow-customization) +## TPP Engine + +Third Party Provider (TPP) Engine implements following functionality: +- third party provider registry +- storage of OAuth 2.0 consents + +TPP Engine is available as a separate application and its deployment is optional. + ## Mobile Token Mobile Token is a standalone mobile application which allows user to confirm authentication, or authorization operations, created on Next Step Server. Operations are typically accessed via REST API published by Web Flow Server. diff --git a/docs/Configuring-Next-Step-Definitions.md b/docs/Configuring-Next-Step.md similarity index 51% rename from docs/Configuring-Next-Step-Definitions.md rename to docs/Configuring-Next-Step.md index efe6d813b..f53676958 100644 --- a/docs/Configuring-Next-Step-Definitions.md +++ b/docs/Configuring-Next-Step.md @@ -1,8 +1,8 @@ -# Configuring NextStep Definitions +# Configuring Next Step During Web Flow deployment authentication methods and next step definitions need to be customized. The customization is currently done using SQL. -## Configuration of authentication methods +## Configuration of Authentication Methods Following authentication methods are available: - `INIT` - operation initialization, executed automatically when operation is started @@ -13,6 +13,7 @@ Following authentication methods are available: - `SMS_KEY` - user authorizes the operation using SMS message with OTP - `APPROVAL_SCA` - operation approval with either mobile token or SMS and password supporting strong customer authentication - `CONSENT` - OAuth 2.0 consent form with options to approve by the user +- `OTP_CODE` - a generic OTP code authentication method which may be delivered by other channel than SMS The following parameters can be configured: - `auth_method` - authentication method name @@ -45,9 +46,12 @@ VALUES ('SMS_KEY', 6, 0, NULL, NULL, 1, 5, 1, 0, 'method.smsKey'); INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) VALUES ('CONSENT', 7, 0, NULL, NULL, 1, 5, 1, 0, 'method.consent'); INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) -VALUES ('LOGIN_SCA', 8, FALSE, NULL, NULL, 1, 5, 1, 1, 'method.loginSca'); +VALUES ('LOGIN_SCA', 8, 0, NULL, NULL, 1, 5, 1, 1, 'method.loginSca'); INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) -VALUES ('APPROVAL_SCA', 9, FALSE, NULL, NULL, 1, 5, 1, 1, 'method.approvalSca'); +VALUES ('APPROVAL_SCA', 9, 0, NULL, NULL, 1, 5, 1, 1, 'method.approvalSca'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('OTP_CODE', 10, 0, NULL, NULL, 1, 3, 1, 0, 'method.otpCode'); + ``` MySQL: @@ -70,9 +74,221 @@ INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_pr VALUES ('LOGIN_SCA', 8, FALSE, NULL, NULL, TRUE, 5, TRUE, TRUE, 'method.loginSca'); INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) VALUES ('APPROVAL_SCA', 9, FALSE, NULL, NULL, TRUE, 5, TRUE, TRUE, 'method.approvalSca'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('OTP_CODE', 10, FALSE, NULL, NULL, TRUE, 3, TRUE, FALSE, 'method.otpCode'); +``` + +PostgreSQL: +```sql +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('INIT', 1, FALSE, NULL, NULL, FALSE, NULL, FALSE, FALSE, NULL); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('USER_ID_ASSIGN', 2, FALSE, NULL, NULL, FALSE, NULL, FALSE, FALSE, NULL); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('USERNAME_PASSWORD_AUTH', 3, FALSE, NULL, NULL, TRUE, 5, TRUE, FALSE, 'method.usernamePassword'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('SHOW_OPERATION_DETAIL', 4, FALSE, NULL, NULL, FALSE, NULL, TRUE, FALSE, 'method.showOperationDetail'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('POWERAUTH_TOKEN', 5, TRUE, 1, FALSE, TRUE, 5, TRUE, TRUE, 'method.powerauthToken'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('SMS_KEY', 6, FALSE, NULL, NULL, TRUE, 5, TRUE, FALSE, 'method.smsKey'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('CONSENT', 7, FALSE, NULL, NULL, TRUE, 5, TRUE, FALSE, 'method.consent'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('LOGIN_SCA', 8, FALSE, NULL, NULL, TRUE, 5, TRUE, TRUE, 'method.loginSca'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('APPROVAL_SCA', 9, FALSE, NULL, NULL, TRUE, 5, TRUE, TRUE, 'method.approvalSca'); +INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key) +VALUES ('OTP_CODE', 10, FALSE, NULL, NULL, TRUE, 3, TRUE, FALSE, 'method.otpCode'); +``` + +## Organization Configuration + +Next Step requires at least one organization configured. The default configuration is following: + +Oracle: +```sql +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('DEFAULT', null, 1, 1); +``` + +MySQL: +```sql +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('DEFAULT', null, TRUE, 1); +``` + +The default configuration assigns the `DEFAULT` organization to all operations. You can define multiple organizations to support +authentication for multiple segments which can have overlapping user IDs, e.g.: + +Oracle: +```sql +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('RETAIL', 'organization.retail', 1, 1); +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('SME', 'organization.sme', 0, 2); +``` + +MySQL: +```sql +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('RETAIL', 'organization.retail', TRUE, 1); +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('SME', 'organization.sme', FALSE, 2); +``` + +Such configuration defines two organizations `RETAIL` and `SME`. The user sees two tabs when authenticating with localized labels +based on keys `organization.retail` and `organization.sme`. The user can switch the organization against which the authentication is performed. +The `RETAIL` organization is the default one (it is preselected in the UI). The order of displayed organizations is defined as +`RETAIL`, `SME` using the last parameter. + +_Warning: In case you configure multiple organizations make sure the user ID used in PowerAuth Web Flow, PowerAuth Server and PowerAuth Push Server is unique across all organizations and it is consistent in all PowerAuth backends. You can achieve this requirement by assigning unique user IDs in different organizations during user authentication. Alternatively the uniqueness requirement can be achieved by adding a prefix to all user IDs based on the organization against which the user was authenticated (e.g. `RETAIL.12345678`)._ + +Each organization requires following configuration: +- `organization_id` - an identifier of the organization, such as `RETAIL` or `SME` +- `display_name_key` - internationalization key for the organization used in Web Flow when displaying organization name +- `is_default` - whether the organization is the default one, set this flag to `TRUE` only for one organization +- `order_numer` - order of the organization in the Web Flow UI, starting by 1 +- `default_credential_name` - default credential name is used by Web Flow when performing credential authentication using Next Step +- `default_credential_name` - default credential name is used by Web Flow when performing OTP authentication using Next Step + +```sql +INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number, default_credential_name, default_otp_name) VALUES ('RETAIL', 'organization.retail', TRUE, 1, 'RETAIL_CREDENTIAL', 'RETAIL_OTP'); +``` + +The organization can be created using REST API by calling the `POST /organization` endpoint. + +## Operation Configuration + +Operations need to be configured in table `ns_operation_config`. + +Following parameters are configured for each operation: +- `operation_name` - unique operation name which identifies the operation +- `template_version` - template version, see documentation for [Operation Data](./Operation-Data.md) + - currently used template version is `A` +- `template_id` - template identifier, see documentation for [Operation Data](./Operation-Data.md) + - for approval (payment) use `1` + - for login use `2` +- `mobile_token_enabled` - whether mobile token is enabled for this operation +- `mobile_token_mode` - configuration of mobile token factors, use only when `mobile_token_enabled` value is true + - for 1FA use: `{"type":"1FA"}` + - for 2FA use e.g.: `{"type":"2FA","variants":["possession_knowledge","possession_biometry"]}` +- `afs_enabled` - whether anti-fraud service integration is enabled for this operation +- `afs_config_id` - identifier of AFS configuration, use only when `afs_enabled` value is true + +Sample configuration: + +```sql +INSERT INTO ns_operation_config (operation_name, template_version, template_id, mobile_token_enabled, mobile_token_mode) VALUES ('login', 'A', 2, FALSE, '{"type":"2FA","variants":["possession_knowledge","possession_biometry"]}'); +``` + +The operation configuration can be created using REST API by calling the `POST /operation/config` endpoint. + +## Configuration of Next Step Applications + +At least one Next Step application must be configured. Each application requires following configuration: +- `application_id` - Next Step application identifier +- `name` - application name +- `description` - description of the application +- `status` - application status: `ACTIVE` or `REMOVED` +- `timestamp_created` - timestamp when application was created + +```sql +INSERT INTO ns_application (application_id, name, description, status, timestamp_created) values (1, 'APP', 'Sample application', 'ACTIVE', CURRENT_TIMESTAMP); +``` + +The application can be created using REST API by calling the `POST /application` endpoint. + +## Configuration of Next Step Credential Policies + +At least one Next Step credential policy must be configured in case credential authentication is performed. The configuration is not used when Data Adapter proxy is enabled, in this case the configuration record is prepared for potential future switch to Next Step identity once Data Adapter proxy is disabled. + +The credential policy requires following configuration: + +- `credential_policy_id` - credential policy identifier +- `name` - credential policy name +- `description` - description of the credential policy +- `status` - credential policy status: `ACTIVE` or `REMOVED` +- `username_length_min` - minimum length of the username, use `NULL` value for no limit +- `username_length_max` - maximum length of the username, use `NULL` value for no limit +- `username_allowed_pattern` - regular expression for checking the username pattern, use `NULL` value for no check +- `credential_length_min` - minimum length of the credential, use `NULL` value for no limit +- `credential_length_max` - maximum length of the credential, use `NULL` value for no limit +- `limit_soft` - soft limit for failed authentication attempts using credential (credential status `BLOCKED_TEMPORARY` when limit is exceeded), use `0` for no limit +- `limit_hard` - hard limit for failed authentication attempts using credential (credential status `BLOCKED_PERMANENT` when limit is exceeded), use `0` for no limit +- `check_history_count` - count of historical credential values which should be checked when changing the credential, use `0` for skipping the check +- `rotation_enabled` - whether credential rotation is enabled +- `rotation_days`- number of days for credential rotation, only specify when credential rotation is enabled +- `credential_temp_expiration` - expiration of `TEMPORARY` credentials in seconds +- `username_gen_algorithm` - name of algorithm used for generating username: `NO_USERNAME`, `RANDOM_DIGITS`, or `RANDOM_LETTERS` +- `username_gen_param` - parameters of the username generating algorithm: `length` (only applies to algorithms `RANDOM_DIGITS` and `RANDOM_LETTERS`) +- `credential_gen_algorithm` - name of algorithm used for generating credentials: `RANDOM_PASSWORD` or `RANDOM_PIN` +- `credential_gen_param` - parameters of the credential generating algorithm: `length`, `includeSmallLetters`, `smallLettersCount`, `includeCapitalLetters`, `capitalLettersCount`, `includeDigits`, `digitsCount`, `includeSpecialChars`, `specialCharsCount` +- `credential_val_param` - parameters of credential validation based on the [Passay library rules](https://www.passay.org): `includeWhitespaceRule`, `includeUsernameRule`, `includeAllowedCharacterRule`, `allowedChars`, `includeAllowedRegexRule`, `allowedRegex`, `includeIllegalCharacterRule`, `illegalChars`, `includeIllegalRegexRule`, `illegalRegex`, `includeCharacterRule`, `includeSmallLetters`, `smallLettersMin`, `includeCapitalLetters`, `capitalLettersMin`, `includeAlphabeticalLetters`, `alphabeticalLettersMin`, `includeDigits`, `digitsMin`, `includeSpecialChars`, `specialCharsMin` +- `timestamp_created` - timestamp when credential policy was created + +```sql +INSERT INTO ns_credential_policy (credential_policy_id, name, description, status, username_length_min, username_length_max, username_allowed_pattern, credential_length_min, credential_length_max, limit_soft, limit_hard, check_history_count, rotation_enabled, username_gen_algorithm, username_gen_param, credential_gen_algorithm, credential_gen_param, credential_val_param, timestamp_created) values (1, 'CREDENTIAL_POLICY', 'Sample credential policy', 'ACTIVE', 8, 20, '[0-9]+', 8, 40, 3, 5, 3, 0, 'RANDOM_DIGITS', '{"length": 8}', 'RANDOM_PASSWORD', '{"length": 12, "includeSmallLetters": true, "smallLettersCount": 5, "includeCapitalLetters": true, "capitalLettersCount": 5, "includeDigits": true, "digitsCount": 1, "includeSpecialChars": true, "specialCharsCount": 1}', '{"includeWhitespaceRule": true, "includeUsernameRule": true, "includeAllowedCharacterRule": false, "allowedChars": "", "includeAllowedRegexRule": false, "allowedRegex": ".*", "includeIllegalCharacterRule": false, "illegalChars": "", "includeIllegalRegexRule": false, "illegalRegex": "", "includeCharacterRule": true, "includeSmallLetters": "true", "smallLettersMin": 1, "includeCapitalLetters": true, "capitalLettersMin": 1, "includeAlphabeticalLetters": true, "alphabeticalLettersMin": 2, "includeDigits": true, "digitsMin": 1, "includeSpecialChars": true, "specialCharsMin": 1}', CURRENT_TIMESTAMP); +``` + +The credential policy can be created using REST API by calling the `POST /credential/policy` endpoint. + +## Configuration of Next Step OTP Policies + +At least one Next Step OTP policy must be configured in case OTP authentication is performed. The configuration is not used when Data Adapter proxy is enabled, in this case the configuration record is prepared for potential future switch to Next Step identity once Data Adapter proxy is disabled. + +The credential policy requires following configuration: +- `otp_policy_id` - OTP policy identifier +- `name` - OTP policy name +- `description` - description of the OTP policy +- `status` - OTP policy status: `ACTIVE` or `REMOVED` +- `length` - length of the OTP authorization code +- `attempt_limit` - limit for failed authentication attempts using OTP (OTP status `BLOCKED` when limit is exceeded), use `0` for no limit +- `expiration_time` - expiration of OTP record +- `gen_algorithm` - name of algorithm used for generating OTP authorization code: `OTP_DATA_DIGEST` or `OTP_RANDOM_DIGIT_GROUPS` +- `gen_param` - parameters of the OTP authorization code generating algorithm: `groupSize` (only applies to algorithm `OTP_RANDOM_DIGIT_GROUPS`) +- `timestamp_created` - timestamp when OTP policy was created + +```sql +INSERT INTO ns_otp_policy (otp_policy_id, name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param, timestamp_created) values (1, 'OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}', CURRENT_TIMESTAMP); +``` + +The credential policy can be created using REST API by calling the `POST /credential/policy` endpoint. + +## Configuration of Next Step Credential Definitions + +At least one Next Step credential definition must be configured in case credential authentication is performed. The configuration is not used when Data Adapter proxy is enabled, in this case the configuration record is prepared for potential future switch to Next Step identity once Data Adapter proxy is disabled. + +The credential definition requires following configuration: +- `credential_definition_id` - credential definition identifier +- `name` - credential definition name +- `description` - description of the credential definition +- `application_id` - application identifier +- `organization_id` - organization identifier +- `credential_policy_id` - credential policy identifier +- `category` - credential category: `PASSWORD`, `PIN`, or `OTHER` +- `data_adapter_proxy_enabled` - whether credential verification requests should be proxied via Data Adapter +- `status` - credential definition status: `ACTIVE` or `REMOVED` +- `timestamp_created` - timestamp when credential definition was created + +```sql +INSERT INTO ns_credential_definition (credential_definition_id, name, description, application_id, organization_id, credential_policy_id, category, data_adapter_proxy_enabled, status, timestamp_created) values (1, 'RETAIL_CREDENTIAL', 'Sample credential definition for retail', 1, 'RETAIL', 1, 'PASSWORD', 1, 'ACTIVE', CURRENT_TIMESTAMP); +``` + +## Configuration of Next Step OTP Definitions + +At least one Next Step OTP definition must be configured in case OTP authentication is performed. The configuration is not used when Data Adapter proxy is enabled, in this case the configuration record is prepared for potential future switch to Next Step identity once Data Adapter proxy is disabled. + +The credential definition requires following configuration: +- `otp_definition_id` - OTP definition identifier +- `name` - OTP definition name +- `description` - description of the OTP definition +- `application_id` - application identifier +- `organization_id` - organization identifier +- `otp_policy_id` - OTP policy identifier +- `data_adapter_proxy_enabled` - whether OTP verification requests should be proxied via Data Adapter +- `status` - credential definition status: `ACTIVE` or `REMOVED` +- `timestamp_created` - timestamp when OTP definition was created + +```sql +INSERT INTO ns_otp_definition (otp_definition_id, name, description, application_id, otp_policy_id, data_adapter_proxy_enabled, status, timestamp_created) values (1, 'RETAIL_OTP', 'Sample OTP definition for retail', 1, 1, 1, 'ACTIVE', CURRENT_TIMESTAMP); ``` -## Configuration of next steps +## Configuration of Next Steps Following steps are required for next step definition: * Choose operation names, each operation should have a unique name @@ -104,17 +320,21 @@ VALUES (1, 'login', 'CREATE', NULL, NULL, 1, 'USER_ID_ASSIGN', 'CONTINUE'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) VALUES (2, 'login', 'CREATE', NULL, NULL, 2, 'USERNAME_PASSWORD_AUTH', 'CONTINUE'); +-- login - update operation - CANCELED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (3, 'login', 'UPDATE', 'INIT', 'CANCELED', 1, NULL, 'FAILED'); + -- login - update operation - CONFIRMED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (3, 'login', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); +VALUES (4, 'login', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (4, 'login', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); +VALUES (5, 'login', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); -- login - update operation - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (5, 'login', 'UPDATE', 'USER_ID_ASSIGN', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (6, 'login', 'UPDATE', 'USER_ID_ASSIGN', 'CANCELED', 1, NULL, 'FAILED'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (6, 'login', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (7, 'login', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CANCELED', 1, NULL, 'FAILED'); -- login - update operation - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) @@ -150,168 +370,200 @@ VALUES (17, 'authorize_payment', 'CREATE', NULL, NULL, 1, 'USER_ID_ASSIGN', 'CON INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) VALUES (18, 'authorize_payment', 'CREATE', NULL, NULL, 2, 'USERNAME_PASSWORD_AUTH', 'CONTINUE'); +-- authorize_payment - update operation - CANCELED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (19, 'authorize_payment', 'UPDATE', 'INIT', 'CANCELED', 1, NULL, 'FAILED'); + -- authorize_payment - update operation (login) - CONFIRMED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (19, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 1, 'POWERAUTH_TOKEN', 'CONTINUE'); +VALUES (20, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 1, 'POWERAUTH_TOKEN', 'CONTINUE'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (20, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 2, 'SMS_KEY', 'CONTINUE'); +VALUES (21, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 2, 'SMS_KEY', 'CONTINUE'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (21, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CONFIRMED', 1, 'POWERAUTH_TOKEN', 'CONTINUE'); +VALUES (22, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CONFIRMED', 1, 'POWERAUTH_TOKEN', 'CONTINUE'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (22, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CONFIRMED', 2, 'SMS_KEY', 'CONTINUE'); +VALUES (23, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CONFIRMED', 2, 'SMS_KEY', 'CONTINUE'); -- authorize_payment - update operation (login) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (23, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (24, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'CANCELED', 1, NULL, 'FAILED'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (24, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (25, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (login) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (25, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (26, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (26, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (27, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (login) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (27, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'AUTH_FAILED', 1, 'USER_ID_ASSIGN', 'CONTINUE'); +VALUES (28, 'authorize_payment', 'UPDATE', 'USER_ID_ASSIGN', 'AUTH_FAILED', 1, 'USER_ID_ASSIGN', 'CONTINUE'); INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (28, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'AUTH_FAILED', 1, 'USERNAME_PASSWORD_AUTH', 'CONTINUE'); +VALUES (29, 'authorize_payment', 'UPDATE', 'USERNAME_PASSWORD_AUTH', 'AUTH_FAILED', 1, 'USERNAME_PASSWORD_AUTH', 'CONTINUE'); -- authorize_payment - update operation (authorize using mobile token) - CONFIRMED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (29, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); +VALUES (30, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); -- authorize_payment - update operation (authorize using mobile token) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (30, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (31, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (authorize using mobile token) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (31, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (32, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (authorize using mobile token) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (32, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'AUTH_FAILED', 1, 'POWERAUTH_TOKEN', 'CONTINUE'); +VALUES (33, 'authorize_payment', 'UPDATE', 'POWERAUTH_TOKEN', 'AUTH_FAILED', 1, 'POWERAUTH_TOKEN', 'CONTINUE'); -- authorize_payment - update operation (authorize using sms key) - CONFIRMED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (33, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); +VALUES (34, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); -- authorize_payment - update operation (authorize using sms key) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (34, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (35, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (authorize using sms key) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (35, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (36, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (authorize using sms key) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (36, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'AUTH_FAILED', 1, 'SMS_KEY', 'CONTINUE'); +VALUES (37, 'authorize_payment', 'UPDATE', 'SMS_KEY', 'AUTH_FAILED', 1, 'SMS_KEY', 'CONTINUE'); -- authorize_payment - update operation (consent) - CONFIRMED -> DONE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (37, 'authorize_payment', 'UPDATE', 'CONSENT', 'CONFIRMED', 1, NULL, 'DONE'); +VALUES (38, 'authorize_payment', 'UPDATE', 'CONSENT', 'CONFIRMED', 1, NULL, 'DONE'); -- authorize_payment - update operation (consent) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (38, 'authorize_payment', 'UPDATE', 'CONSENT', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (39, 'authorize_payment', 'UPDATE', 'CONSENT', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (consent) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (39, 'authorize_payment', 'UPDATE', 'CONSENT', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (40, 'authorize_payment', 'UPDATE', 'CONSENT', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment - update operation (consent) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (40, 'authorize_payment', 'UPDATE', 'CONSENT', 'AUTH_FAILED', 1, 'CONSENT', 'CONTINUE'); +VALUES (41, 'authorize_payment', 'UPDATE', 'CONSENT', 'AUTH_FAILED', 1, 'CONSENT', 'CONTINUE'); -- login_sca - init operation -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (41, 'login_sca', 'CREATE', NULL, NULL, 1, 'LOGIN_SCA', 'CONTINUE'); +VALUES (42, 'login_sca', 'CREATE', NULL, NULL, 1, 'LOGIN_SCA', 'CONTINUE'); + +-- login_sca - update operation - CANCELED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (43, 'login_sca', 'UPDATE', 'INIT', 'CANCELED', 1, 'INIT', 'FAILED'); -- login_sca - update operation (login) - CONFIRMED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (42, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); +VALUES (44, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); -- login_sca - update operation (login) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (43, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (45, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'CANCELED', 1, NULL, 'FAILED'); -- login_sca - update operation (login) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (44, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (46, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- login_sca - update operation (login) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (45, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_FAILED', 1, 'LOGIN_SCA', 'CONTINUE'); +VALUES (47, 'login_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_FAILED', 1, 'LOGIN_SCA', 'CONTINUE'); -- login_sca - update operation (consent) - CONFIRMED -> DONE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (46, 'login_sca', 'UPDATE', 'CONSENT', 'CONFIRMED', 1, NULL, 'DONE'); +VALUES (48, 'login_sca', 'UPDATE', 'CONSENT', 'CONFIRMED', 1, NULL, 'DONE'); -- login_sca - update operation (consent) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (47, 'login_sca', 'UPDATE', 'CONSENT', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (49, 'login_sca', 'UPDATE', 'CONSENT', 'CANCELED', 1, NULL, 'FAILED'); -- login_sca - update operation (consent) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (48, 'login_sca', 'UPDATE', 'CONSENT', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (50, 'login_sca', 'UPDATE', 'CONSENT', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- login_sca - update operation (consent) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (49, 'login_sca', 'UPDATE', 'CONSENT', 'AUTH_FAILED', 1, 'LOGIN_SCA', 'CONTINUE'); +VALUES (51, 'login_sca', 'UPDATE', 'CONSENT', 'AUTH_FAILED', 1, 'CONSENT', 'CONTINUE'); -- authorize_payment_sca - init operation -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (50, 'authorize_payment_sca', 'CREATE', NULL, NULL, 1, 'LOGIN_SCA', 'CONTINUE'); +VALUES (52, 'authorize_payment_sca', 'CREATE', NULL, NULL, 1, 'LOGIN_SCA', 'CONTINUE'); + +-- authorize_payment_sca - update operation - CANCELED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (53, 'authorize_payment_sca', 'UPDATE', 'INIT', 'CANCELED', 1, 'INIT', 'FAILED'); -- authorize_payment_sca - update operation (login) - CONFIRMED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (51, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'CONFIRMED', 1, 'APPROVAL_SCA', 'CONTINUE'); +VALUES (54, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'CONFIRMED', 1, 'APPROVAL_SCA', 'CONTINUE'); -- authorize_payment_sca - update operation (login) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (52, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (55, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment_sca - update operation (login) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (53, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (56, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment_sca - update operation (login) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (54, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_FAILED', 1, 'LOGIN_SCA', 'CONTINUE'); +VALUES (57, 'authorize_payment_sca', 'UPDATE', 'LOGIN_SCA', 'AUTH_FAILED', 1, 'LOGIN_SCA', 'CONTINUE'); -- authorize_payment_sca - update operation (approval) - CONFIRMED -> DONE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (55, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); +VALUES (58, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'CONFIRMED', 1, 'CONSENT', 'CONTINUE'); -- authorize_payment_sca - update operation (approval) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (56, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (59, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment_sca - update operation (approval) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (57, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (60, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment_sca - update operation (approval) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (58, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'AUTH_FAILED', 1, 'APPROVAL_SCA', 'CONTINUE'); +VALUES (61, 'authorize_payment_sca', 'UPDATE', 'APPROVAL_SCA', 'AUTH_FAILED', 1, 'APPROVAL_SCA', 'CONTINUE'); -- authorize_payment_sca - update operation (consent) - CONFIRMED -> DONE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (59, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'CONFIRMED', 1, NULL, 'DONE'); +VALUES (62, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'CONFIRMED', 1, NULL, 'DONE'); -- authorize_payment_sca - update operation (consent) - CANCELED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (60, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'CANCELED', 1, NULL, 'FAILED'); +VALUES (63, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'CANCELED', 1, NULL, 'FAILED'); -- authorize_payment_sca - update operation (consent) - AUTH_METHOD_FAILED -> FAILED INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (61, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); +VALUES (64, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'AUTH_METHOD_FAILED', 1, NULL, 'FAILED'); -- authorize_payment_sca - update operation (consent) - AUTH_FAILED -> CONTINUE INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) -VALUES (62, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'AUTH_FAILED', 1, 'APPROVAL_SCA', 'CONTINUE'); +VALUES (65, 'authorize_payment_sca', 'UPDATE', 'CONSENT', 'AUTH_FAILED', 1, 'CONSENT', 'CONTINUE'); + +-- authorize_payment_sca - init operation -> CONTINUE +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (66, 'authorize_payment_sca', 'CREATE', null, null, 1, 'USER_ID_ASSIGN', 'CONTINUE'); + +-- authorize_payment_sca - update operation (user ID assignment) - CONFIRMED -> CONTINUE +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (67, 'authorize_payment_sca', 'UPDATE', 'USER_ID_ASSIGN', 'CONFIRMED', 1, 'APPROVAL_SCA', 'CONTINUE'); + +-- authorize_payment_sca - update operation (user ID assignment) - CANCELED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (68, 'authorize_payment_sca', 'UPDATE', 'USER_ID_ASSIGN', 'CANCELED', 1, null, 'FAILED'); + +-- authorize_payment_sca - update operation (user ID assignment) - AUTH_METHOD_FAILED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (69, 'authorize_payment_sca', 'UPDATE', 'USER_ID_ASSIGN', 'AUTH_METHOD_FAILED', 1, null, 'FAILED'); + +-- authorize_payment_sca - update operation (user ID assignment) - AUTH_FAILED -> FAILED +INSERT INTO ns_step_definition (step_definition_id, operation_name, operation_type, request_auth_method, request_auth_step_result, response_priority, response_auth_method, response_result) +VALUES (70, 'authorize_payment_sca', 'UPDATE', 'USER_ID_ASSIGN', 'AUTH_FAILED', 1, null, 'FAILED'); ``` diff --git a/docs/Customizing-Operation-Form-Data.md b/docs/Customizing-Operation-Form-Data.md index 10d1288fa..7f79a41a2 100644 --- a/docs/Customizing-Operation-Form-Data.md +++ b/docs/Customizing-Operation-Form-Data.md @@ -344,7 +344,3 @@ Remarks: Remarks: - The value is structured and it is not localized. - -## Pending issues for operation form data: -- https://github.com/wultra/powerauth-webflow/issues/389 -- https://github.com/wultra/powerauth-webflow/issues/221 diff --git a/docs/Data-Adapter-REST-API-Reference.md b/docs/Data-Adapter-REST-API-Reference.md index dfa250b5d..d603395d6 100644 --- a/docs/Data-Adapter-REST-API-Reference.md +++ b/docs/Data-Adapter-REST-API-Reference.md @@ -1,6 +1,8 @@ # Data Adapter RESTful API Reference -PowerAuth Web Flow server communicates with the Data Adapter via a REST API. This chapter defines the REST API implemented by Data Adapter and consumed by the Web Flow Server. +_Warning: this page is currently being revised for version `1.1.0`. For most up-to-date documentation see the application Swagger at: http[s]://[host]:[port]/powerauth-data-adapter/swagger-ui.html_ + +PowerAuth Web Flow server and Next Step server communicate with the Data Adapter via a REST API. This chapter defines the REST API implemented by Data Adapter and consumed by the Web Flow Server. Following topics are covered in this chapter: - [Status codes and error handling](#status-codes-and-error-handling) diff --git a/docs/Data-Adapter.md b/docs/Data-Adapter.md index 72ae4eab2..8e9c32677 100644 --- a/docs/Data-Adapter.md +++ b/docs/Data-Adapter.md @@ -11,16 +11,21 @@ The Data Adapter needs to be customized for each deployment. You can find the do Following functionality needs to be customized during Web Flow deployment by implementing the Data Adapter interface (if applicable): - convert username to user ID in case such conversion is required -- perform user authentication with remote backend based on provided credentials +- perform user authentication against remote backend based on provided credentials - retrieve user details for given user ID +- initialize an authentication method and set its parameters, e.g. client certificate configuration - decorate form data for given user (e.g. add user bank account list) - form data change notification +- create an implicit login operation automatically on authentication start +- map a complex operation into smaller operations and configure PowerAuth operation template - operation status change notification -- send authorization SMS with generated text and authorization code -- verify authorization code from SMS +- generate OTP authorization code and send authorization SMS +- send authorization SMS with previously generated OTP authorization code +- verify OTP authorization code from SMS +- authenticate user using user ID, password and OTP authorization code +- verify a client TLS certificate - initialize OAuth 2.0 consent form - create OAuth 2.0 consent form - validate OAuth 2.0 consent form options - save OAuth 2.0 consent form options -- authenticate user using user ID, password and SMS authorization code - execute an anti-fraud system (AFS) action and react on response from AFS \ No newline at end of file diff --git a/docs/Database-Table-Structure.md b/docs/Database-Table-Structure.md index 48820e2f8..4a867939e 100644 --- a/docs/Database-Table-Structure.md +++ b/docs/Database-Table-Structure.md @@ -1,6 +1,6 @@ # Database Table Structure -Web Flow requires a database to store data. It is tested with MySQL and Oracle, but should be easily adapted to any other SQL database which supports JDBC. +Web Flow requires a database to store data. It is tested with Oracle, MySQL and PostgreSQL. It should be easily adapted to any other SQL database which supports JDBC. Web Flow can coexist with PowerAuth in the same database schema or it can use a different database schema. @@ -17,6 +17,12 @@ Web Flow can coexist with PowerAuth in the same database schema or it can use a - [initial_data.sql](./sql/oracle/initial_data.sql) - script with initial data - [drop_schema.sql](./sql/oracle/drop_schema.sql) - drop schema script +### PostgreSQL + +- [create_schema.sql](./sql/postgresql/create_schema.sql) - DDL script for creating the database schema +- [initial_data.sql](./sql/postgresql/initial_data.sql) - script with initial data +- [drop_schema.sql](./sql/postgresql/drop_schema.sql) - drop schema script + ## Database Tables ### Database Tables for the OAuth 2.0 protocol @@ -29,7 +35,7 @@ Web Flow can coexist with PowerAuth in the same database schema or it can use a - **oauth_refresh_token** - the table stores OAuth2 refresh tokens. See [JdbcTokenStore.java](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java). -- **oauth_code** - the table oauth_code stores data for the OAuth2 authorization code grant. See [JdbcAuthorizationCodeServices.java](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java). +- **oauth_code** - the table stores data for the OAuth2 authorization code grant. See [JdbcAuthorizationCodeServices.java](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java). ### Database Tables for the Next Step Server @@ -41,12 +47,48 @@ Web Flow can coexist with PowerAuth in the same database schema or it can use a - **ns_operation_config** - the table stores configuration of Web Flow operations including configuration of mobile templates. +- **ns_operation_method_config** - the table stores configuration of authentication methods per operation name. + - **ns_operation_history** - the table stores all changes of operations. +- **ns_organization** - the table stores definitions of organizations. + - **ns_step_definition** - the table stores definitions of authentication/authorization steps. Data in this table needs to be loaded before Web Flow is started. - **ns_operation_afs** - the table stores responses from AFS for operations. +- **ns_application** - the table stores Next Step applications. + +- **ns_credential_policy** - the table stores credential policies. + +- **ns_otp_policy** - the table stores OTP policies. + +- **ns_user_identity** - the table stores Next Step user identities. + +- **ns_user_contact** - the table stores contact information for user identities. + +- **ns_user_identity_history** - the table stores history for user identities. + +- **ns_role** - the table stores user role definitions. + +- **ns_user_role** - the table stores assignment of roles to user identities. + +- **ns_user_alias** - the table stores user aliases. + +- **ns_hashing_config** - the table stores configuration of hashing algorithms. + +- **ns_credential_definition** - the table stores definitions of credentials with reference to credential policies and applications. + +- **ns_otp_definition** - the table stores definitions of one time passwords with reference to credential policies and applications. + +- **ns_credential_storage** - the table stores credential values, counters and other data related to credentials. + +- **ns_credential_history** - the table stores historical values of credentials. + +- **ns_otp_storage** - the table stores one time password values, counters and other data related to one time passwords. + +- **ns_authentication** - the table stores authentication attempts. + ### Database Tables for the Data Adapter - **da_sms_authorization** - the table stores data for SMS OTP authorization. @@ -59,6 +101,8 @@ Web Flow can coexist with PowerAuth in the same database schema or it can use a - **wf_afs_config** - the table stores configuration of anti-fraud system integration. +- **wf_certificate_verification** - the table stores results of TLS certificate verifications. + ### Database Tables for the Third Party Provider - **tpp_consent** - the table stores definitions of consents. @@ -70,3 +114,9 @@ Web Flow can coexist with PowerAuth in the same database schema or it can use a - **tpp_detail** - the table stores information about third parties. - **tpp_app_detail** - the table store information about third party applications. + +### Database Tables for the auditing functionality + +- **audit_log** - the table stores audit records. + +- **audit_param** - the table stores parameters of audit records which can be used in queries. \ No newline at end of file diff --git a/docs/Deploying-Wildfly.md b/docs/Deploying-Wildfly.md index 87612ad1f..35aae338b 100644 --- a/docs/Deploying-Wildfly.md +++ b/docs/Deploying-Wildfly.md @@ -4,7 +4,7 @@ Two modules need to be configured for JBoss / Wildfly: - Web Flow - the main Web Flow application - Next Step - a backend service for Web Flow which manages operation steps and authentication methods -Optionally Web Flow Client application can be also configured. +Optionally Web Flow Client application and TPP Engine application can be also configured. ## JBoss Deployment Descriptor @@ -22,6 +22,12 @@ Web Flow contains the following configuration in `jboss-deployment-structure.xml + + + + + + @@ -40,6 +46,12 @@ Similarly, Next Step contains the following configuration in `jboss-deployment-s + + + + + + diff --git a/docs/Next-Step-Server-REST-API-Reference.md b/docs/Next-Step-Server-REST-API-Reference.md index 1debb3159..310f82027 100644 --- a/docs/Next-Step-Server-REST-API-Reference.md +++ b/docs/Next-Step-Server-REST-API-Reference.md @@ -1,5 +1,7 @@ # NextStep Server RESTful API Reference +_Warning: this page is currently being revised for version `1.1.0`. For most up-to-date documentation see the application Swagger at: http[s]://[host]:[port]/powerauth-nextstep/swagger-ui.html_ + PowerAuth Web Flow communicates with the Next Step Server via a REST API to resolve the next step in the authentication process. This chapter defines the REST API implemented by Next Step Server and consumed by the Web Flow Server during authentication. The REST API can be also used by other components. The Next Step API can list available authentication methods and enable/disable authentication methods per user. Authentication method configuration can be updated - for instance the activation ID of registered user device is set for the Mobile Token authentication method. @@ -34,7 +36,7 @@ Following topics are covered in this chapter: - [Organization list](#list-organizations) - [Organization detail](#organization-detail) -You can access the generated REST API documentation in deployed Next Step: +You can access the generated REST API documentation in deployed Next Step application: ``` http[s]://[host]:[port]/powerauth-nextstep/swagger-ui.html diff --git a/docs/Next-Step-Server.md b/docs/Next-Step-Server.md index 2539d53c1..7f7a24636 100644 --- a/docs/Next-Step-Server.md +++ b/docs/Next-Step-Server.md @@ -1,12 +1,12 @@ # NextStep Server -Next Step Server resolves the Next Step of the authentication process. +Next Step Server resolves the Next Step of the authentication process, handled authentication using credentials and OTP authorization codes, and manages user identities. You can obtain the war file which can be deployed to a Java EE container in [releases](https://github.com/wultra/powerauth-webflow/releases). -The configuration of Next Step Server is described in [Web Flow Configuration](./Web-Flow-Configuration.md). +The configuration of Next Step Server is described in [Next Step Configuration](./Web-Flow-Configuration.md#next-step-server). -Next step definitions need to be configured before deploying Next Step Server, see chapter [Configuring Next Step Definitions](./Configuring-Next-Step-Definitions.md). +Next step definitions need to be configured before deploying Next Step Server, see chapter [Configuring Next Step](Configuring-Next-Step.md). ## Next Step Server functionality @@ -15,8 +15,11 @@ Next Step Server implements following functionality: - step definitions are loaded from database when Next Step Server starts - making decision about the next step of an operation given loaded step definitions, operation name, operation type, operation status and step authentication result - management of authentication methods + - create an authentication method - listing available authentication methods both general and user-specific - enabling/disabling authentication methods per user including their configuration (configuration is required for the [Mobile Token](./Mobile-Token-Configuration.md)) + - get list a of authentication methods currently enabled for the user + - delete an authentication method - management of operations - create a new operation - update an operation based on next step decision @@ -29,10 +32,39 @@ Next Step Server implements following functionality: - set chosen authentication method - update mobile token status for an operation - retrieve mobile token configuration + - get and update detailed authentication method and operation configuration + - authentication method downgrade for the next step + - enable PowerAuth token for the next step + - integration with PowerAuth operations - store result of an AFS action - management of organizations + - create an organization - list organizations - retrieve organization detail -- REST services are available for authentication methods and operations + - delete an organization +- management of user identity + - user identity CRUD operations + - user contact CRUD operations + - user alias CRUD operations + - assignment of user roles + - blocking and unblocking of user identity + - obtaining user credential list + - obtaining user authentication history + - update status of multiple user identities + - lookup of user identities +- management of Next Step applications +- management of credential policies +- management of OTP policies +- management of credential definitions +- management of OTP definitions +- configuration of hashing algorithm parameters +- secure storage of user credentials +- secure storage of OTP authorization codes, their delivery and management +- storage of failed attempt counters, their update and reset +- configuration of next step definitions +- definition of user roles +- authentication using credentials, OTP authorization codes and combine credential and OTP authentication + +REST services are available for all Next Step functionality listed above. The Next Step Server functionality is described in details in [Next Step Server REST API Reference](./Next-Step-Server-REST-API-Reference.md). diff --git a/docs/Readme.md b/docs/Readme.md index a492c3e18..4887d0246 100644 --- a/docs/Readme.md +++ b/docs/Readme.md @@ -33,6 +33,7 @@ Web Flow can be integrated with anti-fraud systems, provide information for frau - [Web Flow Server](./Web-Flow-Server.md) - [Next Step Server](./Next-Step-Server.md) - [Data Adapter](./Data-Adapter.md) +- [TPP Engine](./Tpp-Engine.md) - [PowerAuth Server](https://github.com/wultra/powerauth-server) - [PowerAuth Admin](https://github.com/wultra/powerauth-admin) - [PowerAuth Push Server](https://github.com/wultra/powerauth-push-server) @@ -57,7 +58,7 @@ Web Flow can be integrated with anti-fraud systems, provide information for frau - [Customizing Web Flow Appearance](https://github.com/wultra/powerauth-webflow-customization/blob/develop/docs/Customizing-Web-Flow-Appearance.md) - [Implementing Data Adapter Interface](https://github.com/wultra/powerauth-webflow-customization/blob/develop/docs/Implementing-the-Data-Adapter-Interface.md) - [Web Flow Configuration](./Web-Flow-Configuration.md) -- [Configuring Next Step Definitions](./Configuring-Next-Step-Definitions.md) +- [Configuring Next Step](Configuring-Next-Step.md) - [Customizing Operation Form Data](./Customizing-Operation-Form-Data.md) - [Mobile Token Configuration](./Mobile-Token-Configuration.md) diff --git a/docs/Tpp-Engine.md b/docs/Tpp-Engine.md new file mode 100644 index 000000000..1cea96afe --- /dev/null +++ b/docs/Tpp-Engine.md @@ -0,0 +1,15 @@ +# Third Party Provider Engine + +TPP Engine implements following functionality: +- third party provider registry +- storage of OAuth 2.0 consents + +TPP Engine is available as a separate application and its deployment is optional. + +## REST API Documentation + +You can access the generated REST API documentation in deployed TPP Engine application: + +``` +http[s]://[host]:[port]/powerauth-tpp-engine/swagger-ui.html +``` diff --git a/docs/Web-Flow-Architecture.md b/docs/Web-Flow-Architecture.md index a72e5b0c6..8961438a2 100644 --- a/docs/Web-Flow-Architecture.md +++ b/docs/Web-Flow-Architecture.md @@ -2,14 +2,15 @@ Web Flow architecture diagram: -![Web Flow Architecture](./img/Web_Flow_Architecture.png) +![Web Flow Architecture](img/Web_Flow_Architecture.png) [Web Flow Architecture diagram in higher resolution](./img/Web_Flow_Architecture.png) The Web Flow application consists of following components: * **PowerAuth Web Flow** - a public internet facing web application which provides authentication and authorization services to secure target web application, the user interacts with this application using web browser -* **Next Step Server** - an internally deployed application which handles logic of resolving the next authentication/authorization step for Web Flow +* **Next Step Server** - an internally deployed application which handles logic of resolving the next authentication/authorization step for Web Flow and optionally manages user identity, too * **Data Adapter** - an internally deployed application which handles user authentication, provides access to user profile from client backend systems (marked as User Identity Storage on the diagram), triggers delivery of SMS messages and notifies backend systems about operation changes +* **TPP Engine** - an optional application which manages third party provider registry and stores user consent option choices * **Mobile Token** - mobile application deployed on user device (iOS or Android), the user interacts with this application during the PowerAuth mobile token authorization step * **PowerAuth Server** - an internally deployed application which serves as a backend providing security services for Web Flow (activation management, signature verification, token verification, etc.) * **PowerAuth Push Server** - an internally deployed application which handles push message notifications to mobile clients (iOS or Android) for authorization of operations on user mobile devices diff --git a/docs/Web-Flow-Configuration.md b/docs/Web-Flow-Configuration.md index e07ff02fd..bdd1df2cd 100644 --- a/docs/Web-Flow-Configuration.md +++ b/docs/Web-Flow-Configuration.md @@ -16,6 +16,9 @@ At minimum the following configuration properties should be updated based on dep Complete configuration file: ```properties +# Allow externalization of properties using application-ext.properties +spring.profiles.active=ext + # Data Adapter Server Service URL powerauth.dataAdapter.service.url=http://localhost:8080/powerauth-data-adapter @@ -44,7 +47,6 @@ spring.datasource.password= spring.datasource.driver-class-name=com.mysql.jdbc.Driver spring.jpa.properties.hibernate.connection.characterEncoding=utf8 spring.jpa.properties.hibernate.connection.useUnicode=true -#spring.jpa.properties.hibernate.connection.CharSet=utf8mb4 # Database Configuration - PostgreSQL #spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth @@ -71,6 +73,9 @@ powerauth.webflow.service.applicationEnvironment= # Configuration of Offline Mode powerauth.webflow.offlineMode.available=true +# Enable or disable operations support in PowerAuth server +powerauth.webflow.pa.operations.enabled=false + # Configuration of Android Security Warning powerauth.webflow.android.showSecurityWarning=true @@ -79,6 +84,9 @@ powerauth.webflow.password.protection.type=NO_PROTECTION powerauth.webflow.password.encryption.transformation= powerauth.webflow.password.encryption.key= +# Configuration of authentication using temporary credentials +powerauth.webflow.authentication.allowTemporaryCredentials=false + # Configuration of Delay for Resending SMS in Milliseconds powerauth.webflow.sms.resend.delayMs=60000 @@ -89,7 +97,7 @@ powerauth.webflow.timeout.warning.delayMs=60000 powerauth.webflow.consent.limit.enabled=false powerauth.webflow.consent.limit.characters=750 -# Anti-fraud system configuration +# Anti-fraud System Configuration powerauth.webflow.afs.enabled=false powerauth.webflow.afs.type=THREAT_MARK powerauth.webflow.afs.detectIpAddress=false @@ -97,10 +105,32 @@ powerauth.webflow.afs.forceIpv4=true powerauth.webflow.afs.tm.cookies.deviceTag= powerauth.webflow.afs.tm.cookies.sessionSid= -# User input validation +# User Input Validation powerauth.webflow.input.username.maxLength=256 powerauth.webflow.input.password.maxLength=128 powerauth.webflow.input.smsOtp.maxLength=8 + +# Configuration of CORS Requests for Client Certificate Verification +powerauth.webflow.security.cors.enabled=false +powerauth.webflow.security.cors.allowOrigin=https://localhost.cz + +# Set JMX default domain in case JMX is enabled, otherwise the application startup fails due to clash in JMX bean names +spring.jmx.default-domain=powerauth-webflow + +# Set Jackson date format +spring.jackson.date-format=yyyy-MM-dd'T'HH:mm:ssZ + +# Disable open session in view to avoid startup warning of Spring boot +spring.jpa.open-in-view=false + +# Enable caching of static resources +spring.resources.cache.cachecontrol.max-age=86400 + +# Disable swagger-ui default petstore url +springdoc.swagger-ui.disable-swagger-default-url=true + +# Set the Spring application name +spring.application.name=powerauth-webflow ``` Encryption of user passwords during transport can be configured using following properties: @@ -129,10 +159,15 @@ For information about password decryption, see: [User Password Encryption And De ## Next Step Server At minimum the following configuration properties should be updated based on deployment: - `powerauth.nextstep.operation.expirationTimeInSeconds` - operation expiration time in seconds +- `powerauth.dataAdapter.service.url` - Data Adapter service URL +- `powerauth.service.url` - PowerAuth service URL - database configuration - see examples below Complete configuration file: ```properties +# Allow externalization of properties using application-ext.properties +spring.profiles.active=ext + # Database Configuration - MySQL spring.datasource.url=jdbc:mysql://localhost:3306/powerauth spring.datasource.username=powerauth @@ -140,7 +175,6 @@ spring.datasource.password= spring.datasource.driver-class-name=com.mysql.jdbc.Driver spring.jpa.properties.hibernate.connection.characterEncoding=utf8 spring.jpa.properties.hibernate.connection.useUnicode=true -#spring.jpa.properties.hibernate.connection.CharSet=utf8mb4 # Database Configuration - PostgreSQL #spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth @@ -159,13 +193,59 @@ spring.jpa.properties.hibernate.connection.useUnicode=true # The following property speeds up Spring Boot startup #spring.jpa.properties.hibernate.temp.use_jdbc_metadata_defaults=false +# Data Adapter Server Service URL +powerauth.dataAdapter.service.url=http://localhost:8080/powerauth-data-adapter + +# PowerAuth Server URL +powerauth.service.url=http://localhost:8080/powerauth-java-server/rest +powerauth.service.security.clientToken= +powerauth.service.security.clientSecret= +# Whether invalid SSL certificates should be accepted +powerauth.service.ssl.acceptInvalidSslCertificate=false + # Operation expiration time in seconds powerauth.nextstep.operation.expirationTimeInSeconds=300 +# Use original username for a removed credential when the credential is recreated +powerauth.nextstep.identity.credential.useOriginalUsername=false + +# Maximum number of attempts when generating username +powerauth.nextstep.identity.credential.generateUsernameMaxAttempts=100 + +# Enable or disable operations support in PowerAuth server +powerauth.nextstep.pa.operations.enabled=false + +# Key used for end-to-end encryption of credentials +powerauth.nextstep.e2eEncryption.key= + +# Key used for database record encryption +powerauth.nextstep.db.master.encryption.key= + # Application Service Configuration powerauth.nextstep.service.applicationName=powerauth-nextstep powerauth.nextstep.service.applicationDisplayName=PowerAuth Next Step Server powerauth.nextstep.service.applicationEnvironment= + +# Disable new Hibernate ID generators +spring.jpa.hibernate.use-new-id-generator-mappings=false + +# Set JMX default domain in case JMX is enabled, otherwise the application startup fails due to clash in JMX bean names +spring.jmx.default-domain=powerauth-nextstep + +# Set Jackson date format +spring.jackson.date-format=yyyy-MM-dd'T'HH:mm:ssZ + +# Disable open session in view to avoid startup warning of Spring boot +spring.jpa.open-in-view=false + +# Disable swagger-ui default petstore url +springdoc.swagger-ui.disable-swagger-default-url=true + +# Set default media type for responses in REST API documentation +springdoc.default-produces-media-type=application/json + +# Set the Spring application name +spring.application.name=powerauth-nextstep ``` ## Data Adapter @@ -176,6 +256,9 @@ At minimum the following configuration properties should be updated based on dep Complete configuration file: ```properties +# Allow externalization of properties using application-ext.properties +spring.profiles.active=ext + # Database Configuration - MySQL spring.datasource.url=jdbc:mysql://localhost:3306/powerauth spring.datasource.username=powerauth @@ -206,6 +289,20 @@ spring.jpa.properties.hibernate.connection.useUnicode=true powerauth.authorization.sms-otp.expiration-time-in-seconds=300 # Maximum number of tries to verify a SMS OTP authorization code powerauth.authorization.sms-otp.max-verify-tries-per-message=5 + +# Set JMX default domain in case JMX is enabled, otherwise the application startup fails due to clash in JMX bean names +spring.jmx.default-domain=powerauth-data-adapter + +# Application Service Configuration +powerauth.dataAdapter.service.applicationName=powerauth-data-adapter +powerauth.dataAdapter.service.applicationDisplayName=PowerAuth Data Adapter +powerauth.dataAdapter.service.applicationEnvironment= + +# Disable open session in view to avoid startup warning of Spring boot +spring.jpa.open-in-view=false + +# Disable swagger-ui default petstore url +springdoc.swagger-ui.disable-swagger-default-url=true ``` ## Web Flow Client @@ -236,78 +333,45 @@ powerauth.service.ssl.acceptInvalidSslCertificate=false powerauth.webflow.client.service.applicationName=powerauth-webflow-client powerauth.webflow.client.service.applicationDisplayName=PowerAuth Web Flow Client powerauth.webflow.client.service.applicationEnvironment= -``` - -## OAuth 2.0 Client Configuration - -The OAuth 2.0 client needs to be configured in database during Web Flow deployment. - -Change the client_id and client_secret in SQL snipped below. The scope, authorized_grant_types, additional_information and autoapprove values should not be changed. - -Initialization of OAuth 2.0 client: -```sql -INSERT INTO oauth_client_details (client_id, client_secret, scope, authorized_grant_types, additional_information, autoapprove) -VALUES ('democlient', '$2a$12$MkYsT5igDXSDgRwyDVz1B.93h8F81E4GZJd/spy/1vhjM4CJgeed.', 'profile', 'authorization_code', '{}', 'true'); -``` - -Note: bcrypt('changeme', 12) => '$2a$12$MkYsT5igDXSDgRwyDVz1B.93h8F81E4GZJd/spy/1vhjM4CJgeed.' -You can use [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) from Apache HTTP server to generate bcrypt hashes. +# Set JMX default domain in case JMX is enabled, otherwise the application startup fails due to clash in JMX bean names +spring.jmx.default-domain=powerauth-webflow-client +# Set Jackson date format +spring.jackson.date-format=yyyy-MM-dd'T'HH:mm:ssZ -## Organization configuration +# Disable open session in view to avoid startup warning of Spring boot +spring.jpa.open-in-view=false -Web Flow requires at least one organization configured. The default configuration is following: +# Enable hidden method filter for DELETE method +spring.mvc.hiddenmethod.filter.enabled=true -Oracle: -```sql -INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('DEFAULT', null, 1, 1); -``` +# Disable harmless warning from Hikari Data Source during startup during H2 database driver initialization +logging.level.com.zaxxer.hikari.util.DriverDataSource=ERROR -MySQL: -```sql -INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('DEFAULT', null, TRUE, 1); +# Enable caching of static resources +spring.resources.cache.cachecontrol.max-age=86400 ``` -The default configuration assigns the `DEFAULT` organization to all operations. You can define multiple organizations to support -authentication for multiple segments which can have overlapping user IDs, e.g.: +## OAuth 2.0 Client Configuration -Oracle: -```sql -INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('RETAIL', 'organization.retail', 1, 1); -INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('SME', 'organization.sme', 0, 2); -``` +The OAuth 2.0 client requires following configuration: +- `client_id` - an identifier of the OAuth 2.0 client, choose the name so that it describes the client purpose +- `client_secret` - secret used for authentication of the OAuth 2.0 client, use BCrypt to encrypt the secret +- `scope` - OAuth 2.0 scopes supported by this client +- `authorized_grant_types` - OAuth 2.0 grant types, use `authorization_code` for typical deployment +- `web_server_redirect_url` - comma separated list of all redirect URLs after completion of OAuth 2.0 protocol +- `additional_information` - additional information for this client, use `{}` for no additional information +- `autoapprove` - use `true` value because consent page is displayed by Web Flow separately and is not handled by Spring OAuth 2.0 support -MySQL: ```sql -INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('RETAIL', 'organization.retail', TRUE, 1); -INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('SME', 'organization.sme', FALSE, 2); +INSERT INTO oauth_client_details (client_id, client_secret, scope, authorized_grant_types, web_server_redirect_uri, additional_information, autoapprove) +VALUES ('democlient', '$2a$12$MkYsT5igDXSDgRwyDVz1B.93h8F81E4GZJd/spy/1vhjM4CJgeed.', 'profile,aisp,pisp', 'authorization_code', 'http://localhost:8080/powerauth-webflow-client/connect/demo', '{}', 'true'); ``` -Such configuration defines two organizations `RETAIL` and `SME`. The user sees two tabs when authenticating with localized labels -based on keys `organization.retail` and `organization.sme`. The user can switch the organization against which the authentication is performed. -The `RETAIL` organization is the default one (it is preselected in the UI). The order of displayed organizations is defined as -`RETAIL`, `SME` using the last parameter. - -_Warning: In case you configure multiple organizations make sure the user ID used in PowerAuth Web Flow, PowerAuth Server and PowerAuth Push Server is unique across all organizations and it is consistent in all PowerAuth backends. You can achieve this requirement by assigning unique user IDs in different organizations during user authentication. Alternatively the uniqueness requirement can be achieved by adding a prefix to all user IDs based on the organization against which the user was authenticated (e.g. `RETAIL.12345678`)._ - -## Operation configuration - -Operations need to be configured in table `ns_operation_config`. +Note: bcrypt('changeme', 12) => '$2a$12$MkYsT5igDXSDgRwyDVz1B.93h8F81E4GZJd/spy/1vhjM4CJgeed.' -Following parameters are configured for each operation: -- `operation_name` - unique operation name which identifies the operation -- `template_version` - template version, see documentation for [Operation Data](./Operation-Data.md) - - currently used template version is `A` -- `template_id` - template identifier, see documentation for [Operation Data](./Operation-Data.md) - - for approval (payment) use `1` - - for login use `2` -- `mobile_token_enabled` - whether mobile token is enabled for this operation -- `mobile_token_mode` - configuration of mobile token factors, use only when `mobile_token_enabled` value is true - - for 1FA use: `{"type":"1FA"}` - - for 2FA use e.g.: `{"type":"2FA","variants":["possession_knowledge","possession_biometry"]}` -- `afs_enabled` - whether anti-fraud service integration is enabled for this operation -- `afs_config_id` - identifier of AFS configuration, use only when `afs_enabled` value is true +You can use [htpasswd](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) from Apache HTTP server to generate bcrypt hashes. ## AFS configuration @@ -330,7 +394,7 @@ AFS also needs to be configured using application properties: Authentication methods and next step definitions need to be configured during Web Flow deployment. -See chapter [Configuring Next Step Definitions](./Configuring-Next-Step-Definitions.md) for details. +See chapter [Configuring Next Step](Configuring-Next-Step.md) for details. ## Mobile token configuration diff --git a/docs/Web-Flow-Installation-Manual.md b/docs/Web-Flow-Installation-Manual.md index 09f2a7314..f934685cd 100644 --- a/docs/Web-Flow-Installation-Manual.md +++ b/docs/Web-Flow-Installation-Manual.md @@ -28,15 +28,21 @@ Optionally, add your user to the "tomcat" group: `$ usermod -a -G tomcat ext_johndoe` -### Install Bouncy Castle +### Configure Bouncy Castle Provider -Please follow our [Bouncy Castle installation tutorial](https://github.com/wultra/powerauth-server/blob/develop/docs/Installing-Bouncy-Castle.md). +Add an entry to the `java.security` file, where N is the last number of provider in the file incremented by one: + +```properties +security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider +``` + +A recent version of the Bouncy Castle library is bundled with Web Flow and Next Step applications. ### Install Tomcat -Unzip Tomcat 8.5.14 to "/opt/tomcat" folder. You can download Tomcat here: +Unzip Tomcat to "/opt/tomcat" folder. You can download Tomcat here: -[https://tomcat.apache.org/download-80.cgi](https://tomcat.apache.org/download-80.cgi) +[https://tomcat.apache.org/download-90.cgi](https://tomcat.apache.org/download-90.cgi) Change owner of the files to "tomcat" user: @@ -101,6 +107,14 @@ For more details see document [Database Table Structure](./Database-Table-Struct For more details see document [Database Table Structure](./Database-Table-Structure.md). +### Create database schema - PostgreSQL + +* Create a new database or reuse an existing PowerAuth database. +* Run the [create_schema.sql](./sql/postgresql/create_schema.sql) script to create tables. +* Run the [initial_data.sql](./sql/postgresql/initial_data.sql) script to load initial data. + +For more details see document [Database Table Structure](./Database-Table-Structure.md). + ### Update application configurations Copy XML files described below to "/opt/tomcat/conf/Catalina/localhost". Then, update configurations in the files to reflect expected values. Make sure to use absolute URLs, not references to `localhost`, for example: @@ -133,7 +147,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver - @@ -194,6 +207,14 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver + + + + + + + + @@ -293,6 +314,9 @@ The following war files are required for complete functionality including PowerA - powerauth-webflow-client.war - powerauth-webflow.war +The following war files are optional: +- powerauth-tpp-engine.war + ### Configure Web Flow Web Flow needs to be configured before starting. See chapter [Web Flow Configuration](./Web-Flow-Configuration.md). @@ -314,5 +338,3 @@ Start Tomcat with following command: To observe tomcat logs interactively, use following command: `$ tail -f -n200 /opt/tomcat/logs/catalina.out` - - diff --git a/docs/Web-Flow-Server.md b/docs/Web-Flow-Server.md index 84748e6d2..28475d5fd 100644 --- a/docs/Web-Flow-Server.md +++ b/docs/Web-Flow-Server.md @@ -16,10 +16,13 @@ Web Flow implements following functionality: - the authentication process consists of one or more authentication methods which are invoked as defined by the Next Step Server - each authentication method is stored in a separate project - central point which communicates with other backends - - communication with Next Step Server to get a response about next step and redirect of user to the right screen - - communication with Data Adapter to obtain additional data, authenticate user, send SMS messages and notify Data Adapter about operation status and form data changes + - communication with Next Step Server to get a response about the next step and redirect of user to the right screen, lookup user, authenticate user, and deliver OTP authorization codes + - communication with Data Adapter to perform TLS certificate verification, obtain consent options, validate consent data, save consent data, perform AFS actions, map complex operations, and notify Data Adapter about form data changes - communication with PowerAuth Server to obtain activation status, signature verification and token verification - communication with PowerAuth Push Server to deliver push messages to user mobile device - Web Socket communication with frontend for immediate response in Mobile Token authentication - tracking of operations within HTTP session to handle concurrent operations - preparation of operation form data (value formatting, resource localization, resource translation) +- OAuth 2.0 consent form display, processing of consent options, and consent form validation +- authentication using SCA and non-SCA methods with credentials and/or OTP authorization codes +- authentication using client TLS certificate diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index d6662496b..1713167e3 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -10,6 +10,7 @@ **Applications** - [Web Flow Server](./Web-Flow-Server.md) - [Next Step Server](./Next-Step-Server.md) +- [TPP Engine](./Tpp-Engine.md) - [Data Adapter](./Data-Adapter.md) - [PowerAuth Server](https://github.com/wultra/powerauth-server) - [PowerAuth Admin](https://github.com/wultra/powerauth-admin) @@ -35,7 +36,7 @@ - [Customizing Web Flow Appearance](https://github.com/wultra/powerauth-webflow-customization/blob/develop/docs/Customizing-Web-Flow-Appearance.md) - [Implementing Data Adapter Interface](https://github.com/wultra/powerauth-webflow-customization/blob/develop/docs/Implementing-the-Data-Adapter-Interface.md) - [Web Flow Configuration](./Web-Flow-Configuration.md) -- [Configuring Next Step Definitions](./Configuring-Next-Step-Definitions.md) +- [Configuring Next Step](Configuring-Next-Step.md) - [Customizing Operation Form Data](./Customizing-Operation-Form-Data.md) - [Mobile Token Configuration](./Mobile-Token-Configuration.md) diff --git a/docs/img/Web_Flow_Architecture.png b/docs/img/Web_Flow_Architecture.png index 14922a746..5f345045a 100644 Binary files a/docs/img/Web_Flow_Architecture.png and b/docs/img/Web_Flow_Architecture.png differ diff --git a/docs/sql/mysql/initial_data.sql b/docs/sql/mysql/initial_data.sql index 5a8c0f27f..3bb03352c 100644 --- a/docs/sql/mysql/initial_data.sql +++ b/docs/sql/mysql/initial_data.sql @@ -40,7 +40,7 @@ INSERT INTO ns_application (name, description, status, timestamp_created) values -- credential and OTP policy configuration INSERT INTO ns_credential_policy (name, description, status, username_length_min, username_length_max, username_allowed_pattern, credential_length_min, credential_length_max, limit_soft, limit_hard, check_history_count, rotation_enabled, username_gen_algorithm, username_gen_param, credential_gen_algorithm, credential_gen_param, credential_val_param, timestamp_created) values ('CREDENTIAL_POLICY', 'Sample credential policy', 'ACTIVE', 8, 20, '[0-9]+', 8, 40, 3, 5, 3, FALSE, 'RANDOM_DIGITS', '{"length": 8}', 'RANDOM_PASSWORD', '{"length": 12, "includeSmallLetters": true, "smallLettersCount": 5, "includeCapitalLetters": true, "capitalLettersCount": 5, "includeDigits": true, "digitsCount": 1, "includeSpecialChars": true, "specialCharsCount": 1}', '{"includeWhitespaceRule": true, "includeUsernameRule": true, "includeAllowedCharacterRule": false, "allowedChars": "", "includeAllowedRegexRule": false, "allowedRegex": ".*", "includeIllegalCharacterRule": false, "illegalChars": "", "includeIllegalRegexRule": false, "illegalRegex": "", "includeCharacterRule": true, "includeSmallLetters": "true", "smallLettersMin": 1, "includeCapitalLetters": true, "capitalLettersMin": 1, "includeAlphabeticalLetters": true, "alphabeticalLettersMin": 2, "includeDigits": true, "digitsMin": 1, "includeSpecialChars": true, "specialCharsMin": 1}', CURRENT_TIMESTAMP); -INSERT INTO ns_otp_policy (name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param) values ('OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}'); +INSERT INTO ns_otp_policy (name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param, timestamp_created) values ('OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}', CURRENT_TIMESTAMP); -- credential and OTP definition configuration INSERT INTO ns_credential_definition (name, description, application_id, organization_id, credential_policy_id, category, data_adapter_proxy_enabled, status, timestamp_created) values ('RETAIL_CREDENTIAL', 'Sample credential definition for retail', 1, 'RETAIL', 1, 'PASSWORD', TRUE, 'ACTIVE', CURRENT_TIMESTAMP); diff --git a/docs/sql/oracle/initial_data.sql b/docs/sql/oracle/initial_data.sql index 91f92dbc7..8497346e3 100644 --- a/docs/sql/oracle/initial_data.sql +++ b/docs/sql/oracle/initial_data.sql @@ -40,7 +40,7 @@ INSERT INTO ns_application (application_id, name, description, status, timestamp -- credential and OTP policy configuration INSERT INTO ns_credential_policy (credential_policy_id, name, description, status, username_length_min, username_length_max, username_allowed_pattern, credential_length_min, credential_length_max, limit_soft, limit_hard, check_history_count, rotation_enabled, username_gen_algorithm, username_gen_param, credential_gen_algorithm, credential_gen_param, credential_val_param, timestamp_created) values (1, 'CREDENTIAL_POLICY', 'Sample credential policy', 'ACTIVE', 8, 20, '[0-9]+', 8, 40, 3, 5, 3, 0, 'RANDOM_DIGITS', '{"length": 8}', 'RANDOM_PASSWORD', '{"length": 12, "includeSmallLetters": true, "smallLettersCount": 5, "includeCapitalLetters": true, "capitalLettersCount": 5, "includeDigits": true, "digitsCount": 1, "includeSpecialChars": true, "specialCharsCount": 1}', '{"includeWhitespaceRule": true, "includeUsernameRule": true, "includeAllowedCharacterRule": false, "allowedChars": "", "includeAllowedRegexRule": false, "allowedRegex": ".*", "includeIllegalCharacterRule": false, "illegalChars": "", "includeIllegalRegexRule": false, "illegalRegex": "", "includeCharacterRule": true, "includeSmallLetters": "true", "smallLettersMin": 1, "includeCapitalLetters": true, "capitalLettersMin": 1, "includeAlphabeticalLetters": true, "alphabeticalLettersMin": 2, "includeDigits": true, "digitsMin": 1, "includeSpecialChars": true, "specialCharsMin": 1}', CURRENT_TIMESTAMP); -INSERT INTO ns_otp_policy (otp_policy_id, name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param) values (1, 'OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}'); +INSERT INTO ns_otp_policy (otp_policy_id, name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param, timestamp_created) values (1, 'OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}', CURRENT_TIMESTAMP); -- credential and OTP definition configuration INSERT INTO ns_credential_definition (credential_definition_id, name, description, application_id, organization_id, credential_policy_id, category, data_adapter_proxy_enabled, status, timestamp_created) values (1, 'RETAIL_CREDENTIAL', 'Sample credential definition for retail', 1, 'RETAIL', 1, 'PASSWORD', 1, 'ACTIVE', CURRENT_TIMESTAMP); diff --git a/docs/sql/postgresql/initial_data.sql b/docs/sql/postgresql/initial_data.sql index 9ba9344a1..da103bbba 100644 --- a/docs/sql/postgresql/initial_data.sql +++ b/docs/sql/postgresql/initial_data.sql @@ -40,7 +40,7 @@ INSERT INTO ns_application (application_id, name, description, status, timestamp -- credential and OTP policy configuration INSERT INTO ns_credential_policy (credential_policy_id, name, description, status, username_length_min, username_length_max, username_allowed_pattern, credential_length_min, credential_length_max, limit_soft, limit_hard, check_history_count, rotation_enabled, username_gen_algorithm, username_gen_param, credential_gen_algorithm, credential_gen_param, credential_val_param, timestamp_created) values (1, 'CREDENTIAL_POLICY', 'Sample credential policy', 'ACTIVE', 8, 20, '[0-9]+', 8, 40, 3, 5, 3, FALSE, 'RANDOM_DIGITS', '{"length": 8}', 'RANDOM_PASSWORD', '{"length": 12, "includeSmallLetters": true, "smallLettersCount": 5, "includeCapitalLetters": true, "capitalLettersCount": 5, "includeDigits": true, "digitsCount": 1, "includeSpecialChars": true, "specialCharsCount": 1}', '{"includeWhitespaceRule": true, "includeUsernameRule": true, "includeAllowedCharacterRule": false, "allowedChars": "", "includeAllowedRegexRule": false, "allowedRegex": ".*", "includeIllegalCharacterRule": false, "illegalChars": "", "includeIllegalRegexRule": false, "illegalRegex": "", "includeCharacterRule": true, "includeSmallLetters": "true", "smallLettersMin": 1, "includeCapitalLetters": true, "capitalLettersMin": 1, "includeAlphabeticalLetters": true, "alphabeticalLettersMin": 2, "includeDigits": true, "digitsMin": 1, "includeSpecialChars": true, "specialCharsMin": 1}', CURRENT_TIMESTAMP); -INSERT INTO ns_otp_policy (otp_policy_id, name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param) values (1, 'OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}'); +INSERT INTO ns_otp_policy (otp_policy_id, name, description, status, length, attempt_limit, expiration_time, gen_algorithm, gen_param, timestamp_created) values (1, 'OTP_POLICY', 'Sample OTP policy', 'ACTIVE', 8, 3, 300, 'OTP_DATA_DIGEST', '{}', CURRENT_TIMESTAMP); -- credential and OTP definition configuration INSERT INTO ns_credential_definition (credential_definition_id, name, description, application_id, organization_id, credential_policy_id, category, data_adapter_proxy_enabled, status, timestamp_created) values (1, 'RETAIL_CREDENTIAL', 'Sample credential definition for retail', 1, 'RETAIL', 1, 'PASSWORD', TRUE, 'ACTIVE', CURRENT_TIMESTAMP); diff --git a/powerauth-nextstep/src/main/resources/application.properties b/powerauth-nextstep/src/main/resources/application.properties index 02602fd1d..0d1ab6362 100644 --- a/powerauth-nextstep/src/main/resources/application.properties +++ b/powerauth-nextstep/src/main/resources/application.properties @@ -23,7 +23,7 @@ spring.jpa.properties.hibernate.connection.useUnicode=true #spring.datasource.username=powerauth #spring.datasource.password= #spring.datasource.driver-class-name=oracle.jdbc.OracleDriver -# The following propertt speeds up Spring Boot startup +# The following property speeds up Spring Boot startup #spring.jpa.properties.hibernate.temp.use_jdbc_metadata_defaults=false # Data Adapter Server Service URL diff --git a/powerauth-webflow/src/main/resources/application.properties b/powerauth-webflow/src/main/resources/application.properties index 7ccdea955..8997963d9 100644 --- a/powerauth-webflow/src/main/resources/application.properties +++ b/powerauth-webflow/src/main/resources/application.properties @@ -17,10 +17,6 @@ powerauth.service.ssl.acceptInvalidSslCertificate=false # PowerAuth Push Server URL powerauth.push.service.url=http://localhost:8080/powerauth-push-server -# Unirest Configuration -powerauth.unirest.concurrency.total=500 -powerauth.unirest.concurrency.perRoute=50 - # Dynamic CSS stylesheet URL powerauth.webflow.page.title=PowerAuth Web Flow powerauth.webflow.page.ext-resources.location=classpath:/static/resources/