Skip to main content
Version: 3.7.x.x RR

Configuration

Using the Configurationjava, swift, objc, flutter, react native interface, you define the server and endpoints the SDK has to use to do authentication. You can also specify network timeouts.

Authentication Cloud backend

If your application is using the Nevis Authentication Cloud as backend, the SDK offers a convenience interface for each platform:

  • Configuration.AuthCloudBuilder for java
  • Configuration(authCloudHostname:) for swift
  • -[NMAConfiguration initWithAuthCloudHostname:] for objc
  • Configuration.authCloud(hostname:) for flutter
  • Configuration.authCloudBuilder for react native

With these interfaces, you only need to provide the hostname of your cloud environment ($instance.mauth.nevis.cloud).

Configuration in AuthCloud

Identity Suite backends

For those cases where your application interacts with an Identity Suite deployment, use the generic initializers to obtain a Configuration object:

  • Configuration.Builder for java
  • Configuration(baseUrl:) for swift
  • -[NMAConfiguration initWithBaseUrl:] for objc
  • Configuration(baseUrl:) for flutter
  • Configuration.builder for react native

These initializers allow you to specify the relative paths for each of the endpoints required by the SDK.

Configuration on Identity Suite

Facet ID

The facet ID of your application has to match the list of allowed facets stored provided by the facet service of the backend.

Common issue

The most common developer issue when integrating and testing the SDK is a mismatch between the client and backend facetIDs, specifically for applications running on the Android platform.

Always ensure, that your backend facetID configuration matches the client one.

The backend HTTP API serving the facets must be unprotected according to the UAF 1.1 specification. If you know the correct URL, you will be able to quickly verify the backends facets configuration.

  • Nevis Authentication Cloud: https://<your-cloud-instance>.mauth.nevis.cloud/_app/uaf/1.1/facets
  • On-Premise: https://<your-domain>/nevisfido/uaf/1.1/facets (This can differ according to configuration)

For backend configuration instructions, see one of the following documents:

The format of the facet ID differs between platforms:

Wildcard Facet IDs

Nevis Mobile Authentication supports the usage of wildcard facet IDs for development purposes. This is an alternative to providing the facet ID in configuration.

Configuring the backend with wildcard facetIDs will allow you to develop your app without having to consider Android signing certificate or iOS bundle identifiers at the early development stage. Simply adding the wildcard entries to the backend facet ID configuration will allow your app to "pass" the facet validation regardless of the real facetID your app would have.

Wildcard Facet ID example

android:apk-key-hash:*
ios:bundle-id:*
Debug SDK flavor only

Only the debug SDK flavor supports wildcard facet IDs. The release flavor does not allow them, calculate and use non-wildcard facetIds as described below when using the release flavor.

Android facet ID

According to the FIDO UAF 1.1 Specifications, the facet ID on Android should follow the android:apk-key-hash:HASH_VALUE format where the HASH_VALUE is Base64 encoded SHA-256 hash of the APK signing certificate.

For example android:apk-key-hash:z7Xkw62dAn/Bue3mKpYrOZ9zSPC7b4mbgzJmdZEDO5w.

info

If you modify the certificate used to sign your application, the value of the facet ID changes. So, a change of the certificate implies the need to recalculate the facet ID again, and reconfiguring the server with the new facet ID.

Using Play App Signing

If Google Play Store Play App Signing is used, Google will sign your application with a certificate that is not accessible.

In this case, to calculate the facet ID, include the facet ID calculating code in your application, publish it in Google Play (for example in an internal test track), and obtain the facetID when running the application (for instance including it in a debug line).

As long as the certificate used by Google remains the same, the facet ID will not change. So, once the facet ID is obtained, you can remove the facet ID calculating code from your application.

Providing the facet ID in Configuration

Deprecated

We consider this API deprecated and will likely remove it in the near future, use wildcard facet IDs instead. The reason for deprecation is that this API only exists for the Android SDK which makes integration with cross-platform frameworks and plugins more cumbersome. Using wildcard facet IDs is an easier and more uniform approach.

For convenience, the Configuration.facetIdjava, flutter, react native method allows you to provide the facet ID of the application. By providing a constant facet ID, temporary changes in the application signing certificate do not require changes in the backend. However, for production code, the FIDO UAF specification must be used, that is, by calculating the facet ID as described above.

Providing facet ID to the Configuration

In the example above, the facet ID to add to the list of facet IDs in the server is android:apk-key-hash:fakehash.

Calculating the facet ID inside a mobile application

The following code returns the facet ID when executed from inside the application:

Calculate Facet ID

Calculating facet ID using keytool command-line

You can calculate the hash using the following command:

keytool -keystore <path-to-apk-signing-keystore> \
-alias <alias-of-entry> \
-exportcert -storepass <keystore-password> 2> /dev/null | \
openssl sha256 -binary | \
openssl base64| \
sed 's/=//g'

iOS facet ID

In the case of an iOS application, the format of the facet ID is ios:bundle-id:<ios-bundle-id-of-app>.

For example ios:bundle-id:ch.nevis.accessapp

Flutter facet ID

In the case of a Flutter application, both Android and iOS facet IDs are needed. Read the chapters above on how you calculate them.

React Native facet ID

In the case of a React Native application, both Android and iOS facet IDs are needed. Read the chapters above on how you calculate them.

Last updated on