Version: 2.2

nevisAuth Mobile Authentication AuthStates

nevisFIDO provides its own AuthStates, which you can configure and use in nevisAuth.

Installation

The nevisFIDO AuthStates are installed using the client RPM. After installing the RPM, the AuthStates and the required dependencies are located under /opt/nevisfidocl/nevisauth/lib.

Configuration

When you configure a nevisFIDO AuthState, pay attention to the following:

  • If the classPath attribute is specified in the AuthEngine configuration, it has to contain the directory of the nevisFIDO AuthStates (as in the following sample code):

    <AuthEngine name="AuthEngine"
                classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin:/opt/nevisfidocl/nevisauth/lib"
                classLoadStrategy="PARENT_FIRST"
                useLiteralDictionary="true"
                addAutheLevelToSecRoles="true"
                compatLevel="none"
                inputLanguageCookie="LANG">
  • When you create a FidoUafAuthState, set the following attributes:

    • fidoUafServerUrl: The base URL of the nevisFIDO (server) instance.
    • fidoUafUsername: The username of the user in the nevisFIDO (server) instance.

    See also the following sample code:

    <AuthState name="FidoUafAuthState"
               class="ch.nevis.auth.fido.uaf.authstate.FidoUafAuthState"
               final="false"
               resumeState="false">
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="error" next="AuthError"/>
        <ResultCond name="failed" next="AuthError"/>
        <property name="fidoUafUsername" value="${sess:username}"/>
        <property name="fidoUafServerUrl" value="https://siven.ch:8443/nevisfido"/>
        <property name="httpclient.tls.truststoreRef" value="DefaultKeyStore"/>
    </AuthState>
  • If you employ a JSON-based client, use a DirectResponseState AuthState as the AuthDone AuthState to make integration easier. For example, the AuthDone AuthState in the sample below returns a successful HTTP response with { "message" : "successful authentication" } as the body:

    <AuthState name="AuthDone"
               class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState"
               final="true"
               resumeState="false">
        <Response value="AUTH_DONE"/>
        <property name="contentType" value="application/json"/>
        <property name="content" value="{&quot;message&quot;:&quot;successful authentication&quot;}"/>
        <property name="statusCode" value="200"/>
    </AuthState>
  • To use a FidoUafAuthState AuthState, configure the entry point of the related domain accordingly:

    <Domain name="FIDO_UAF_AUTHENTICATION" default="true"
            reauthInterval="0"
            inactiveInterval="1800">
        <Entry method="authenticate" state="FidoUafAuthState"/>
    </Domain>
  • Restart the nevisAuth instance.
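As an added example (not part of the nevisAuth or nevisFIDO documentation, and not their tooling), a small Python check that parses a nevisAuth configuration fragment and verifies the points listed above: the classPath entry, the mandatory FidoUafAuthState properties, an https server URL, and a domain entry point that reaches a FidoUafAuthState. The XML fragment is constructed from the samples on this page; the <esauth> wrapper element is an assumption used only to give the fragment a single root.

```python
# Added example: lint a nevisAuth configuration fragment for the nevisFIDO AuthState requirements above.
import xml.etree.ElementTree as ET

FIDO_LIB_DIR = "/opt/nevisfidocl/nevisauth/lib"
FIDO_UAF_CLASS = "ch.nevis.auth.fido.uaf.authstate.FidoUafAuthState"
REQUIRED_PROPS = ("fidoUafServerUrl", "fidoUafUsername")

# Constructed from the samples on this page; the <esauth> root element is an assumption.
SAMPLE_CONFIG = """<esauth>
  <AuthEngine name="AuthEngine"
      classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin:/opt/nevisfidocl/nevisauth/lib"/>
  <AuthState name="FidoUafAuthState" class="ch.nevis.auth.fido.uaf.authstate.FidoUafAuthState">
    <ResultCond name="ok" next="AuthDone"/>
    <property name="fidoUafUsername" value="${sess:username}"/>
    <property name="fidoUafServerUrl" value="https://siven.ch:8443/nevisfido"/>
    <property name="httpclient.tls.truststoreRef" value="DefaultKeyStore"/>
  </AuthState>
  <Domain name="FIDO_UAF_AUTHENTICATION" default="true">
    <Entry method="authenticate" state="FidoUafAuthState"/>
  </Domain>
</esauth>"""


def check_config(xml_text: str) -> list[str]:
    # Returns a list of findings; an empty list means every check passed.
    root, findings = ET.fromstring(xml_text), []
    # 1. If classPath is set on the AuthEngine, it must list the nevisFIDO lib directory.
    for engine in root.iter("AuthEngine"):
        class_path = engine.get("classPath")
        if class_path is not None and FIDO_LIB_DIR not in class_path.split(":"):
            findings.append(f"AuthEngine {engine.get('name')}: classPath lacks {FIDO_LIB_DIR}")
    # 2. Every FidoUafAuthState needs both mandatory properties and an https server URL.
    fido_states, all_states = set(), set()
    for state in root.iter("AuthState"):
        all_states.add(state.get("name"))
        if state.get("class") != FIDO_UAF_CLASS:
            continue
        fido_states.add(state.get("name"))
        props = {p.get("name"): p.get("value", "") for p in state.findall("property")}
        for req in REQUIRED_PROPS:
            if not props.get(req):
                findings.append(f"AuthState {state.get('name')}: missing property {req}")
        if props.get("fidoUafServerUrl", "").startswith("http://"):
            findings.append(f"AuthState {state.get('name')}: fidoUafServerUrl is not https")
    # 3. Domain entry points must name a defined state, and one of them must reach a FidoUafAuthState.
    entries = [e for d in root.iter("Domain") for e in d.findall("Entry")]
    findings += [f"Entry {e.get('method')}: unknown state {e.get('state')}"
                 for e in entries if e.get("state") not in all_states]
    if not any(e.get("state") in fido_states for e in entries):
        findings.append("no Domain entry point reaches a FidoUafAuthState")
    return findings
```

Run check_config on your own esauth.xml content after the restart step to catch a missing classPath entry or property before the first authentication attempt fails.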

General Considerations

The FIDO UAF AuthStates have been designed to interact with clients that are capable of handling JSON. They can be configured to take information from HTTP requests that carry a JSON payload; the configuration lets you define the attribute names of the JSON payload (see the details below).

If the AuthStates are configured to take JSON as input, the Content-Type header of the incoming HTTP request must be set to application/json;charset=UTF-8.

The protocol between the HTTP client and nevisAuth is not exactly the same as the one used when interacting directly with nevisFIDO (that protocol is specified in the FIDO UAF HTTP API). For example, when the FIDO UAF AuthStates are used, nevisAuth is the component that generates the GetUAFRequest which triggers the authentication process, and sends it to nevisFIDO. Depending on the use case and on how nevisAuth is configured, the information required to generate this GetUAFRequest (the username and the transactions) may or may not come from the HTTP client.