Table of Contents


Dictionary terms

API authentication

API access requires the user to be authenticated, excluding a few public endpoints. We can divide the sign in into two parts:


Authentication is implemented through a request filterchain. The filters must always follow specified behavior:

In reality there is only one authentication servlet filter - AuthenticationFilter. Others filters are Spring beans implementing IdmAuthenticationFilter interface. An exception in filters is the ExtendExpirationFilter, which is another servlet filter handling the extension of expiration date of JWT tokens. This filter also controls possible exceptions in authentication flow.

API endpoints

There are 2 endpoints for successful user login:

And one endpoint for user logout:

Implemented authentication filters

Filter do not check authorization or user's permissions, just validate the request data, transform these and pass them to Authentication Managers. There are following filters in IdM core (the core module):

Authorization and JWT token

User authorization is checked on the API endpoint layer and enforced by Spring Security. The content of IdM JWT:

All IdM JWT tokens are signed using HMAC256 algorithm. The symmetric encryption key is configuration property of CzechIdM, stored as "". Default token expiration time is 10 hours ( JWT tokens are persisted in database (IdmToken entity) with assigned authorities. When identity is logged out, token is disabled. Disabled and expired tokens are purged periodically by internal scheduled task.

Backend of CzechIdM supports immediate detection of user's authorization change. Each modification type is implemented as application event processor, for further details please check the source code and tests :) When user's authorization changes, then persisted tokens, which user owns, are disabled ⇒ user is logged out. Types of modifications:


TokenManager is used for creating IdM tokens. Token can be created for different purpose (token type). When token is used, can be disabled (e.g. logout, one time usage).

Token expiration extension

By default both frontend (FE) and backend (BE) automatically extend the expiration of IdM JWT. In case of successful GET request on API, the token expiration is extended on BE and passed in HTTP response (watch out for CORS, has to be explicitly allowed, since the HTTP header is called "CIDMST"). FE (RestApiService.js) automatically disassembles the response looking for auth. token. If token is present, it is set as new token which shall be used for new API requests (done in App.js). Expiration is extended in one minute window - when token has expiration at least one minute older than new one (prevent to persist token every api call).

Developer tip: do not trust the console, especially while working with promises:

static printHeadersOK(response) {
  console.log(response.headers.get('CIDMST')); prints header value

static printHeadersWRONG(response) {
  console.log(response.headers); // prints '{}', object looks empty

Switch user - login as other user

@since 10.5.0

User with authority IDENTITY_SWITCHUSER can login as different user. Feature is usable for checking application behavior under selected user (e.g. helpdesk). Logged user needs to have permission SWITCHUSER to select target user. Feature is available from user main menu in application - any other active user can be selected and currently logged user will be logged as selected used.

Currently logged user token (see above) is filled with selected user authorities - original user is preserved as token owner. Return back (logout) to originally logged user is available from user main menu too.

Enforce password change

@since 10.5.0

When password is reseted (or generated), then password change can be enforced, after the first password usage (after the first user login). User is redirected to password change form and password has to be changed before user can continue to work with application.

Flag for enforce password change can be filled by project processors (see password change, reset and generate events) or by GUI (flag added to password detail).


SSO support on FE is implemented by issuing the internal IdM JWT without the need to type in user's credentials. This is done by sending a "prerequest" onto secured /authentication/remote-auth endpoint, accessible only to authenticated users. The authentication itself must be done in one of auth filters.

We expect either HTTP header or Cookie to be the bearer of the remote authentication data. When the user accesses IdM, FE first tries to sign him in using the remote-auth. The remote-auth attempt is done only on first access to CzechIdM, token expiration, authority change or user login.

SSO authentication to AD domain can be configured with the help of SsoIdmAuthenticationFilter and Apache web server, which is installed in front of IdM. For more details about SSO configuration see SSO install guide.

Two-factor authentication

@since 10.7.0

Feature is available from user profile (user main menu) in application. Two-factor authentication is optional and can be enabled from user profile:

After user sign in to CzechIdM using username and password, user will be prompted to provide an authentication code from a text message (notification) or from TOTP application. CzechIdM will only ask to provide two-factor authentication code again if user have logged out, is using a new device, or user session expires.

Supported methods to get authentication code:

The first authentication code obtained by selected method is needed to enable using two-factor authentication:

HTTP Basic authentication cannot be used with two-factor authentication enabled.
SSO (e.g. remote user) can be used with two-factor authentication enabled. After user is logged in by sso, user will be prompted to provide an authentication code from a text message (notification) or from TOTP application.
Password change is enforced after two-factor authentication code is entered. After password is changed, then user will be prompted to provide an authentication code again to sign in.
Recovery codes are not provided. E.g. when user lost his device with configured TOTP aplication, then helpdesk user can help him to reset his authentication method with switch user feature usage.


Basic configuration is available by application properties.

Advanced: Is possible to change default SHA1 hashing algoritm (~provide different hashing algorithm as spring bean) and default 6-digit verification code length (~change frontend localization) programatically.