Security

API authentication

API access requires an authenticated user, except for a few public endpoints. Sign-in can be divided into two parts:

Authentication

Authentication is implemented as a chain of request filters. The filters must always follow the specified behavior:

In fact there is only one authentication servlet filter, AuthenticationFilter. The other filters are Spring beans implementing the IdmAuthenticationFilter interface. The exception is ExtendExpirationFilter, a second servlet filter that handles extending the expiration date of JWT tokens; it also handles exceptions raised in the authentication flow.

Authorization and JWT token

User authorization is checked at the API endpoint layer and enforced by Spring Security. The permissions are part of the IdM JWT:

All IdM JWT tokens are signed with the HMAC256 algorithm. The symmetric key used for signing is a CzechIdM configuration property, stored as "idm.sec.security.jwt.secret.token". The default token expiration time is 10 minutes.

The CzechIdM backend supports immediate detection of changes to a user's authorization. Each modification type is implemented as an application event processor; for further details please check the source code and tests :) The information about the last authority change is kept in the IdmAuthorityChange entity. Types of modifications:
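The following is an added example, not CzechIdM's own code, that shows what the verification side of the scheme described in the two paragraphs above has to do: check the HS256 signature with a constant-time comparison, enforce the 10 minute expiration, read the authorities carried in the token, and reject a token issued before the user's last authority change (the check the IdmAuthorityChange record makes possible). The secret, the claim names (`authorities`, `iat`, `exp`), the `verify_token` / `issue_token` functions and the way the last authority change is passed in are all assumptions made for the example; they are not the property values or class names CzechIdM uses internally.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only. In CzechIdM the HMAC key is read from the
# idm.sec.security.jwt.secret.token property; it must never be committed to source.
SECRET = b"example-secret-do-not-use-in-production"
DEFAULT_EXPIRATION_SECONDS = 10 * 60  # the 10 minute default described above


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(username, authorities, now, secret=SECRET,
                expiration=DEFAULT_EXPIRATION_SECONDS):
    """Build an HS256-signed JWT carrying the user's authorities (assumed claim layout)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "authorities": sorted(authorities),
               "iat": now, "exp": now + expiration}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + _b64url_encode(_sign(signing_input, secret))


def verify_token(token, now, secret=SECRET, last_authority_change=None):
    """Return the payload of a valid token or raise TokenError.

    last_authority_change is the timestamp of the user's most recent authority
    change (the information kept in IdmAuthorityChange); tokens issued before it
    are rejected so that stale permissions cannot be used.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm before trusting anything else in the header.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = _sign(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= payload["exp"]:
        raise TokenError("expired")
    if last_authority_change is not None and payload["iat"] < last_authority_change:
        raise TokenError("authorities changed after token was issued")
    return payload


def has_authority(payload, authority):
    """Endpoint-layer check: is the required permission present in the token?"""
    return authority in payload.get("authorities", [])


if __name__ == "__main__":
    issued_at = 1_700_000_000
    token = issue_token("alice", ["ROLE_USER"], issued_at)
    print(verify_token(token, issued_at + 30)["sub"])
```

The two checks that matter most for an IdM deployment are the pinned `alg` (a verifier that trusts the header's algorithm can be talked into accepting an unsigned token) and the issued-at comparison against the last authority change, which is what turns a recorded authority change into an immediately effective one despite tokens living for ten minutes.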
