
Authentication Mode

Each service has a single variable that sets its authentication mode. When using non-STS modes, services can be set to different modes. When using STS mode for any service, configure STS for all services.

Security Warning

UNSAFE_NONE and UNSAFE_STATIC provide no tenant isolation or audit trails. Do not use in production.

Core

Set the authentication mode with app.auth.mode:

app:
  auth:
    mode: STS # UNSAFE_NONE | UNSAFE_STATIC | STS

Static token

Also set app.auth.staticToken:

app:
  auth:
    mode: UNSAFE_STATIC
    staticToken: "your-token"

STS

Also configure the stsTokenValidation block:

app:
  auth:
    mode: STS
    stsTokenValidation:
      aud: one-core
      iss: "https://your-sts-host"
      jwksUri: "https://your-sts-host/.well-known/jwks.json"
      jwksRefreshAfter: 600
      jwksExpireAfter: 86400
      leeway: 60
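
To make the stsTokenValidation settings concrete, the following Python is an added example (not part of this documentation or of the product's code) of what a validator does with them: it classifies a cached JWKS against jwksRefreshAfter and jwksExpireAfter, selects the signing key by the token's kid, and checks iss, aud, exp and nbf with the configured leeway. The JWKS, claims and timestamps are constructed; fetching jwksUri and verifying the signature with the selected key are assumed to be done by a JWT library and are not shown. WRPR and Bridge apply the same checks with their own aud value.

```python
# stsTokenValidation values from the Core block above (jwksUri omitted: no network access here)
STS_CONFIG = {
    "aud": "one-core",
    "iss": "https://your-sts-host",
    "jwksRefreshAfter": 600,   # seconds after which a background JWKS refresh is due
    "jwksExpireAfter": 86400,  # seconds after which cached keys must not be used any more
    "leeway": 60,              # clock-skew tolerance for exp/nbf checks, in seconds
}

# Constructed JWKS carrying only the fields needed for key selection (key material omitted)
SAMPLE_JWKS = {"keys": [{"kid": "key-2023", "kty": "RSA", "use": "sig", "alg": "RS256"},
                        {"kid": "key-2024", "kty": "RSA", "use": "sig", "alg": "RS256"}]}

def jwks_cache_state(fetched_at, now, cfg=STS_CONFIG):
    """Classify a cached JWKS: 'fresh', 'stale' (usable, refresh due) or 'expired' (refetch first)."""
    age = now - fetched_at
    if age >= cfg["jwksExpireAfter"]:
        return "expired"
    if age >= cfg["jwksRefreshAfter"]:
        return "stale"
    return "fresh"

def select_key(jwks, kid):
    """Return the signing JWK whose kid matches the token header, or None (unknown kid -> reject)."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"), None)

def validate_claims(claims, now, cfg=STS_CONFIG):
    """List rejection reasons for a token's claims (empty = accepted); signature assumed verified."""
    problems = []
    if claims.get("iss") != cfg["iss"]:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if cfg["aud"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    leeway = cfg["leeway"]
    if "exp" not in claims:
        problems.append("exp missing")
    elif now > claims["exp"] + leeway:
        problems.append("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        problems.append("token not yet valid")
    return problems

if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time" so the run is reproducible
    good = {"iss": STS_CONFIG["iss"], "aud": ["one-core"], "exp": now + 300, "nbf": now + 30}
    print(validate_claims(good, now))        # [] (nbf 30 s ahead is inside the 60 s leeway)
    print(jwks_cache_state(now - 700, now))  # stale
```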

WRPR and Bridge

WRPR and Bridge have identical configuration. Each service has two concerns: how it accepts incoming requests, and how it communicates with Core.

Inbound authentication

Set the authentication mode with auth.mode:

auth:
  mode: STS # UNSAFE_NONE | UNSAFE_STATIC | STS

Static token

Also set auth.staticToken:

auth:
  mode: UNSAFE_STATIC
  staticToken: "your-token"

STS

Also configure the stsTokenValidation block:

auth:
  mode: STS
  stsTokenValidation:
    aud: one-wallet-relying-party-registry
    iss: "https://your-sts-host"
    ttlJwks: 600
    jwksUri: "https://your-sts-host/.well-known/jwks.json"

Outbound to Core

Set core.api.authentication to match Core's authentication mode:

core:
  api:
    authentication: STS # UNSAFE_NONE | UNSAFE_STATIC | STS

If Core is using a static token, also provide that token:

core:
  api:
    authentication: UNSAFE_STATIC
    staticToken: "your-token"

BFF

BFF always accepts inbound requests authenticated with an IAM token; this is not configurable. Configure how BFF communicates with each downstream service to match that service's authentication mode:

core:
  api:
    authentication: STS # UNSAFE_NONE | UNSAFE_STATIC | STS

bridge:
  api:
    authentication: STS # UNSAFE_NONE | UNSAFE_STATIC | STS

wrpr:
  api:
    authentication: STS # UNSAFE_NONE | UNSAFE_STATIC | STS

If any downstream service is using a static token, also provide that service's token (shown here for Core; the same staticToken key applies under bridge.api and wrpr.api):

core:
  api:
    authentication: UNSAFE_STATIC
    staticToken: "your-token"