Authentication setup Facebook, Google, ID card, Mobiil ID, Smart ID

WORK IN PROGRESS!

Facebook

Facebook App configuration

• Log in to https://developers.facebook.com/
• Choose "My Apps -> Add New App"
• Fill the form and click "Create App ID"
• Pass the "not a robot test"
• From left side menu select "Settings" (https://developers.facebook.com/apps/YOUR_FACEBOOK_APP_ID/settings/basic/) and fill all thats required in the form. BUT, special notes:
  • "App ID" & "App Secret" - NOTE THOSE DOWN, needed later in CitizenOS configuration
  • "Display name" - make sure it's meaningful. User sees it as "Would you like to share your data with DISPLAY_NAME?"
  • "App domains" - your domain name without protocol ie "citizenos.myorganization.com"
  • "App icon" - users will see this app icon, it's highly recommended that you have a good one that actually reflects your app. Do not leave it empty.
• Click on the "Products" (+) icon in the left side menu.
• In the "Add a Product" section choose "Facebook Login" by clicking "Set-up" button
• Select "Web" to start the setup, of which you just fill the first step:
  • "Site URL" - Your website url which uses the login ie "citizenos.myorganization.com". NOTE: Don't forget to click "Save"
• Go straight to "Products -> Facebook Login -> Settings" in the left tree (https://developers.facebook.com/apps/YOUR_FACEBOOK_APP_ID/fb-login/settings/)
• Fill in the "Valid OAuth Redirect URIs" - this needs to point to your instance of CitizenOS API WITH the /api/auth/facebook/callback suffix. For example: https://api.citizenos.myorganization.com/api/auth/facebook/callback.
• Click "Save changes"
• From the top-right of the screen click the gray "OFF" toggle to "ON", the "Status" should say "Live".
  • NOTE: If it does not light up green, it will probably let you know what parts of the configuration are missing.

CitizenOS API configuration

• Find your Facebook "App ID" and "App Secret" that you noted down earlier (https://developers.facebook.com/apps/YOUR_FACEBOOK_APP_ID/settings/basic/)
• Update API configuration (local.json):

  "passport": {
    "facebook": {
      "clientId": "YOUR_FACEBOOK_APP_ID",
      "clientSecret": "YOUR_FACEBOOK_APP_SECRET"
    }
  }

• Restart the server
• Test it out

Google

Google OAuth 2.0 credentials setup

• Log in to https://console.developers.google.com/projectcreate
• Fill the "Project name" and save.
• Select your project from the "Select a project" dropdown
• Click the "-> Go to APIs overview" from the "APIs" section.
• Click "Credentials" from the left side menu.
• Click "OAuth consent screen" tab from the right and fill the form.
• Go to "Credentials" and choose "Create credentials -> OAuth client ID"
• Choose "Web application" as application type and fill the form:
  • "Name" - name that describes it well. For example "CitizenOS Google Auth PRODUCTION"
  • "Authorized JavaScript origins" - NOT NEEDED, there are no browser requests directly to Google domain, all requests are from CitizenOS API
  • "Authorized redirect URIs" - this needs to point to your instance of CitizenOS API WITH the /api/auth/google/callback suffix. For example: https://api.citizenos.myorganization.com/api/auth/google/callback.
• Click "Create" and in a popup you should see "Here is your client ID" (ie LOTSOFCHARS.apps.googleusercontent.com) and "Here is your client secret" (ie LOTSOFCHARS). Note those down to add them to CitizenOS API configuration.

CitizenOS API configuration

Mobiil-ID

Production

Requirements:

• Contract with SK to DigiDocService - https://www.sk.ee/en/services/validity-confirmation-services/?service/validity_confirmation
• STATIC IP

Testing / Development

Smart-ID

ID-card

You need:

• Contract with SK to DigiDocService - https://www.sk.ee/en/services/validity-confirmation-services/?service/validity_confirmation cause CitizenOS API will reques certificate information from DDS.

2 different setups depending if:

• You have static public IP
• You have dynamic public IP (you're in the cloud or something)

You have static public IP

You need:

• Proxy to request client certificate for POST /api/auth/id, which means you have to configure the SK root certificate bundle.
• Proxy to write the certificate to X-SSL-Client-Cert request header
• Proxy to pass the request downstream

Example for on Nginx configuration

• Create the SK ESTEID certificate bundle

wget https://sk.ee/upload/files/EE_Certification_Centre_Root_CA.pem.crt                                      
wget https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
wget https://sk.ee/upload/files/ESTEID-SK_2015.pem.crt
cat EE_Certification_Centre_Root_CA.pem.crt ESTEID-SK_2011.pem.crt ESTEID-SK_2015.pem.crt > esteid_bundle.crt

• Nginx configuration to for client certificate

server {
    listen 443;
    server_name id.yourdomain.com;

    ssl on;
    ssl_certificate /your/secure/location/id.yourdomain.com.bundle.crt;
    ssl_certificate_key /your/secure/location/d.yourdomain.com.key;
    ssl_client_certificate /your/secure/location/esteid_bundle.crt; # generated esteid bundle
    ssl_verify_client on;
    ssl_session_cache off;
    ssl_verify_depth 2;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    location /api/auth/id {
            expires -1;
            proxy_pass http://api.yourdomain.com:3000; # CitizenOS API host and port
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-SSL-CLIENT-VERIFY $ssl_client_verify;
            proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;
    }

    location / {
        return 444;
    }
}

NOTE: To my knowledge Nginx does not support client certificate authentication configuration for single location, thus you need to have different server configuration.

More reading:

• Server configuration manual from SK - https://www.id.ee/index.php?id=35753
• Server configuration manual for Apache (EST) - https://wiki.itcollege.ee/index.php/ID_kaardiga_autentimine_Apache2_veebiserveriga

You have dynamic public IP (you're in the cloud or something)

You need:

• A server, that has static IP. SK contract requires it to use their DigiDocService, there is no way out of it.
• You can either deploy whole app there OR just a micro service that does the client certificate authentication for you - https://github.com/citizenos/id-auth
• Proxy setup same as above - https://github.com/citizenos/citizenos-api/wiki/Mobiil-ID,-Smart-ID-and-ID-card-setup#example-for-on-nginx-configuration
• Configure citizenos-api to use that service:

  "services": {
    "idCard": {
      "serviceUrl": "https://dev.id.citizenos.com:3002/info",
      "apiKey": "APIKEYFORMASSES"
    }
  }