Authentication setup Facebook, Google, ID card, Mobiil ID, Smart ID
tiblu edited this page Aug 30, 2018
- Go to https://developers.facebook.com/
- Log in with your Facebook account
- Choose "My Apps -> Add New App"
- Fill the form and click "Create App ID"
- Pass the "not a robot test"
- From the left side menu select "Settings" (https://developers.facebook.com/apps//settings/basic/) and fill in everything that is required in the form. Special notes:
- "App ID" & "App Secret" - NOTE THOSE DOWN, they are needed later in the CitizenOS configuration
- "Display name" - make sure it's meaningful. User sees it as "Would you like to share your data with
- "App domains" - your domain name without protocol, i.e. "citizenos.myorganization.com"
- "App icon" - users will see this app icon, it's highly recommended that you have a good one that actually reflects your app. Do not leave it empty.
- Click on the "Products" (+) icon in the left side menu.
- In the "Add a Product" section choose "Facebook Login" by clicking "Set-up" button
- Select "Web" to start the setup; only the first step needs filling in:
- "Site URL" - your website URL that uses the login, i.e. "citizenos.myorganization.com". NOTE: Don't forget to click "Save"
- Go straight to "Products -> Facebook Login -> Settings" in the left tree (https://developers.facebook.com/apps//fb-login/settings/)
- Fill in the "Valid OAuth Redirect URIs" - this needs to point to the public URL of the CitizenOS API WITH the `/api/auth/facebook/callback` suffix. For example: https://api.citizenos.myorganization.com/api/auth/facebook/callback
- Click "Save changes"
- From the top-right of the screen click the gray "OFF" toggle to "ON", the "Status" should say "Live".
- NOTE: If it does not light up green, it will probably let you know what parts of the configuration are missing.
- Find your Facebook "App ID" and "App Secret" that you noted down earlier (https://developers.facebook.com/apps//settings/basic/)
- Update API configuration (local.json):

```json
"passport": {
    "facebook": {
        "clientId": "YOUR_FACEBOOK_APP_ID",
        "clientSecret": "YOUR_FACEBOOK_APP_SECRET"
    }
}
```
- Restart the server
- Test it out
Requirements:
- Contract with SK for DigiDocService - https://www.sk.ee/en/services/validity-confirmation-services/?service/validity_confirmation
- STATIC IP
You need:
- Contract with SK for DigiDocService - https://www.sk.ee/en/services/validity-confirmation-services/?service/validity_confirmation because the CitizenOS API will request certificate information from DDS.
There are 2 different setups depending on whether:
- You have a static public IP
- You have a dynamic public IP (you're in the cloud or something)
You need:
- Proxy to request the client certificate for `POST /api/auth/id`, which means you have to configure the SK root certificate bundle.
- Proxy to write the certificate to the `X-SSL-Client-Cert` request header
- Proxy to pass the request downstream
- Create the SK ESTEID certificate bundle

```shell
wget https://sk.ee/upload/files/EE_Certification_Centre_Root_CA.pem.crt
wget https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
wget https://sk.ee/upload/files/ESTEID-SK_2015.pem.crt
cat EE_Certification_Centre_Root_CA.pem.crt ESTEID-SK_2011.pem.crt ESTEID-SK_2015.pem.crt > esteid_bundle.crt
```
- Nginx configuration for client certificate authentication

```nginx
server {
    listen 443;
    server_name id.yourdomain.com;
    ssl on;
    ssl_certificate /your/secure/location/id.yourdomain.com.bundle.crt;
    ssl_certificate_key /your/secure/location/id.yourdomain.com.key;
    ssl_client_certificate /your/secure/location/esteid_bundle.crt; # generated esteid bundle
    ssl_verify_client on;  # connections without a client certificate are rejected in the handshake
    ssl_session_cache off;
    ssl_verify_depth 2;    # leaf -> ESTEID-SK intermediate -> EE Certification Centre root
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    location /api/auth/id {
        expires -1;
        proxy_pass http://api.yourdomain.com:3000; # CitizenOS API host and port
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-SSL-CLIENT-VERIFY $ssl_client_verify; # SUCCESS, NONE or FAILED:<reason>
        proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;     # client certificate in PEM form
    }

    # Anything else on this vhost is dropped without a response
    location / {
        return 444;
    }
}
```
NOTE: To my knowledge Nginx does not support client certificate authentication configuration for a single location, thus you need to have a separate server configuration.
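The Nginx block above only forwards `$ssl_client_verify` and `$ssl_client_cert`; the service behind it still has to refuse anything not marked `SUCCESS`, and it must ignore those headers when the request did not come from the proxy, since the API port itself may be reachable directly. Below is an added example of that check in Node.js (not the CitizenOS API's own code); the `req` shape, the function names and the sample certificate body are assumptions:

```javascript
// Added example, not code from the CitizenOS API: what the service behind the
// proxy should do with the X-SSL-CLIENT-VERIFY and X-SSL-CLIENT-CERT headers.
// Function names, the `req` shape and the sample values are assumptions.
const PEM_BEGIN = '-----BEGIN CERTIFICATE-----';
const PEM_END = '-----END CERTIFICATE-----';

// Rebuild a clean PEM from the header value. Nginx's $ssl_client_cert prefixes
// every line after the first with a tab, and $ssl_client_escaped_cert
// URL-encodes the whole value, so accept both foldings.
function pemFromHeader(value) {
  if (typeof value !== 'string') return null;
  let raw = value;
  if (raw.includes('%')) { try { raw = decodeURIComponent(raw); } catch (e) { return null; } }
  const start = raw.indexOf(PEM_BEGIN);
  const end = raw.indexOf(PEM_END);
  if (start === -1 || end === -1 || end < start) return null;
  const body = raw.slice(start + PEM_BEGIN.length, end).replace(/\s+/g, '');
  // Only base64 may remain; anything else is a mangled or hand-crafted value.
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) return null;
  return [PEM_BEGIN, ...body.match(/.{1,64}/g), PEM_END].join('\n') + '\n';
}

// Decide whether a request carries a proxy-verified client certificate.
// `req` mirrors the parts of Node's http.IncomingMessage that matter: header
// names are lower-cased and remoteAddress is the TCP peer.
function clientCertFromProxy(req, trustedProxies) {
  // The headers are only meaningful when the proxy set them: anyone who can
  // reach port 3000 directly could send their own X-SSL-CLIENT-* headers.
  if (!trustedProxies.includes(req.remoteAddress)) {
    return { ok: false, reason: 'request did not come from the TLS-terminating proxy' };
  }
  // Nginx sets NONE when no certificate was presented and FAILED:<why> when it
  // did not chain to the ESTEID bundle; only SUCCESS means verification passed.
  const verify = req.headers['x-ssl-client-verify'];
  if (verify !== 'SUCCESS') {
    return { ok: false, reason: 'client certificate not verified: ' + (verify || 'header missing') };
  }
  const pem = pemFromHeader(req.headers['x-ssl-client-cert']);
  if (!pem) return { ok: false, reason: 'client certificate header missing or malformed' };
  return { ok: true, pem };
}

// Constructed sample in nginx's tab-folded form; the base64 body is a
// placeholder, not a real certificate.
const SAMPLE_BODY = 'MIIBsampleBODYnotArealCert0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJ==';
const SAMPLE_HEADER = [PEM_BEGIN, SAMPLE_BODY.slice(0, 64), SAMPLE_BODY.slice(64), PEM_END].join('\n\t');
const sampleReq = { remoteAddress: '127.0.0.1',
  headers: { 'x-ssl-client-verify': 'SUCCESS', 'x-ssl-client-cert': SAMPLE_HEADER } };
console.log(clientCertFromProxy(sampleReq, ['127.0.0.1']));
```

The returned `pem` is what you would hand to an X.509 parser to read the ESTEID subject fields; the decision to trust it is made before any parsing happens.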
More reading:
- Server configuration manual from SK - https://www.id.ee/index.php?id=35753
- Server configuration manual for Apache (EST) - https://wiki.itcollege.ee/index.php/ID_kaardiga_autentimine_Apache2_veebiserveriga
You need:
- A server that has a static IP. The SK contract requires it in order to use their DigiDocService; there is no way around it.
- You can either deploy the whole app there OR just a microservice that does the client certificate authentication for you - https://github.com/citizenos/id-auth
- Proxy setup same as above - https://github.com/citizenos/citizenos-api/wiki/Mobiil-ID,-Smart-ID-and-ID-card-setup#example-for-on-nginx-configuration
- Configure `citizenos-api` to use that service:

```json
"services": {
    "idCard": {
        "serviceUrl": "https://dev.id.citizenos.com:3002/info",
        "apiKey": "APIKEYFORMASSES"
    }
}
```