1 of 50

Naviga ID

Introduction

Naviga ID (formerly IMID) is Naviga's SSO (Single Sign-on) authentication and authorization service for all content creation tools. Built on the industry standard of JSON Web Token, Naviga ID integrates with organization's existing identity provider using OpenID Connect. OpenID Connect ensures compatibility with all major identity providers such as Google, Facebook, Azure AD and many more.

Naviga ID also supports the OAuth2 standard Client Credentials which is used to obtain access tokens for machine-to-machine communication scenarios, such as import and export of material to and from Naviga's content services.

Architecture

Authorization schema

Introduction

Naviga ID has a role based authorization schema. Each role in Naviga ID corresponds to one or more permissions. Roles are set up by Naviga.

When a user logs into Naviga ID, the groups a user belongs to in the organization's identity provider are imported into Naviga ID.

Via Naviga ID's Admin service, organization administrators can configure the mappings between org groups and one or more service roles. Mappings can also include a unit, and will in that case limit the resolved permissions to only be applied to that unit. A unit can be viewed as a sub-organization within an organization. A mapping can also be created without including a unit, in that case the resulting permissions will be global for the organization, meaning they are valid in all units.

Organization

Every user belongs to an organization, for example "the media group".

The name of the organization is also part of your Dashboard domain name (for example https://mediagroup.dashboard.infomaker.io)‌

Use case Content Creation: Content access can be based, depending on your needs, to have everything open to the entire organization or be based on unites (see below). Some rights are also role based, such as publish flow possibilities (from Writer 6.0).

In some Dashboard applications, it is also possible to share specified content with the entire organization. This way it is possible to make concepts available to everyone, or only specific units. As a user creates or modifies content, that content is automatically labelled with the user organization.

Unit

A unit is defined by the publication that the user is part of, for example "South News" or "North News" within the organization.

‌‌Use case Content Creation: Content access is based on all the user units. For example in an application such as Dashboard Article Search, a user that belongs to two units will see articles from both these units (filtering using suggest search on channels or units possible with configuration).

Access control is unit wide which means that everyone within a unit can see the same content, and everyone with the right to edit content can edit all content within a unit.

A user can belong to one or many units, but only one unit can be "active" at the time. As a user creates content, that content is automatically "labelled" with the active unit. In our recommended setup, this will also make the content access right set to that unit. If a user modifies content, the object will contain this information but the access right will not be modified.

With some Dashboard applications it is also possible to share content with all or any of the units the user belongs to.

It is also good to know that all Dashboard configurations are made per unit (installed and available apps, specific app configuration, workspaces etc).

Group

A group is defined by the working task that people are working with in the organization, for example reporters, editors etc. Groups are configured in the organization's identity provider.

Service Roles

Service Roles define the privileges for a specified service, for example what a Dashboard user can do. It could be power user, admin or read-only mode etc. Service Roles are global roles and defined by Naviga.

How roles are used is configured by your administrator: who can create, edit and delete concepts, who can create and edit lists, who can plan articles within the Publication Planner.

Use case Content Creation: In addition to defining privileges to specific functions, roles can also be used for setting workflow statuses (from Writer 6.0). This means that it is possible to allow internal journalists to publish without prior approval but contributors cannot publish directly for example. These workflow steps are fully customizable.

Service roles are not used for content access control.

Below is a schematic sketch of the difference between groups and service roles.

Integrations

Customer Integration

Integration of an Identity Provider in Naviga ID using OpenID Connect requires some setup in the Identity Provider. Here you can find instructions for the most common providers and how to configure them to support Naviga ID.

Microsoft Azure

This document describes how to integrate Microsoft Azure using OpenID Connect with Naviga ID.

Prerequisites

The following steps in this document requires that you have a working Active Directory within Microsoft Azure. It can be a federation with a local Active Directory or your main Active Directory. Read more about how to Deploying Active Directory Federation Services in Azure

Google G Suite

This document describes how to integrate Google G Suite using OpenID Connect with Naviga ID.

Prerequisites

The following steps in this document requires that you have a working G Suite directory .

Custom Identity Provider

This document describes how to integrate a custom Identity Provider using OpenID Connect with Naviga ID.

Prerequisites

The party that wished to integrate with Naviga Login must have an identity provider compatible with the OpenID Connect 1.0 Core specification.

Specifically, the identity provider must support the OpenID Connect Authorization Code Flow.

Information for Infomaker

Information we need to integrate your OIDC application:

URL to your (.well-known/openid-configuration)
Client ID
Client secret

Information for the integrating party

Allowed callback URLs

The following URLs must be added to the integrating party’s Whitelisted Callback URLs or equivalent:

Allowed web origins

The following URLs must be added to the integrating party’s Allowed Web Origins or equivalent:

Moving to a New Identity Provider

Retaining subject IDs in Naviga ID

Moving to a new identity provider will, most of the time, involve a new subject ID for the user, resulting in a new subject ID in Naviga ID as well. To retain the users Naviga ID subject ID, the http://infomaker.io/originalSubject claim can be added to the organization token. This claim should consist of the subject ID the user had in the previous identity provider.

When encountering the http://infomaker.io/originalSubject claim, Naviga ID will replace the previous subject ID stored internally with the subject ID found in the sub

Service Integration

IMSG and headers

Headers added by IMSG

Header

Description

Removed by SAL

authorization

Contains the service token.

Yes

Any headers not in the list will be forwarded to the service unmodified.

Services

Admin API

Routes

Health

/health

GET https://admin-api.imid.infomaker.io/v1/health

Health

Path Parameters

Name

Type

Description

IMSG

Routes

Imsg-service

/imsg-service/v1/callback

GET https://[SERVICE URL].com/imsg-service/v1/callback

Callback from IMAS login

Shared modules

Http Test Server

HttpTestServer

HttpTestServer{#HttpTestServer}

Http server to help the systemtest visualize http calls.

new HttpTestServer(params)

Param

Type

Description

start()

Start the http server.

Listening on specified port.

stop()

Stop the Http server.

Checks if there are any http calls left to respond to or endpoints waiting for calls, responds to these endpoints and then stops the server.

Throws errror if there are leftover calls not handled before shutdown.

getServerHost() {#getServerHost}⇒ `string`

Gets the server host.

Returns: string - networkInterfaceAddress - A string with the address for the eth0 network

waitForCall(endpoint, [params]) {#waitForCall}⇒ `Promise.<Object>`

Gets an endpoint to handle. Checks if an endpoint is waiting for an answer and resolves an answer to it.

Or puts the endpoint on a queue to be handled when a request for that endpoints comes in.

Returns: Promise.<Object> - Promise object represents the object with resolve, reject and params to resolve the incoming http call

Param

Type

Default

Description

onHttpCall(request, response) {#onHttpCall}⇒ `Promise.<Object>` | `void`

Handles all incoming Http calls

Either puts the request on queue to be handled or responds with data.

Returns: Promise.<Object> | void - Promise object represents an object with the data from the request or, returns void and puts the request in queue.

Param

Type

Description

Service Authorization Lib

ExpressMiddleware

ExpressMiddleware{#ExpressMiddleware}

ServiceAuthorizationMiddleware{#ServiceAuthorizationMiddleware}

ServiceAuthorizationMiddleware

Hapi plugin

ServiceAuthorizationError

new ServiceAuthorizationError(args)

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

Reply function to respond with the error

Returns: Object - Response - Response object

AccessDenied

AccessDenied⇐ `ServiceAuthorizationError`

AccessDenied Error - extending the ServiceAuthorizationError error class

PublicMessage is set to 'Access denied' and the HttpCode is set to '403'.

Thrown when a users credentials does not match the requested endpoints credentials.

Extends: ServiceAuthorizationError

new AccessDenied(publicData, internalData)

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

Reply function to respond with the error

Overrides: ServiceAuthorizationError#hapiReply Returns: Object - Response - Response object

Unauthorized

Unauthorized⇐ `ServiceAuthorizationError`

Unauthorized - extending the ServiceAuthorizationError error class

PublicMessage is set to 'Unauthorized' and the HttpCode is set to '401'.

Thrown when a user tries to request an endpoint with no access to it.

Extends: ServiceAuthorizationError

ConfigError

ConfigError⇐ `ServiceAuthorizationError`

ConfigError - extending the ServiceAuthorizationError error class

PublicMessage is set to 'Internal Server Error' and the HttpCode is set to '500'.

Thrown when building config variables while authorize.

Extends: ServiceAuthorizationError

new ConfigError(publicData, internalData)

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

Reply function to respond with the error

Overrides: ServiceAuthorizationError#hapiReply Returns: Object - Response - Response object

Client Credentials

Access Token

Validate Access Tokens

When using IMSG

For services hosted behind an IMSG, nothing needs to be done. The IMSG does already support access tokens. The IMSG will take care of validating the access token and create a service token, just as if the API was accessed with an ID token.

Validate without IMSG

Authentication

Authentication means being sure of who the caller is

The steps required to ensure an access token is valid are the following:

Ensure ntt (Naviga Token Type) claim in the access token payload equals access_token
Read the kid (key id) from the access token header.
Fetch the corresponding public key from for stage env or for production env.

It's important that server clock is synchronized, if not, the application might accept tokens that have expired.

The keys published on /jwkscan, and should, be cached for up to 10 min in the application.

Note, a token with a kid that does not exist in a cached /jwks might still be a valid token. It might be that a new key has been published but not yet fetched by the application. For that reason, the application should re-fetch the /jwks (once) if an unknown kid appears.

Similarly, a key might be revoked at any time, so never cache /jwks for more than 10min. If /jwks is cached for a longer period of time, tokens with invalidated kid/signature can appear to be valid when they are not.

Authorization

Authorization means knowing what actions the caller is allowed to do

Permissions are included as described by the payload below. Permission strings are on the format service_name:permission_name. Permissions in the permissions.org array should are valid in all units while permissions in permissions.units[unit_name] array is only valid in that specific unit.

More information about Naviga ID's permission model can be found on the page.

The Access Token payload is as follows:

Local development

Post Mortem

Broken backwards compatibility in access token service for client credentials, 20th Dec 2021

All timestamps are in UTC

Summary

When a new release of the Naviga ID access token service was deployed to production on Dec 20th, it broke backwards compatibility for the scope parameter in the fetch token endpoint when using client credentials. Previously the scope parameter had been ignored, but in the new version it was not. This caused clients that set the scope parameter to anything other than an empty string to fail to fetch tokens.

Release notes

Access Token: 2.5.0

2022-09-09

Add scopes to filter access token permissions
- permission-filter-include-org
- permission-filter-include-unit:{unitName}

See for details.

IMSG: 17.8.3

2022-09-09

Upgrade internal dependencies

IMSG: 17.8.2

2022-06-28

Upgrade internal dependencies

Access Token: 2.4.2

2022-06-28

Upgrade internal dependencies

IMSG: 17.8.1

2022-06-22

Upgrade internal dependencies

Access Token: 2.4.1

2022-06-22

Upgrade internal dependencies

Access Token: 2.4.0

2022-06-16

Wildcard unit scope puts permissions into units if not allowed in org

Consider the following permissions:

Before this update, requesting a token with scope permission:*:writer:access would result in an error since writer:access is not present in the org permissions.

Now, requesting the same scope will result in the following permissions:

Access Token: 2.3.0

2022-04-28

Cache private keys to avoid exceeding SSM limit

IMSG: 17.8.0

2022-03-28

Default to less strict validation of cookie payload

Hapi, the web server framework used by IMSG, defaults to a strict validation of cookies according to rfc6265 (). This includes not allowing raw JSON as the cookie value. With this change, a less strict validation of cookies will be the default behaviour.

This will solve issues caused by other services setting cookies on or that do not adhere to rfc6265. The less strict validation is the default behaviour of most other servers as well as all major browsers.

Environment variable changes

This can be overridden by setting env variable STRICT_COOKIE_MODE to true.

IMSG: 17.7.1

2022-03-28

Internal maintenance

IMSG: 17.7.0

2022-03-28

For access tokens, use the permissions claim in the token instead of resolving permissions based on groups

There are two different kind of tokens in Naviga ID that can be used to access services behind an IMSG reverse proxy.

When you log in to CCT in the browser, an ID token (sometimes called session token) is stored as a cookie in your browser. This token does not hold any permissions. Instead, the groups that you belong to are stored in the token. When you access a CCT service, the IMSG will translate the groups into permissions (based on the current latest organization configuration). The permissions are then forwarded to the service.

The second type of token is access tokens. Access-tokens are fetched from the access token service using either an ID-token or client credentials. When an access token is created, it is populated with the resolved permissions from the start. Hence there’s no need for IMSG to try to resolve them again.

Up until this release, IMSG ignored any permission claim the access tokens and only used the list of groups to resolve the permissions. With this change in place, IMSG will always use the permissions claim in access tokens and forward those permissions to the service.

IMSG: 17.6.1

2021-05-07

Internal maintenance release. No changes to service.

IMSG: 17.6.0

2021-05-07

Upgrade of Node from 10 to 14.
Upgrade of dependencies

Access Token: 1.4.0

2021-03-01

Access tokens obtained through client credentials are now counted as internal access in the billing API

IMSG: 17.5.1

2021-02-04

Bugfix: validate IMSG service callback against correct cookie domain when using full URL in service callback

IMSG: 17.5.0

2021-01-29

Support for allowing any headers during CORS requests

IMSG can now allow any headers in CORS requests. Enabling this feature reflect the value of access-control-request-headers into the response access-control-allow-headers. Use with care.

Environment variable changes

CORS_ALLOW_ANY_HEADERS has been added. Set to true to enable.

IMSG: 17.4.0

2021-01-20

Support for multiple domains

IMSG can now serve and set cookies on multiple domains. To enable multiple domains, set the IMID_COOKIE_DOMAINS environment variable to the domains you want to access IMSG on.

ex. IMID_COOKIE_DOMAINS="infomaker.io, navigacloud.com"

Environment variable changes

IMID_COOKIE_DOMAIN has changed name to IMID_COOKIE_DOMAINS and changed type from sting to CSV. The legacy name will continue to be supported.

IMSG: 17.3.0

2020-12-17

Legacy mode feature flag for units

IMSG now supports a legacy mode where only units with explicit permission mappings are included in the service token. This is required for the current version of the unit-selector (in writer and dashboard) to function properly. To enable legacy mode, set the "short-and-to-the-point" env variable LEGACY_MODE_ONLY_INCLUDE_UNITS_WITH_EXPLICITLY_MAPPED_PERMISSIONS_IN_SERVICE_TOKEN to true.

Security fix

The redirect option in the /callback endpoint now only accepts full URLs if the URL is hosted under the cookie domain env variable ( or )

Preparations for improved refresh flow

IMSG now supports the rta (refresh token after) claim which soon will be included in all ID-tokens (browser cookie tokens). The rta claim is the future way to centrally control when refresh is to be performed. Refresh backoff support. In certain situations when an IMSG is unable to refresh a token after rta has passed, or if IMAS responds with a 429 status code during refresh, IMSG will backoff and not try to refresh the token for a given time period. The other parts of the new refresh flow is implemented in IMAS and will be deployed starting January 2021. The changes will be rolled out in three steps, as described below.

The ID-token's exp (expiry) claim will be increased to several days (from today's 1h). This means that as long as the user is logged in to Naviga ID, they will continue to be so even if their organization's IdProvider goes down. This would for example have minimized the impact of Google's outage the other day quite a bit.
Refresh of ID-tokens will be limited to once per token. This is the current expected behavior, so there won't be any impacts for users in all normal scenarios. However, in the event that an ID-token is stolen from a user, we can identify that if more than one refresh is triggered. In the initial roll out, the only action taken is to log and alarm. When we are confident we have no false-positives, we'll deploy step 3.
If a token is used for refresh more than once, we will invalidate all issued tokens for that user. This will lead to both the legitimate user and the intruder to be logged out from Naviga ID. The legitimate user will be able log in again while the intruder no longer has access.

Access Token: 1.3.0

2020-12-15

Internal access tokens now have an ntt claim of internal_access_token

Access Token: 1.2.0

2020-10-12

Cache client credentials

Admin App: 1.2.0

2020-10-12

Make deploy environment configurable via environment variable

IMSG: 17.2.0

2020-09-11

Pre-expire refresh of tokens. Tokens will now be refreshed around 10 minutes before they expire.
New /v1/units endpoint to fetch all units a user belongs to. The response contains the unit display names.

IMSG 17.2.1 (2020-10-12)

IMSG now handles userinfo from access tokens correctly, fixing a bug where service tokens would contain no userinfo

Admin App 1.1.0

2020-09-11

Add missing config options for Azure LFE
- useFullGroupsEndpoint
- useTransitiveGroupMemberships

Admin API 19.2.0

2020-09-11

Two new endpoints for import/export of organization units and group mappings. See for details.
- GET /v1/organizations.export
- POST /v1/organizations.import

Admin API 19.2.1 (2020-10-12)

Fix bug where only admins could create credentials for organization applications

IMSG 17.1.0

2020-08-21

All organization units are now included in the service token whether the user has any permissions in it or not. Units the user does not belong to will have no permissions in it.

IMSG 17.1.1 (2020-08-21)

Dependency upgrades

IMSG 17.0.0

2020-05-07

Remove old M2M support

IMSG 17.0.1 (2020-05-12)

Dependency downgrades

SAL 5.6.0

2020-03-02

No longer requires environment variables IM_LOG_LEVEL and IM_LOG_NAME.
Log level will default to info and log name to Log name not set

IMSG 16.8.0

2020-03-02

No longer counts internal users towards billable users
Subjects with the first name Naviga will be tagged as internal access.

IMSG 16.7.0

2020-03-02

New env variables ONLY_ACCEPT_ID_TOKENS, INCLUDE_GROUPS_IN_SERVICE_TOKEN
New login url /v1/login with org and callback as query params

TokenUtils

Param

Type

getOrgPermissions(request) {#getOrgPermissions}⇒ `Array.<String>`

Get the subject's organization permissions

Organization permissions are located under permissions.org

Returns: Array.<String> - } permissions - The subject's org permissions

Param

Type

getUnitPermissions(request, unit) {#getUnitPermissions}⇒ `Array.<String>`

Get the subject's permissions for the specified unit

Unit permissions are located under permissions.units[unit]

Returns: Array.<String> - permissions - The subject's permissions for the specified unit

Param

Type

Description

isServiceAdmin(request) {#isServiceAdmin}⇒ `Boolean`

Checks if a token belogs to an admin for the service

Returns: Boolean - isServiceAdmin - True if the token belongs to an admin for the service

Param

Type

getUserinfo(request) {#getUserinfo}⇒ `Object`

Get the subject's userinfo

Returns: Object - userinfo - The userinfo object set on the subject

Param

Type

Managing Applications

Organizational applications represents customer applications that need to authenticate on their own behalf to perform actions using Naviga Content tools and APIs. Common use cases are machine to machine operations such as import or export of content to and from CCA and OC.

Organizational applications identify themselves using client credentials, which consists of client_id and client_secret, comparable to username and password. The client credentials are used to fetch an access token, which in turn is used for authentication when accessing Naviga Content tools and APIs. Both client credentials and access tokens are part of the OAuth2 specification.

This page describes how to create and manage organizational applications and related credentials in Naviga ID. For instructions on how to actually use client credentials to fetch access tokens and access APIs, see Fetching and using Access Tokens.

Creating an application

As of December 2021, the Admin App that is used to manage Naviga ID configuration does not yet support managing applications and client credentials. However, the Admin API does support all required operations.

The full API for managing applications and credentials are available at the .

To create applications, the role imid:admin is required. Auth can be either an ID-Token or Access-Token, either as cookie or in the Authorization HTTP header as Bearer token.

To create an application, you'll need the organization id, not the name. The organization id can be seen in the URL when configuring an organization in the Admin App at https://admin.stage.imid.infomaker.io

There are two ways to define the permissions an application should have. The legacy way by using groups, and the recommended way of using scopes.

Specifying permissions using `scopes`

Scopes are simply string representations of roles and permissions that includes information if the role or permission is valid in a specific unit or the entire organization.

By using scopes to define what an application is allowed to do, all "group-to-role" mappings in Naviga ID are bypassed. So instead of using an intermediate format and config, the roles and permission that an application are allowed to assume is defined directly in the application itself on creation (can be updated).

Another benefit with scopes is that they are also used when fetching access tokens. This enables fetching of tokens with a subset of the permissions an application is allowed to assume which greatly limits the implications if an access-token would be shared or leaked. To learn more about this, go to the page.

All scopes have the following format

["permission"|"role"]:[unitName|"*"]:[serviceName]:[entityName]

Below are example of the allowed type of scopes when creating applications

Example scope

Description

To use multiple scopes, simply create a space separated list of them as the example below.

To create an application, you'll need the organization Id, the name you want to give the application, a description as well as the scopes that you wish to give the application.

To create an application, use the /v1/organizationApplications.create in the Admin API. The scopes that define roles and permissions that the applicatin can assume should be entered in the allowedScopes payload parameter. See the .

In the response you'll get the id of the application (client_id) as well as one initialclient_secret that you'll need to . To enable easy rotation of secrets, Naviga ID supports multiple client_secret per application. For more details, see the lower down on this page.

Specifying permissions using `groups`

This method is no longer recommended. Instead, please use scopes as described in the step. With scopes, the application owns the configuration and can also fetch access-tokens that only hold a subset of permissions that an application is allowed to take.

To create an application with permissions based on groups, you'll first need the organization Id, the name you want to give the application, a description as well as the groups that you wish the application to belong to. The groups you define will be used to map roles/units according to the organization's configuration in Admin App.

To create an application, use the /v1/organizationApplications.create in the Admin API. See the .

In the response you'll get the id of the application (client_id) as well as one initialclient_secret that you'll need to . Naviga ID supports multiple client_secret per application, to enable easy rotation of secrets. For more details, see the lower down on this page..

Rotation of credentials (client_secret)

Credentials can, and should be rotated in defined intervals for security reasons.

To enable easy rotation of client_secret, Naviga ID Organizational Applications support multiple credentials. That way, it's possible to rotate credential with zero downtime in services by creating a new credential for the application and updating all places where the old credential is used before removing it from Naviga ID.

See the Admin API documentation on for details on how to find the id of the current credential, create a new credential and delete the old credential.

Use client credentials to access Naviga Services

See .

Local HTTPS support

How to enable local development with HTTPS support

Naviga ID does not allow the ID-token cookie to be included in requests over unencrypted connections. Therefore, local SSL support is required to have locally hosted web applications make use of the Naviga ID cookie.

For this to work, a couple of things are needed

A locally running HTTP service
A locally installed root-certificate that can be used to generate custom certificates
A local proxy that handles the SSL handshake and encryption/decryption and also proxy the request to the local HTTP service
At least one ...local.infomaker.io entry in /etc/hosts that points to 127.0.0.1

Almost all web backends support SSL termination. However, since we always use ALB, API Gateway, or CloudFront for SSL termination in our hosted services, it's better to mimic that setup with a proxy locally as well. That way, no code change is required for your service.

Let's get started!

1. Start a demo http-server

For simplicity and to ensure that anyone can use this guide, a simple demo server is used instead of an actual Naviga service. At the end of the guide, there's a description of what you need to change to run one (or more) "real" services locally with HTTPS support.

To start the demo server, open a terminal and run the following command

Let the application run and open your browser and verify that returns a test page.

Looks good? Great!

2. Install and run mkcert

Next, let's install the tool that will help us generate and install root and service certificates. Go to and follow the installation instructions for your OS.

Once installed, execute the following steps to generate your first certificate.

3. Install and configure Caddy as reversed proxy

The next step is to install the proxy server to use for the SSL termination. Go to and follow the instructions for your OS.

Next, create a file called ~/Caddyfile in your home directory. Use the example below as a template but make sure to replace the name in the path to the certificates (/home/jacob/certificates/...) with the name of your home dir.

There are two instances on line 3 where the name must be replaced

Once done, run the following commands

4. Configure /etc/hosts to map domain name to localhost

The last step to tie it all together is to update your local hosts file with an entry that tells your browsers and applications that demo.local.infomaker.io is hosted on your own machine and not online somewhere. We use the same domain name as in the ~/Caddyfile and add it to /etc/hosts as below

5. Profit!

If you open your browser and go to you should be greeted with the same test page as before, but this time with a locked padlock to the left or the URL bar and no errors about an unsecured connection.

6. Optional: Run multiple services

To add more services, simply duplicate the current entry in the ~/Caddyfile and update the following parts:

The domain name. Change demo to whatever name you want to use for your service
The local port. Change localhost:8888 to match the port your application is bound to.

Save the file and reload the Caddy config

Finally, add an entry in /etc/hosts that matches the domain you added in ~/Caddyfile

Gotchas

Some frameworks (such as Node) have their own trust-store. In that case, the root certificate must be added there as well. If not added, any requests from node to will fail since the root certificate from mkcert is not trusted.

For node, make sure you have the following environment variable set.

If you're using Docker, you must also mount the rootCA.pem file inside docker, and use the NODE_EXTRA_CA_CERTS to point the location inside docker.

Description

Fetching and using Access Tokens

Introduction

Access tokens are short lived JWT tokens that can identify either a user or an application. For an introduction to the JWT standard, see https://jwt.io/introduction.

Because the tokens are short lived and since they can not be refreshed on their own, the verification of them are simpler than compared to ID-tokens. This means that they can be validated without the need for an IMSG reverse proxy.

This document describes how to fetch and use Naviga ID access tokens.

The links in these instructions point to the stage environment. To access the production systems, simply remove .stage from all URLs. For example: Stage Access-Token Service: Prod Access-Token Service:

Fetch access tokens

There are two ways to authenticate to retrieve an access token, either as a user or as an application.

Locally cache and reuse Access Tokens for as long as they are valid (i.e. not expired). Do not fetch a new access token for each request you perform to a service API such as CCA or OC.

Fetch access-token as logged in user

As a logged in user, using ID-token

POST https://access-token.stage.imid.infomaker.io/v1/token

Choose ONE of the available ways to include the ID-token in the request.

Query Parameters

Name

Type

Description

Headers

Name

Type

Description

Groups are only included in the access token if they have a "group to role"-mapping setup in Naviga ID Login.

Fetch a scoped access-token as logged in user

As a logged in user, using ID-token

POST https://access-token.stage.imid.infomaker.io/v1/token

Choose ONE of the available ways to include the ID-token in the request.

Query Parameters

Name

Type

Description

Headers

Name

Type

Description

Request Body

Name

Type

Description

Groups are only included in the access token if they have a "group to role"-mapping setup in Naviga ID Login.

See for an example on how to use scopes.

Fetch access-token as application (using client credentials)

If you haven't yet created an application in Naviga ID, se the page and follow the instructions there.

As an application, using client credentials

POST https://access-token.stage.imid.infomaker.io/v1/token

Both JSON and form data are supported payload formats.

Request Body

Name

Type

Description

Fetching access-tokens as application configured using scopes

To use scopes, the application must have been configured with allowedScopes when created (and not using groups). If that is not the case, you can either modify the application by removing the groups and add allowedScopes, or simply create a new application.

When fetching a token, in the scope field, specify the scopes that you wish to include in the token. If you specify more inclusive scopes than what is definied in the allowedScopes for your application, the req will fail. If you specify invalid scopes, such as with unit, service, role or pemission that does not exists in Naviga ID, the req will fail.

All scopes have the following format

["permission"|"role"]:[unitName|"*"]:[serviceName]:[entityName]

Below is a list of examples of scopes

Scope

Description

Fetching access-token as application configured using groups

Note that group-based applications are our legacy way of configuring authorization. It is still supported, by we highly recommend to transition to scope-based applications.

CURL example. Start by storing client_id and client_secret in environment variable CLIENT_ID and CLIENT_SECRET respectively.

CURL example that stores token in environment variable NAVIGA_ACCESS_TOKEN.

Filtering access token permissions using scopes

permission-filter-include-org

Includes all requested permissions in the org array. Only one instance of the scope should exist.

permission-filter-include-unit:{unitName}

Includes all requested permissions in the specified unit array. Multiple instances of the scope can exist as long as the unit name is unique.

Error if unitName does not exist or if sub does not have access to that unit

Examples

Authenticate using an Access Token

Only send Access Tokens over HTTPS

Simply include the Access Token in the Authorization header whenever you perform a request to a Naviga ID enabled service API, such as CCA and OC.

Do not include the ID-token cookie when executing requests to APIs. If the service is using an IMSG, there's a chance of a "Too many tokens"-error.

CURL example. Environment variable NAVIGA_ACCESS_TOKEN and NAVIGA_ORG needs to be set.

Alias

Example value:

`CORS_ALLOWED_ADDITIONAL_HEADERS`

CORS allowed additional headers

Any extra headers (other than Accept,Authorization,Content-Type,If-None-Match) used by the service that should be allowed when CORS in IMSG is activated.

Type

Required

Alias

Default value:

Example value:

`CORS_ALLOWED_ORIGINS`

CORS allowed origins

Origins that should be allowed by Access-Control-Allow-Origin. This will override the service's CORS configuration

Type

Required

Alias

Default value:

Example value:

`CORS_ALLOW_ANY_HEADERS`

CORS allow any headers

Allow any headers in CORS. This will reflect the value of access-control-request-headers into the response access-control-allow-headers. Use with care.

Type

Required

Alias

Example value:

`ECS_CONTAINER_METADATA_FILE`

Do not set manually. Filepath to the ECS container metadata file. Set automatically by ECS if ECS_ENABLE_CONTAINER_METADATA is set.

Type

Required

Alias

Example value:

State API grace period

How long to stay in grace once connection to the state API is lost. Defaults to 60 minutes.

Type

Required

Alias

Default value:

Example value:

`IMAS_URL`

IMAS URL

URL to IMAS

Type

Required

Alias

Example value:

Log level

Log level used by Bunyan. See for details

Type

Required

Alias

Default value:

Example value:

`IM_LOG_NAME`

Log name

Log name used by Bunyan. See for details

Type

Required

Alias

Default value:

Example value:

Should only be set for legacy services not yet updated. If set, units without explicit permissions will not be included in the service token and org permissions for those units are ignored.

Type

Required

Alias

Example value:

`ONLY_ACCEPT_ID_TOKENS`

Only accept ID tokens

If enabled, only ID tokens will be accepted as valid tokens. Access tokens will be rejected with an invalid token type error.

Type

Required

Alias

Example value:

Service token secret

Shared secret between IMSG and the service protected by IMSG

Type

Required

Alias

Example value:

`STATE_API_READ_SECRET`

Internal API secret

Secret used to access state API.

Type

Required

Alias

Example value:

`STATE_API_STARTUP_TIMEOUT`

State API grace period

How long to wait for startup before timing out.

Type

Required

Alias

Example value:

`STATE_API_URL`

AWS region

URL to state API.

Type

Required

Alias

Example value:

`TELEMETRY_API_URL`

Telemetry API URL

URL to telemetry API

Type

Required

Alias

Example value:

Naviga ID

Introduction

Architecture

Authorization schema

Introduction

Organization

Unit

Group

Service Roles

Integrations

Customer Integration

Microsoft Azure

Prerequisites

Google G Suite

Prerequisites

Custom Identity Provider

Prerequisites

Information for Infomaker

Information for the integrating party

Allowed callback URLs

Allowed web origins

Moving to a New Identity Provider

Retaining subject IDs in Naviga ID

Service Integration

IMSG and headers

Headers added by IMSG

Services

Admin API

Routes

Health

/health

Path Parameters

IMSG

Routes

Imsg-service

/imsg-service/v1/callback

Shared modules

Http Test Server

HttpTestServer

HttpTestServer{#HttpTestServer}

HttpTestServer{#HttpTestServer}

new HttpTestServer(params)

start()

stop()

getServerHost() {#getServerHost}⇒ string

waitForCall(endpoint, [params]) {#waitForCall}⇒ Promise.<Object>

onHttpCall(request, response) {#onHttpCall}⇒ Promise.<Object> | void

Service Authorization Lib

ExpressMiddleware

ExpressMiddleware{#ExpressMiddleware}

ServiceAuthorizationMiddleware{#ServiceAuthorizationMiddleware}

Hapi plugin

ServiceAuthorizationError

ServiceAuthorizationError

new ServiceAuthorizationError(args)

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ Object

AccessDenied

AccessDenied⇐ ServiceAuthorizationError

new AccessDenied(publicData, internalData)

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ Object

Unauthorized

Unauthorized⇐ ServiceAuthorizationError

ConfigError

ConfigError⇐ ServiceAuthorizationError

new ConfigError(publicData, internalData)

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ Object

Client Credentials

Access Token

Validate Access Tokens

When using IMSG

Validate without IMSG

Authentication

Authorization

Local development

Post Mortem

Broken backwards compatibility in access token service for client credentials, 20th Dec 2021

Summary

Introduction

Routes

Authorization schema

getServerHost() {#getServerHost}⇒ `string`

waitForCall(endpoint, [params]) {#waitForCall}⇒ `Promise.<Object>`

onHttpCall(request, response) {#onHttpCall}⇒ `Promise.<Object>` | `void`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

AccessDenied⇐ `ServiceAuthorizationError`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

Unauthorized⇐ `ServiceAuthorizationError`

ConfigError⇐ `ServiceAuthorizationError`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

Unauthorized⇐ `ServiceAuthorizationError`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

ConfigError⇐ `ServiceAuthorizationError`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

AccessDenied⇐ `ServiceAuthorizationError`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`

getServerHost() {#getServerHost}⇒ `string`

waitForCall(endpoint, [params]) {#waitForCall}⇒ `Promise.<Object>`

onHttpCall(request, response) {#onHttpCall}⇒ `Promise.<Object>` | `void`

hapiReply(replyOrResponseToolkit, [extraPublicData]) ⇒ `Object`