Merged stage into master for release 1.3 (#35)

GufCab · rosieks · web-flow · commit bb6ed4726d68 · 2022-11-17T10:54:40.000+01:00
* Updated with documentation for the FIWARE OAuth 2.0 mechanism Authored by @rosieks * Added documentation about the KOMBIT public certificate (#34) Co-authored-by: Sławomir Rosiek <rosieks@hotmail.com>
diff --git a/source/external-interface-design/external-interface-design.rst b/source/external-interface-design/external-interface-design.rst
@@ -481,7 +481,7 @@ The context (part of the NGSI-LD standard) can be provided in the request body o
 
 The Fiware data target supports the multitenancy of the Context Broker (but not every context broker supports multitenancy). The name of the tenant can be specified in the configuration. If no value is provided, the default tenant will be used. To specify the tenant OS2IoT is using :code:`NGSILD-Tenant` header.
 
-
+If your Context Broker is secured with OAuth2 it's possible to configure target to obtain necessary client credentials from Authentication Server. To do that it's required to provide token endpoint together with Client ID and Client Secret while configuring the target.
 
 Opendata.dk
 ^^^^^^^^^^^
diff --git a/source/installation-guide/installation-guide.rst b/source/installation-guide/installation-guide.rst
@@ -235,6 +235,8 @@ OS2IoT-backend takes several environment variables as configuration, if these ar
 +-------------------------------+------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+
 | KOMBIT_CERTIFICATEPRIVATEKEY  | The certificate  private key for KOMBIT adgangsstyring                                               | :code:`null`                                                                            |
 +-------------------------------+------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+
+| KOMBIT_CERTIFICATEPUBLICKEY   | Public certificate from the KOMBIT idp for verifying SAML response                                   | :code:`"INSERT_KOMBIT_CERT"`                                                            |
++-------------------------------+------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+
 | KOMBIT_ROLE_NAME              | This string must be a substring of the brugersystemrolle you grant users for them to be given access | :code:`http://os2iot.dk/roles/usersystemrole/adgang/`                                   |
 +-------------------------------+------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+
 | CHIRPSTACK_JWTSECRET          | Secret to generate JWT for Chirpstack                                                                | :code:`verysecret`                                                                      |
diff --git a/source/kombit-adgangsstyring/kombit-adgangsstyring.rst b/source/kombit-adgangsstyring/kombit-adgangsstyring.rst
@@ -16,6 +16,9 @@ Prerequisites:
 
 2. A NemID FOCES or VOCES (FOCES is preferred) for production use (Issued by: TRUST2408 OCES CA). If the OS2IoT installation is a TEST system, and the test environment for KOMBIT adgangsstyring is being used, then a FOCES/VOCES for the NemID integration environment is sufficent (Issued by: TRUST2408 Systemtest).
 
+3. The public certificate from the KOMBIT IDP. Can be retrieved from
+    a. **KOMBIT Test endpoint:** https://adgangsstyring.eksterntest-stoettesystemerne.dk/runtime/saml2/metadata.idp
+    b. **KOMBIT Prod endpoint:** https://adgangsstyring.stoettesystemerne.dk/runtime/saml2/metadata.idp
 
 Once the prerequisites are in order the configuration can begin.
 
@@ -91,6 +94,13 @@ Steps:
             .. code-block:: javascript
 
                 KOMBIT_ENTRYPOINT="https://adgangsstyring.eksterntest-stoettesystemerne.dk/runtime/saml2/issue.idp"
+        
+        iiiii. The variable :code:`KOMBIT_CERTIFICATEPUBLICKEY` must be set to the public key of the KOMBIT idp. If unset, the backend will not validate responses from KOMBIT, even if they are valid. Must be one line, with only the key part as shown below
+            d. An example for :code:`.env` could be:
+
+            .. code-block:: javascript
+
+                KOMBIT_CERTIFICATEPUBLICKEY="MIIGHTCCBQWgAwIBAgIEXgiTCTA[...]H0QDoU9mHDP17gSZZ"
 
 
 Test:
