Authentication Service

This service issues JWTs using two entry points:

Important runtime switch:

Auth controllers are enabled only when features.providers.enabled=true.
Repository default is false (application.properties), so /auth/* endpoints are disabled unless enabled.

Wallet Flow

{
  "purpose": "login",
  "message": "Login request: <timestampMs>",
  "timestamp": "<timestampMs>"
}

POST /auth/wallet-auth
- Input: wallet, signature
- Output: { "token": "..." }
POST /auth/wallet-auth2
- Input: wallet, signature, and either reservationKey or labId
- Output: { "token": "...", "labURL": "..." }

Booking checks use BlockchainBookingService and require a valid active reservation for the signer.

GET /auth/message also supports purpose=checkin:

Query params: signer, and either reservationKey or labId (optional puc)
Returns typed data payload for EIP-712 check-in signing (typedData), plus resolved reservationKey.

Endpoints:

Request body:

{
  "marketplaceToken": "<marketplace JWT>",
  "samlAssertion": "<base64 SAML assertion>",
  "labId": "42",
  "reservationKey": "0x..."
}

Validation pipeline:

Validate marketplace JWT signature using key from marketplace.public-key-url.
Validate SAML assertion signature and required attributes using SamlValidationService.
Cross-check userid and affiliation between marketplace JWT and SAML attributes.
If booking info is requested (/auth/saml-auth2), enforce booking entitlement:
- bookingInfoAllowed=true OR
- required scope (auth.saml.required-booking-scope, default booking:read).

SAML trust defaults:

saml.idp.trust-mode=whitelist (default)
saml.trusted.idp={...} map is used in whitelist mode
Metadata URL resolution supports per-issuer/global overrides and assertion hints
HTTPS metadata required by default (saml.metadata.allow-http=false)

JWT signing keys:

Last updated 1 month ago