MC Configuration file mc_config.json
The mc_config.json file is essential for all KOBIL Solutions, but its content varies depending on the solution. It is an unsigned file, meaning you can manually create it.
- To create this file, follow these steps:
-
Begin by creating an empty file named mc_config.json.
-
Copy and paste the code provided in the example below into the file:
{
"useScp": false,
"useTokenBasedLogin": true,
"useSmartScreen": false,
"astServerBackend": "maverick",
"iam": {
"clientId": "IDPSubsequentLogin",
"serverUrl": "https://idp.</ServerUrl>.com",
"redirectUri": "https://kobil/OpenIdRedirectUri",
"trustedSslServerCerts": ["</FolderName>/</CertificateFileName>.pem"]
},
"maverick": {
"mTLS": false,
"mKex": false,
"useSEKeyForSigningTransactions": false
}
}
This example shows how to configure the mc_config.json specifically for KOBIL Shift Lite solution installations. Adjust the values according to your specific setup as needed.
- Set the
</ServerUrl>value as the URL of your KOBIL IDP console. </FolderName>is the name of the folder where all MC configuration files are stored.- The format of
</CertificateFileName>should be of type (.pem).
Note: The
trustedSslServerCertsfiles can contain one or more certificates. Refer to Trust Store Configuration for guidance on which certificates to include in the trust store. Also, note that for simplicity, the different trust store entries can point to the same file.
| JSON Key | Description | Mandatory |
|---|---|---|
| iam.serverUrl | Host url of the IDP Server | Yes |
| iam.redirectUri | Default IDP redirect Uri | Yes |
| iam.trustedSslServerCerts | List with filenames inside app with trusted TLS server certificates used for Certificate Pinning of the IDP server. | Yes |
| maverick.mTLS | Mutual authentication method for transport layer security in IDP Server | No |
| maverick.mKex | Secured digital exchange in IDP Server | No |
| maverick.useSEKeyForSigningTransactions | Secure enclave supported Transaction in IDP Services | No |
Security Policy Modes
Our system operates in two modes:
- Offline Token
- JWT Authentication Grant
Offline Token:
In this mode (token-exchange), the client's Subject Token is exchanged to obtain an Offline Token. This mode is the default and will be used if no other modes are configured in mc_config.json.
JWT Authentication Grant:
In this mode, the client passes a JSON Web Token (JWT) to gain access to protected resources. To enable this mode, you need to add the jwtSignKeySecurityPolicy parameter under the maverick section.
| JSON Key | Description | Mandatory |
|---|---|---|
| maverick.jwtSignKeySecurityPolicy | Valid values: "enforceSE", "preferSE", "ignoreSE". On desktop, only "low" policy is supported. | No. If not set, offline token authenticator is used for the 1st factor of the authentication. |
Description of parameters
| Value | Implication | Fallback Possibility |
|---|---|---|
| enforceSE | SE is used to store the created private sign key for the Self Signed JWT Token. User can decide if key is protected with biometry or PIN. Depending on decision bio_auth_grant_SE or pin_auth_grant_SE is set inside self signed JWT. While Registering the public key towards CA Service, "hardware" is set as key storage mode. | If SE is not available functionality bound to the JWT Sign Key Pair will not be available. |
| preferSE | Same as high policy | If SE is not available, the iOS Keychain and Android Keystorage will be used to store the private sign key for the Self Signed JWT Token. This can be done automatically under the hood or by asking for consent of the user. In any case the User will be informed by a warning that the SE is not available. User can decide if key is protected with no additional interaction, biometry or PIN. Depending on decision no_auth_grant, bio_auth_grant or pin_auth_grant is set inside self signed JWT. While Registering the public key towards the CA Service "software" is set as key storage mode. |
| ignoreSE | iOS Keychain and Android Keystorage will be used to store the private sign key for the Self Signed JWT Token. User can decide if key is protected with no additional interaction, biometry or PIN. Depending on decision no_auth_grant, bio_auth_grant or pin_auth_grant is set inside self signed JWT. While Registering the public key towards the CA Service "software" is set as key storage mode. | n/a |