
MC Configuration file mc_config.json

The mc_config.json file is needed for all KOBIL Solutions, but its content differs per solution. It is an unsigned file and can be created manually.

Example mc_config.json for KOBIL Shift Lite solution installations
{
  "useScp": false,
  "useSmartScreen": false,
  "astServerBackend": "maverick",
  "useTokenBasedLogin": true,
  "iam": {
    "serverUrl": "https://idp.<domain>",
    "redirectUri": "https://kobil/OpenIdRedirectUri",
    "trustedSslServerCerts": ["<domain>/iam_trusted_certs.pem"]
  }
}
JSON Key | Description | Mandatory
iam.serverUrl | Host URL of the IDP server | yes
iam.redirectUri | Default IDP redirect URI | yes
iam.trustedSslServerCerts | List of filenames (inside the app) of files holding the trusted TLS server certificates used for certificate pinning of the IDP server. | yes

Note: The files listed in trustedSslServerCerts must be in PEM format and may contain one or more certificates. See Trust Store Configuration for details on which certificates to put into the trust store. Note also that, for simplicity, the different trust store entries can point to the same file.
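As an added example (not part of the KOBIL documentation or product code), the following Python script checks an mc_config.json against the rules above before it is shipped inside an app: the mandatory iam keys are present, serverUrl is an https URL, and every trustedSslServerCerts entry resolves to a PEM bundle that contains at least one well-formed CERTIFICATE block. The sample config and the PEM bundle are constructed for the example; the PEM bodies are dummy base64, not real certificates, and the trust-store files are passed in as a name-to-contents mapping standing in for the files bundled with the app.

```python
import base64
import json
import re

# Constructed sample mc_config.json mirroring the Shift Lite example above.
SAMPLE_CONFIG = """{
  "useScp": false,
  "useSmartScreen": false,
  "astServerBackend": "maverick",
  "useTokenBasedLogin": true,
  "iam": {
    "serverUrl": "https://idp.example.test",
    "redirectUri": "https://kobil/OpenIdRedirectUri",
    "trustedSslServerCerts": ["iam_trusted_certs.pem"]
  }
}"""


def _pem_block(body: bytes) -> str:
    """Wrap arbitrary bytes in PEM CERTIFICATE armour (constructed dummy data, not a real cert)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(body).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed bundle with two certificate blocks, as a trust store file may hold several.
SAMPLE_PEM = _pem_block(b"constructed-dummy-cert-1") + _pem_block(b"constructed-dummy-cert-2")

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)
MANDATORY_IAM_KEYS = ("serverUrl", "redirectUri", "trustedSslServerCerts")


def count_pem_certs(pem_text: str) -> int:
    """Return the number of CERTIFICATE blocks whose body is valid base64; raises ValueError otherwise."""
    count = 0
    for body in PEM_BLOCK.findall(pem_text):
        # binascii.Error (a ValueError subclass) is raised if the body is not base64.
        base64.b64decode("".join(body.split()), validate=True)
        count += 1
    return count


def validate_config(config_text: str, trust_files: dict[str, str]) -> list[str]:
    """Return a list of problems found; an empty list means the config passed every check.

    trust_files maps the filenames referenced by trustedSslServerCerts to their contents,
    standing in for the files bundled inside the app.
    """
    problems: list[str] = []
    cfg = json.loads(config_text)
    iam = cfg.get("iam")
    if not isinstance(iam, dict):
        return ["missing 'iam' section"]
    for key in MANDATORY_IAM_KEYS:
        if key not in iam:
            problems.append(f"iam.{key} is mandatory")
    if not str(iam.get("serverUrl", "")).startswith("https://"):
        problems.append("iam.serverUrl must be an https URL")
    cert_files = iam.get("trustedSslServerCerts", [])
    if not isinstance(cert_files, list) or not cert_files:
        problems.append("iam.trustedSslServerCerts must list at least one file")
        cert_files = []
    for name in cert_files:
        if name not in trust_files:
            problems.append(f"{name}: trust store file not found")
            continue
        try:
            n = count_pem_certs(trust_files[name])
        except ValueError:
            problems.append(f"{name}: malformed base64 inside a PEM block")
            continue
        if n == 0:
            problems.append(f"{name}: no PEM certificate blocks found (DER files are not accepted)")
    return problems


if __name__ == "__main__":
    print("good config:", validate_config(SAMPLE_CONFIG, {"iam_trusted_certs.pem": SAMPLE_PEM}))
    print("missing file:", validate_config(SAMPLE_CONFIG, {}))
    print("DER instead of PEM:", validate_config(SAMPLE_CONFIG, {"iam_trusted_certs.pem": "\x30\x82\x01\x00"}))
```

Because the pinning set is whatever the PEM file contains, a trust store that silently ends up empty or in DER format disables pinning rather than failing loudly at build time; running a check like this in the app's build pipeline catches that before release.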

Security Policy Modes

Our system operates in two modes:

  • Offline Token
  • JWT Authentication Grant

Offline Token: In this mode (token exchange), the client's Subject Token is exchanged for an Offline Token. This is the default mode and is used if no other mode is configured in mc_config.json.

JWT Authentication Grant: In this mode, the client passes a JSON Web Token (JWT) to gain access to protected resources. To enable this mode, add the jwtSignKeySecurityPolicy parameter under the maverick section.

JSON Key | Description | Mandatory
maverick.jwtSignKeySecurityPolicy | Valid values: "enforceSE", "preferSE", "ignoreSE". On desktop, only the "low" policy is supported. | No. If not set, the offline token authenticator is used for the first factor of the authentication.

Description of parameters

Value | Implication | Fallback possibility
enforceSE | The SE is used to store the private sign key created for the self-signed JWT. The user decides whether the key is protected by biometry or PIN; depending on that decision, bio_auth_grant_SE or pin_auth_grant_SE is set inside the self-signed JWT. When registering the public key with the CA Service, "hardware" is set as the key storage mode. | If no SE is available, functionality bound to the JWT sign key pair is not available.
preferSE | Same as high policy. | If no SE is available, the iOS Keychain or Android Keystore is used to store the private sign key for the self-signed JWT. This can happen automatically under the hood or after asking the user for consent; in any case the user is informed by a warning that the SE is not available. The user decides whether the key is protected by no additional interaction, biometry or PIN; depending on that decision, no_auth_grant, bio_auth_grant or pin_auth_grant is set inside the self-signed JWT. When registering the public key with the CA Service, "software" is set as the key storage mode.
ignoreSE | The iOS Keychain or Android Keystore is used to store the private sign key for the self-signed JWT. The user decides whether the key is protected by no additional interaction, biometry or PIN; depending on that decision, no_auth_grant, bio_auth_grant or pin_auth_grant is set inside the self-signed JWT. When registering the public key with the CA Service, "software" is set as the key storage mode. | n/a
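The two mode passages and the policy table above describe a decision procedure: which first-factor mode the config selects, and, for the JWT Authentication Grant, where the sign key lands and which auth-grant claim the self-signed JWT carries given the configured policy, whether a Secure Element is available, and the protection the user chose. The following Python model, added here as an illustration rather than code from KOBIL, encodes that table so the outcome of a given policy can be reasoned about (for example when reviewing what an app registered with the CA Service). The function names, the SignKeyDecision type, the protection labels "none", "biometry" and "pin", and the sample config are assumptions of this example; the policy values and claim names are the ones documented above.

```python
from dataclasses import dataclass

POLICIES = ("enforceSE", "preferSE", "ignoreSE")

# Claims set inside the self-signed JWT when the key lives in the SE (hardware) ...
SE_CLAIMS = {"biometry": "bio_auth_grant_SE", "pin": "pin_auth_grant_SE"}
# ... and when it lives in the iOS Keychain / Android Keystore (software).
SOFTWARE_CLAIMS = {"none": "no_auth_grant", "biometry": "bio_auth_grant", "pin": "pin_auth_grant"}


@dataclass(frozen=True)
class SignKeyDecision:
    key_storage_mode: str  # "hardware" or "software", as registered with the CA Service
    auth_grant_claim: str  # claim placed inside the self-signed JWT
    warn_no_se: bool       # True when preferSE fell back to software storage: the user is warned


def first_factor_mode(config: dict) -> str:
    """Offline Token is the default; JWT Authentication Grant only if the policy parameter is set."""
    policy = config.get("maverick", {}).get("jwtSignKeySecurityPolicy")
    if policy is None:
        return "offline_token"
    if policy not in POLICIES:
        raise ValueError(f"unknown jwtSignKeySecurityPolicy {policy!r}")
    return "jwt_auth_grant"


def is_feature_available(policy: str, se_available: bool) -> bool:
    """Only enforceSE loses the JWT sign key functionality when no SE is present."""
    if policy not in POLICIES:
        raise ValueError(f"unknown jwtSignKeySecurityPolicy {policy!r}")
    return se_available or policy != "enforceSE"


def resolve_sign_key_policy(policy: str, se_available: bool, protection: str) -> SignKeyDecision:
    """Apply the policy table: pick the key storage mode and the resulting auth-grant claim."""
    if not is_feature_available(policy, se_available):
        raise RuntimeError("JWT sign key functionality not available: enforceSE requires an SE")
    use_se = se_available and policy in ("enforceSE", "preferSE")
    if use_se:
        # An SE-backed key must be protected by biometry or PIN; "none" is not an option here.
        if protection not in SE_CLAIMS:
            raise ValueError(f"SE-backed key cannot use protection {protection!r}")
        return SignKeyDecision("hardware", SE_CLAIMS[protection], False)
    if protection not in SOFTWARE_CLAIMS:
        raise ValueError(f"unknown protection {protection!r}")
    # preferSE only reaches software storage after a fallback, which the user must be told about.
    return SignKeyDecision("software", SOFTWARE_CLAIMS[protection], policy == "preferSE")


# Constructed sample: a config that opts into the JWT Authentication Grant with preferSE.
SAMPLE_CONFIG = {"astServerBackend": "maverick", "maverick": {"jwtSignKeySecurityPolicy": "preferSE"}}

if __name__ == "__main__":
    print(first_factor_mode(SAMPLE_CONFIG))
    for se in (True, False):
        print("preferSE, SE available =", se, "->", resolve_sign_key_policy("preferSE", se, "pin"))
```

A reviewer can use the output to cross-check registrations: a key reported to the CA Service as "hardware" must go with a *_SE claim, and a "software" key under preferSE means the fallback path was taken on that device.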