MC Configuration file mc_config.json
The mc_config.json is needed for all KOBIL Solutions, but the content differs for each solution. It is an unsigned file, you can create it manually.
{
"useScp": false,
"useSmartScreen": false,
"astServerBackend": "maverick",
"useTokenBasedLogin": true,
"iam": {
"serverUrl": "https://idp.<domain>",
"redirectUri": "https://kobil/OpenIdRedirectUri",
"trustedSslServerCerts": ["<domain>/iam_trusted_certs.pem"]
}
}
| JSON Key | Description | Mandatory |
|---|---|---|
| iam.serverUrl | Host url of the IDP Server | yes |
| iam.redirectUri | Default IDP redirect Uri | yes |
| iam.trustedSslServerCerts | List with filenames inside app with trusted TLS server certificates used for Certificate Pinning of the IDP server. | yes |
Note: This trustedSslServerCerts files must be in PEM format, they can contain one or more certificates. See Trust Store Configuration for details on which certificates to put into the trust store. Note also that for simplicity, the different trust store entries can point to the same file.
Security Policy Modes
Our system operates in two modes:
- Offline Token
- JWT Authentication Grant
Offline Token:
In this mode (token-exchange), the client's Subject Token is exchanged to obtain an Offline Token. This mode is the default and will be used if no other modes are configured in mc_config.json.
JWT Authentication Grant:
In this mode, the client passes a JSON Web Token (JWT) to gain access to protected resources. To enable this mode, you need to add the jwtSignKeySecurityPolicy parameter under the maverick section.
| JSON Key | Description | Mandatory |
|---|---|---|
| maverick.jwtSignKeySecurityPolicy | Valid values: "enforceSE", "preferSE", "ignoreSE". On desktop, only "low" policy is supported. | No. If not set, offline token authenticator is used for the 1st factor of the authentication. |
Description of parameters
| Value | Implication | Fallback Possibility |
|---|---|---|
| enforceSE | SE is used to store the created private sign key for the Self Signed JWT Token. User can decide if key is protected with biometry or PIN. Depending on decision bio_auth_grant_SE or pin_auth_grant_SE is set inside self signed JWT. While Registering the public key towards CA Service, "hardware" is set as key storage mode. | If SE is not available functionality bound to the JWT Sign Key Pair will not be available. |
| preferSE | Same as high policy | If SE is not available, the iOS Keychain and Android Keystorage will be used to store the private sign key for the Self Signed JWT Token. This can be done automatically under the hood or by asking for consent of the user. In any case the User will be informed by a warning that the SE is not available. User can decide if key is protected with no additional interaction, biometry or PIN. Depending on decision no_auth_grant, bio_auth_grant or pin_auth_grant is set inside self signed JWT. While Registering the public key towards the CA Service "software" is set as key storage mode. |
| ignoreSE | iOS Keychain and Android Keystorage will be used to store the private sign key for the Self Signed JWT Token. User can decide if key is protected with no additional interaction, biometry or PIN. Depending on decision no_auth_grant, bio_auth_grant or pin_auth_grant is set inside self signed JWT. While Registering the public key towards the CA Service "software" is set as key storage mode. | n/a |