
JWT Token Based Authentication

The document outlines the configurations required to enable JWT token-based authentication in the IRIS application, including enabling the class path resource, Spring Security Filter, and specific configurations for the spring-jwt-iris-authenticator.xml. It details the necessary properties for token validation, including algorithm, signature, and claim validators, as well as how to manage user principals and handle clock skew. Additionally, it provides instructions for skipping JWT validation for certain endpoints and enabling authentication for external users.

Uploaded by Riahi

JWT Token Based Authentication Configurations.

In IRIS, JWT token-based authentication is enabled by making the following configuration changes in the war file.

1. Enable the class path resource.

spring-jwt-iris-authenticator.xml is used to define the Spring beans and should be loaded as part of the configuration.

By default, IRIS is shipped with this configuration disabled and the user is expected to enable it. In the web.xml file, inside the <context-param> element, un-comment the line below.

classpath:spring-jwt-iris-authenticator.xml

Note: From IRIS version 201906 onwards, this is enabled by default along with spring-saml-iris-authenticator.xml.

2. Enable Spring Security Filter

The IRIS web application is enabled with Spring Security filter chains by configuring the respective tags in the web.xml of the IRIS application. Un-comment the springSecurityFilterChain entries below; by default this is disabled.

3. spring-jwt-iris-authenticator.xml Configuration

spring-jwt-iris-authenticator.xml allows clients to configure the IRIS infrastructure according to their token validation requirements.

The section below describes how to configure the Spring Security Authentication Provider and the Token Validation filter to the needs of the client.

Out of the box, Temenos provides a Validation filter and an Authentication provider to validate the JWT token. The Validation filter uses this configuration XML to perform the algorithm, claim and signature validations.

I. AlgorithmValidator

The algorithm provided in the configuration is compared with the algorithm declared in the JWT token; if the two values do not match, IRIS rejects the request and sends an unauthorised response.

<beans:property name="idTokenSignedAlg" value="RS256" />

In the example given, the token is assumed to use the algorithm "RS256"; change this value according to your token type.

II. SignatureValidator

To enable signature validation, set the property below to true; by default it is set to false.

<beans:property name="idTokenSigned" value="true" />

Every JWT token is signed by the token provider using its own private key, and the signature can be validated only with the public key provided by the token provider. To validate the signature of the JWT token in IRIS, the public key must be configured. IRIS supports four ways of obtaining the public key, and one of the four properties below must be configured for IRIS to validate the signature.

<beans:property name="pkEncoded" value="" /> – use this property if the client has the public key as a string; it is base64 encoded and added here.
<beans:property name="pkCertEncoded" value="" /> – use this property if the client has the key certificate as a string; it is base64 encoded and added here.
<beans:property name="pkCertFilePath" value="" /> – use this property if the client has the key certificate as a certificate file (.cer or .pem); the file location is configured here.
<beans:property name="pkJwksUri" value="" /> – use this property if the client can expose a JWKS URI from which the public key is obtained.

Note: at least one of the four properties must be configured in order to validate the signature.

If the client does not want to perform signature validation, the property below can be set to false, which skips the signature validation.

<beans:property name="idTokenSigned" value="false" />

III. ClaimValidator

ClaimValidator is a generic validator for the various claims in the token. Each instance of ClaimValidator validates one specific claim; the claim to be validated is injected into the instance.

Default validators are supported for the following claims:

1) exp
2) iss
3) iat

IV. CustomClaimValidator

If the customer/user needs to validate claims other than the default ones, this can be achieved with the following configuration.

<beans:bean id="customClaim" class="com.temenos.irf.web.security.jwt.validator.CustomClaimValidator">
    <beans:property name="customClaims">
        <beans:map>
            <beans:entry key="" value="" />
            <beans:entry key="" value="" />
        </beans:map>
    </beans:property>
</beans:bean>

The user can add any number of key/value pairs to the above property; every value is compared with the corresponding claim in the JWT token, and if any comparison fails IRIS sends an unauthenticated response to the user.

V. Fields required for further processing.

In some scenarios the client/support development needs to extract values from the JWT token and use them later in the (published / provider) services. For this purpose the following bean can be configured so that those values are extracted from the token and set in the request context header.

<beans:bean id="requiredFields" class="com.temenos.irf.web.security.jwt.parser.RequiredFieldsExtractor">
    <beans:property name="claimsToExtract">
        <beans:list>
            <beans:value></beans:value>
            <beans:value></beans:value>
        </beans:list>
    </beans:property>
</beans:bean>

The user can add any number of values to the above property; refer to the screen print below for an example.

If a defined field is not available in the token, this is logged and processing continues.

VI. User principal for authentication.

Upon successful validation of the token, the validation filter builds and propagates the authenticated principal and invokes the remaining filter chain as normal.

Spring Security uses org.springframework.security.core.userdetails.UserDetails to manage user information across the application. Once a request is authenticated, Spring Security makes the UserDetails available as part of the Spring Authentication object.

IRISAuthenticatedUser is the IRIS authenticated user object used to carry user data as part of the Spring Authentication object.

On successful authentication of the token, the successfulAuthentication callback sets the Spring Authentication object reference in the Spring Security Context. The Security Context holds the user information (IRISAuthenticatedUser), which is available across the IRIS Version and Enquiry processors.

To obtain this user principal, the user/client needs to configure which claim carries the principal. This is configured in the property below; the default value is "sub".

<beans:property name="principalClaim" value="sub" />

4. applicationContext.xml - Enable Spring security

IRIS T24 Processors use the T24 Security Context to construct the OFS message with the respective user credentials. T24SecurityFilter derives the user principal from the Spring Security Context and constructs the user's T24 security context.

Out of the box, Temenos provides the T24 Security filter "com.temenos.irf.comms.security.AuthImpl.T24SpringSecurityContextFilter". This filter retrieves the user principal from the Spring Security Context and constructs the T24 Security Context used for constructing the OFS message.

The following bean in the applicationContext.xml file needs to be enabled, and all other "t24SecurityFilter" beans need to be disabled.

5. How to add a clock skew allowance or adjust a clock difference?

There are cases where the clock of the JWT token provider and the clock of the server on which IRIS runs differ by some seconds, ahead or behind. In those cases IRIS can be configured to tolerate a specific time difference, using the property below, where the value is in seconds.

<beans:property name="expiryDelayAllowance" value="0" />

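As an added example (not IRIS or Temenos code), the Python below models how the validators configured in section 3 and the expiryDelayAllowance of section 5 fit together in one filter pass: algorithm match, signature, exp/iss/iat with skew, custom claims, required-field extraction and principalClaim. HS256 via HMAC stands in for the page's RS256 because the Python standard library has no RSA, and the "issuer" config key is an assumption, since the page does not show how the iss value is configured.

```python
import base64, hashlib, hmac, json

class Unauthorised(Exception): """Raised where IRIS would send an unauthorised response."""

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(header: dict, claims: dict, key: bytes) -> str:
    # Constructed HS256 token: the token provider's side (stand-in for the page's RS256).
    h, p = b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def validate(token: str, cfg: dict, key: bytes, now: float):
    # Runs the validators in filter order; returns (principal, extracted_fields).
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(unb64url(h)), json.loads(unb64url(p))
    except ValueError:
        raise Unauthorised("malformed token")
    # AlgorithmValidator: header alg must equal idTokenSignedAlg exactly, so
    # alg=none or a downgraded algorithm is rejected before anything else runs.
    if header.get("alg") != cfg["idTokenSignedAlg"]:
        raise Unauthorised("alg mismatch")
    # SignatureValidator: only when idTokenSigned is true.
    if cfg["idTokenSigned"]:
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(s)):
            raise Unauthorised("bad signature")
    # ClaimValidators for exp, iat, iss; expiryDelayAllowance is the skew in seconds.
    skew = cfg.get("expiryDelayAllowance", 0)
    if "exp" not in claims or claims["exp"] + skew < now:
        raise Unauthorised("expired")
    if claims.get("iat", 0) - skew > now:
        raise Unauthorised("iat in the future")
    if claims.get("iss") != cfg["issuer"]:  # 'issuer' config key is an assumption
        raise Unauthorised("bad issuer")
    # CustomClaimValidator: every configured key/value must match the token.
    for k, v in cfg.get("customClaims", {}).items():
        if claims.get(k) != v:
            raise Unauthorised(f"claim {k} mismatch")
    # RequiredFieldsExtractor: an absent field is logged and processing continues.
    extracted = {n: claims[n] for n in cfg.get("claimsToExtract", []) if n in claims}
    for n in set(cfg.get("claimsToExtract", [])) - set(extracted):
        print(f"WARN claim {n} not present in token")
    return claims[cfg.get("principalClaim", "sub")], extracted
```
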
6. How to skip JWT validation for static resources and healthz APIs?

A few endpoints in the war file, such as healthz APIs and static resources, need to be excluded from JWT validation. Using the property below, those endpoints can be configured so that IRIS skips the JWT validation filter for them. The user can define more than one endpoint as a comma-separated value. This feature is available from IRIS version 201911 onwards.

<beans:property name="skipUrls" value="/v1/healthz , /v1/getStaticData" />

Refer to the screenshot below on how to configure this property.

7. How to enable JWT based authentication for an EXTERNAL user.

a) Changes in the IRIS R18 service xml

e.g.

<setProperty propertyName="CLIENT_TYPE">
    <constant>EXTERNAL</constant>
</setProperty>

b) Changes in T24

Edit this user and give access as pre-auth. To do this, edit as below:

OFS.SOURCE, I IRISEXTERNAL

OR

OFS.SOURCE, I IRISAAEXTERNAL

OR

OFS.SOURCE, I TCIB

Add the attribute PREAUTHENTICATED and restart the server.

Map the enquiry and version which need to be called by the external user as below:

USER.SMS.GROUP, I TC.TEST
