Skip to content

Commit 42def06

Browse files
metsmamrts
authored andcommitted
Clarify how URL should be encoded
WE2-1241 Signed-off-by: Raul Metsma <raul@metsma.ee>
1 parent 7039e7f commit 42def06

2 files changed

Lines changed: 12 additions & 3 deletions

File tree

README.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -134,6 +134,14 @@ import eu.webeid.security.validator.AuthTokenValidatorBuilder;
134134
...
135135
```
136136

137+
The site origin configured with `withSiteOrigin()` must match the origin string
138+
signed by the Web eID application. Use the [ASCII serialization of the
139+
origin](https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin)
140+
as specified by the [Web eID architecture
141+
document](https://github.com/web-eid/web-eid-system-architecture-doc#web-eid-authentication-token-specification).
142+
For internationalized domain names, configure the Punycode form, for example
143+
`https://xn--pike-loa.ee` for `https://päike.ee`.
144+
137145
## 6. Add a REST endpoint for issuing challenge nonces
138146

139147
A REST endpoint that issues challenge nonces is required for authentication. The endpoint must support `GET` requests.
@@ -262,7 +270,7 @@ The website back end must lookup the challenge nonce from its local store using
262270
263271
As described in section *[5. Configure the authentication token validator](#5-configure-the-authentication-token-validator)*, the mandatory authentication token validator configuration parameters are the website origin and trusted certificate authorities.
264272
265-
**Origin** must be the URL serving the web application. Origin URL must be in the form of `"https://" <hostname> [ ":" <port> ]` as defined in [MDN](https://developer.mozilla.org/en-US/docs/Web/API/Location/origin) and not contain path or query components. **Note that the `origin` URL must not end with a slash `/`**.
273+
**Origin** must be the URL serving the web application. Origin URL must be in the form of `"https://" <hostname> [ ":" <port> ]` as defined in [MDN](https://developer.mozilla.org/en-US/docs/Web/API/Location/origin) and not contain path or query components. **Note that the `origin` URL must not end with a slash `/`**. The configured origin must use the ASCII serialization that is signed by the Web eID application. For internationalized domain names, use the Punycode form, for example `https://xn--pike-loa.ee` instead of `https://päike.ee`.
266274
267275
The **trusted certificate authority certificates** are used to validate that the user certificate from the authentication token and the OCSP responder certificate is signed by a trusted certificate authority. Intermediate CA certificates must be used instead of the root CA certificates so that revoked CA certificates can be removed. Trusted certificate authority certificates configuration is described in more detail in section *[4. Add trusted certificate authority certificates](#4-add-trusted-certificate-authority-certificates)*.
268276

example/README.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,9 @@ web-eid-auth-token:
3333
local-origin: "https://<<NGROK HOSTNAME HERE>>"
3434
```
3535
36-
**Note that the origin URL must not end with a slash `/`**.
36+
**Note that the origin URL must not end with a slash `/`**. For internationalized
37+
domain names, use the ASCII/Punycode origin form in `local-origin`, for example
38+
`https://xn--pike-loa.ee` for `https://päike.ee`.
3739

3840
### 3. Configure the trusted certificate authority certificates
3941

@@ -262,4 +264,3 @@ When running the application with the `dev` profile in test mode, you need to up
262264
### Why do I get the `401 Unauthorized "Authentication failed: Web eID token validation failed"` response during authentication?
263265

264266
One possible reason is that you are using the test ID card on a site that is running in production mode or, vice-versa, a real ID card on a site that is running in test mode; or any other ID card whose certificate authority has not been added to the list of trusted certificate authorities. There will be a `CertificateNotTrustedException` in the logs in this case.
265-

0 commit comments

Comments
 (0)