Alison Server - Enrollment




Generate a Credential

Any client application can create a credential following these steps:

1. Obtain an OAuth2 Token.

The client must obtain an OAuth2 token from Alison-Server to access any service. In this case, a scope is not required.

2. Create a Credential.

When creating a credential it is mandatory to indicate an Authorization Configuration. A parameter indicating the number of Multi Signatures can be sent too.

Authorization Configuration

This configuration specifies the type of authorization (explicit, implicit, and oauth2) and any extra configuration associated with the chosen type. For example, in explicit authorization, you have to configure whether OTP, PIN, or both are required. The configuration is indicated by passing the ID of the configuration.

Currently, only explicit authorization is supported.

Multi Signature

This value specifies the maximum number of signatures that can be created in one request.

The default is 1.

3. Add Second Factors.

Once the credential is created, it is necessary to add the required second factors according to the chosen configuration.

Credentials can be protected with PIN, OTP, or both, but at least one of the second factors is required; otherwise, the credential would be left unprotected. If more than one second factor is required, two calls to the service must be made, each indicating the type of second factor that is being added.

PIN

When adding a PIN, a secret value must be specified. This value is the raw password that will be required when trying to access the credential.

OTP

When adding an OTP, no secret value is specified, because it is generated by the service. The response returns the generated secret as well as any other information associated with the generated OTP, such as the issuer and the user.

After generating the secret it is necessary to confirm that the OTP has successfully been retrieved. When confirming the OTP an OTP Value must be sent.

4. Generate Key Pair.

After all required Second Factors have been added, a Key Pair can be generated. In this case, the key algorithm and length must be sent, as well as the CSR signature algorithm. When generating the Key Pair, a CSR is returned. This CSR must be signed by a CA in order to get a Certificate.

5. Add a Certificate.

Once the CSR has been signed by a CA and a Certificate is obtained, it must be associated with the credential. The Certificate must be sent with the complete Certificate Chain (root, intermediate, and end certificates). It has to be sent in PKCS7 format. If the end Certificate Public Key does not match the stored public key, an error will be returned.
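A client can run the public key comparison from step 5 locally before uploading, so a mismatched or incomplete bundle is caught before the service rejects it. The following is an added example, not part of the Alison Server documentation or API: it assumes the openssl command-line tool, a PEM-encoded CSR from step 4, and a hypothetical function name and file arguments.

```shell
#!/bin/sh
# Added example (not Alison Server code): pre-flight check for step 5.
# The function name and the file arguments are hypothetical.

# chain_has_csr_key CSR_PEM CHAIN_P7 [PEM|DER]
# Returns 0 if a certificate in the PKCS7 bundle carries the CSR's public key,
# 1 if none does, 2 if the CSR or the bundle cannot be parsed.
chain_has_csr_key() {
    csr=$1; p7=$2; fmt=${3:-PEM}

    # SubjectPublicKeyInfo of the key pair generated in step 4, as PEM text.
    want=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$want" ] || return 2

    tmp=$(mktemp -d) || return 2
    # Split the bundle into one PEM file per certificate. Order inside a
    # PKCS7 bundle is not guaranteed, so every certificate is checked.
    openssl pkcs7 -inform "$fmt" -in "$p7" -print_certs 2>/dev/null |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'

    rc=2    # stays 2 when the bundle held no parsable certificate
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)
        [ -n "$got" ] || continue
        if [ "$got" = "$want" ]; then rc=0; break; fi
        rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}
```

A return value of 1 usually means the bundle was built from the wrong certificate or is missing the end certificate; the check does not validate the chain itself.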



 
