Skip to main content
Version: 10.9.x

Authentication Service Configuration

The Authentication Service needs some environment variables, and a configurations file to work.

Environment variables

The environment variables needed by the service are:

  • LOG_LEVEL (default: info): level of the log. It can be trace, debug, info, warn, error, fatal or silent
  • HTTP_PORT (default: 8080): http port exposed by the service;
  • SERVICE_PREFIX (optional): the prefix used for the path of the service endpoints (except for the metrics and health endpoints);
  • DELAY_SHUTDOWN_SECONDS (default: 10): the amount of seconds waited before closing the service when performing a graceful shutdown;
  • REDIS_HOST (required): the Redis host, with the port;
  • REDIS_USERNAME (optional): the username to authenticate to Redis;
  • REDIS_PASSWORD (optional): the password to authenticate to Redis;
  • CONFIG_FILE_PATH (required): the path to the configuration file. Do not include the file name;
  • CONFIG_FILE_NAME (required): the name of the JSON configuration file. Do not include the extension;
  • USERS_CRUD_BASE_URL (required): base URL of the internal endpoint of the CRUD service exposing the data of the users (e.g. http://crud-service/users);
  • MIA_JWT_TOKEN_SIGN_KEY (required): a JWT signing key used to generate the authentication JWT for the user login (preferred an HMAC of least of 512 bytes);
  • MIA_JWT_TOKEN_VALID_DURATION_SEC (required): time in seconds before the generated access token expires;
  • PROVIDER_TOKEN_PASS_PHRASE (required): a string used to encrypt the JWT (preferred an HMAC at least of 128 bytes);
  • MIA_REFRESH_TOKEN_VALID_DURATION_SEC (required): time in seconds before the generated refresh token expires;
  • EXPIRE_DELTA_PROVIDER_TOKEN_SEC (optional): how many seconds before the expiration of refresh token will be refreshed automatically;
  • ORIGINAL_PROTOCOL_HEADER (required): header containing the protocol of the original request (http or https);
  • ADDITIONALS_CA_FOLDER (optional): folder which contains the CA of the OAuth2 identity providers, if it's not public;
  • ADDITIONAL_HEADERS_TO_PROXY (optional): comma separated list of headers to proxy to the request to CRUD service.
  • STORED_ACCESS_TOKEN_NUMBER (optional): maximum number of stored access token associated to a user. The tokens are stored on Redis. Default is 10.
  • REDIS_SESSIONS_SCOPE (required): a string used to define the scope of redis in order to distinguish items in a multi-tenant architecture.

Configurations file

The configurations file required by the Authentication Service is in the JSON format. The file stores the configurations required by the Identity Providers to be used for authenticaton of your applications.


We recommend to mount this configuration file using a Kubernetes Secret due its confidential content.

It is important to outline that it is possible to define an order property, not required, that will order your providers in the providers API result (e.g. for your login page) from the relative highest value to the lowest. In case the order property is not defined or multiple providers have the same order number, the service will alphabetically order them.

For the service configuration, there is an apps field with as key the appId with value the app configuration. The app configuration contains:

  • providers (required): an object with key the providerId and as value the provider configuration;
    • type (required): the type of the provider. Can be gitlab, github, okta, microsoft, keycloak or generic;
    • clientId (required): the client ID of the OAuth2 app;
    • clientSecret (required): the client secret of the OAuth2 app;
    • authUrl (required): URL to call the authorize endpoint of the authorization_code grant type in the identity provider;
    • tokenUrl (required): URL to get the token in the identity provider;
    • baseUrl (required): base URL of the provider;
    • scope (required): an array of string of the scope to forward to the identity provider;
    • order (optional): a number which define the order to be returned from the get apps endpoint;
    • userSettingsURL (optional): an URL to send the user to the user settings page on idp provider;
    • skipRefreshProviderTokenOnMiaTokenRefresh (default false): if true, the provider's token won't be refreshed when calling the /refreshtoken endpoint, unless the provider token has expired;
  • redirectUrl (required): the url where the app is redirected during the authorization_code grant type, to be redirect after the authorize call. This must be set the same as in the idp provider;
  • authorizeStateRequired (default: false): When true, the client should generate the state parameter, enabling further protection against CSRF attacks. See the related section;
  • realm: (required): the realm of the application, to aggregate users between different configuration in a same provider (user is identified by realm, providerId and providerUserId*);
  • defaultGroups (required): an array of strings to add as group to a user on user creation;
  • allowedRedirectUrlsOnSuccessfulLogin (optional): a set of strings with the allowed redirect urls on successful login; do not add the query string here as it will be ignored when checking if the url is allowed, as per the the specification
  • defaultRedirectUrlOnSuccessfulLogin (optional): a string to set the default redirect on successful login;
  • isWebsiteApp (optional): a boolean, if true set a Cookie sid in header.
  • customTokenClaims (optional): options to configure additional custom claims to be added to the JWT token.
    • includeProviderUserId (default: false): if true, the claim providerUserId will be included in the JWT token.
    • metadataFieldsToIncluded (optional): an array of fields to be included under the field metadata. The metadatafield will be populated only if the array is defined and not empty.
  • issuer (required): The value of the iss claim, it will be inserted in the issued tokens.
  • sidCookieCustomAttributes (optional): an object with a sid cookie custom configuration. If not set a default configuration will be applied, more information here
    • domain (optional): sets the Domain attribute to the cookie to a value of your choice. By default, the attribute is not added.
    • sameSite (optional): sets the SameSite attribute to the cookie, allowed values are Lax and Strict. By default, the attribute is set to Lax.

Here an example of the service configuration:

"apps": {
"APP_ID": {
"providers": {
"type": "gitlab|github|okta|microsoft|bitbucket|keycloak|generic",
"clientId": "the-idp-client-id",
"clientSecret": "the-idp-client-secret",
"authUrl": "auth_url",
"tokenUrl": "token_url",
"userInfoUrl": "user_info_url",
"baseUrl": "base_url",
"scope": ["custom_scope"],
"order": 10,
"userSettingsURL": "settings-url"
"authorizeStateRequired": true,
"redirectUrl": "",
"realm": "realm1",
"isWebsiteApp": true,
"defaultGroups": ["users"]

You can retrieve most of the URLs needed for the configuration from the OpenID Connect Discovery URL, usually exposed by the providers under the /.well-known/openid-configuration route. Refer to the provider documentation.

Users collection

To correctly configure the service, it is important to configure the CRUD collection with the internal endpoint set in the USERS_CRUD_BASE_URL environment variable. Remember to set the default state of the endpoint to PUBLIC.

Fields in the CRUD collection must be the following:

Field NameField TypeRequired
groupsArray of string

The fields groups, providerId, and realm are obtained from the service configuration described above.

The metadata field can be used to store any kind of information about the user.


It is not recommended to store additional fields at the root of the collection, as future versions of the authentication service could introduce new fields with clashing names. Nest any additional information about the user under the metadata field.

How to configure providers

Below, the different configuration based on provider type.

This is a configuration example for an app using GitLab Identity provider. Replace {GITLAB_URL} with the url of your instance (or the public one).

"apps": {
"web": {
"providers": {
"gitlab": {
"type": "gitlab",
"clientId": "the-idp-client-id",
"clientSecret": "the-idp-client-secret",
"authUrl": "https://{GITLAB_URL}/auth",
"tokenUrl": "https://{GITLAB_URL}/token",
"userInfoUrl": "https://{GITLAB_URL}/api/v4/user",
"baseUrl": "https://{GITLAB_URL}",
"scope": ["custom_scope"],
"order": 10,
"userSettingsURL": "settings-url"
"redirectUrl": "",
"realm": "my-realm",
"defaultGroups": []

Redis storage


This feature is available from service tag 3.0.0

Redis is used to store some information regarding the user session. With the environment variable STORED_ACCESS_TOKEN_NUMBER it's possible to configure how many sessions can be stored and set a limit to the maximum number of concurrent active session.

The endpoint DELETE-/expired-sessions can be used to clean all queues deleting the expired tokens.