Two simple authentication nodes for ForgeRock's Identity Platform 7.2.0 and above. One node implements Apple's iOS App Attestation. https://developer.apple.com/documentation/devicecheck The attestation checking logic uses the App Attestation library by Vincent Haupert https://github.com/veehaitch/devicecheck-appattest/tree/v0.9.4 (Apache License 2.0)
The other one is using Google Play Integrity to check the Android app. https://developer.android.com/google/play/integrity/overview
BUILDING INSTRUCTIONS
- Clone the repository and build the project using maven.
- Copy the .jar file from the
../targetdirectory into<CATALINA_HOME>/webapps/<am-context-root>/WEB-INF/lib/where AM is deployed. - Copy the dependencies into
WEB-INF/libtoo. - Restart the web container to pick up the new node. The node will then appear in the authentication trees components palette.
The code in this repository has binary dependencies that live in the ForgeRock maven repository. Maven can be configured to authenticate to this repository by following the following ForgeRock Knowledge Base Article.
DEPLOYMENT
The below are needed in <catalina_home>/webapps/<context_root>/WEB-INF/lib:
# the integrity check nodes build
integrityCheckNodes-1.1.0-SNAPSHOT.jar# for App Attest
devicecheck-appattest-0.9.4.jar
kotlin-stdlib-jdk8-1.7.10.jar
kotlinx-coroutines-core-jvm-1.6.4.jar
kotlin-reflect-1.5.30.jar
annotations-13.0.jar
kotlin-stdlib-1.7.10.jar
kotlin-stdlib-common-1.7.10.jar
jackson-module-kotlin-2.13.4.jar
# for Play Integrity
google-api-client-2.2.0.jar
google-api-services-playintegrity-v1-rev20230105-2.0.0.jarMake sure the AM version has the below libraries already. If using an older AM, you might have to replace the <1.70 versions of Bouncy Castle with the below versions.
# Bouncy Castle 1.70
bcpkix-jdk15on-1.70.jar
bcprov-jdk15on-1.70.jar
bcutil-jdk15on-1.70.jar
bcmail-jdk15on-1.70.jarAll the above jars are available in Maven Central, see their artifact IDs in pom.xml.
USAGE
App Attestation
- sends a
MetadataCallbackcontaining the challenge - a
HiddenValueCallbackfor the attestation - and another
HiddenValueCallbackfor the keyID
Play Integrity
- sends a
MetadataCallbackcontaining the nonce - a
HiddenValueCallbackfor the token
Sample authentication tree
The sample code described herein is provided on an "as is" basis, without warranty of any kind, to the fullest extent permitted by law. ForgeRock does not warrant or guarantee the individual success developers may have in implementing the sample code on their development platforms or in production configurations.
ForgeRock or DPC Consulting Kft does not warrant, guarantee or make any representations regarding the use, results of use, accuracy, timeliness or completeness of any data or information relating to the sample code. ForgeRock disclaims all warranties, expressed or implied, and in particular, disclaims all warranties of merchantability, and warranties related to the code, or any service or software related thereto.
ForgeRock or DPC Consulting Kft shall not be liable for any direct, indirect or consequential damages or costs of any type arising out of any action taken by you or others related to the sample code.