2.3 Setting up the FIDO access token

To allow MyID to carry out attestation checks on FIDO authenticators, you must obtain an access token for the FIDO Alliance Metadata Service and store it in the configuration file for the MyID authentication web service (web.oauth2).

Note: The MyID web server must be able to access FIDO-related URLs to download the metadata. If your server cannot access these metadata URLs, or if you are experiencing performance issues when verifying metadata, you can download a local repository; see section 2.3.4, Setting up a local metadata repository.

Note: If you are using the standalone authentication service (web.oauth2.ext) in conjunction with the AD FS Adapter OAuth to allow for FIDO authentication to your AD FS, you do not need to configure the web.oauth2.ext service with the access token; the attestation checks are relevant only for registration, and the standalone authentication service provides only authentication and not registration for FIDO authenticators.

2.3.1 Obtaining an access token

You must obtain an access token for the FIDO metadata from the FIDO Alliance website.

Note: FIDO is in the process of transitioning its metadata service (currently called MD2) to a different mechanism (called MD3) that was not available at the time of release for MyID 12.0.

If you have any issues obtaining an access token for the FIDO metadata, contact Intercede support quoting reference SUP-341.

2.3.2 Encrypting the access token

To encrypt the access token:

  1. Log on to the MyID web server as the MyID web service user.

    This is the user under which the web.oauth2 web service runs.

    Note: It is important that you use this account to encrypt the secret, as no other accounts can decrypt the secret to use it.

  2. Open a PowerShell command prompt, and navigate to the web.oauth2 web service folder.

    By default, this is:

    C:\Program Files\Intercede\MyID\web.oauth2\

  3. Run the following PowerShell script:

    .\DPAPIEncrypt.ps1 <access key>

    For example:

    .\DPAPIEncrypt.ps1 911a93a18f141b6f1a2c4b99edd591cef31f73a5e1ab7822

    The script outputs an encrypted copy of the access key; for example:

    PS C:\Program Files\Intercede\MyID\web.oauth2> .\DPAPIEncrypt.ps1 911a93a18f141b6f1a2c4b99edd591cef31f73a5e1ab7822
    AQAAANCMnd8BFdERjHoAwE/Cl+s [...] VrTfOwgVq+QjGUYUzSzhK9V4=

    (Encrypted output string truncated for documentation purposes.)

  4. Copy the encrypted access token string.
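The following is an added example, not the DPAPIEncrypt.ps1 script shipped with MyID: it shows what a user-scoped DPAPI encryption of the access token looks like and verifies that the account running it can decrypt the result again. It assumes Windows PowerShell 5.1 on the web server, and the token value is a constructed sample.

```powershell
# Added example, not the DPAPIEncrypt.ps1 script shipped with MyID: encrypts a token
# with user-scoped DPAPI (only the encrypting Windows account can decrypt it) and
# checks the round trip. Assumes Windows PowerShell 5.1 on the web server.
Add-Type -AssemblyName System.Security

function Protect-AccessToken {
    param([Parameter(Mandatory)][string]$Token)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Token)
    # CurrentUser scope ties the blob to this account's DPAPI master key, which is why
    # the page says to run the encryption as the web service user and no other account.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    # Base64 DPAPI blobs start with the fixed header "AQAAANCMnd8BFdERjHoAwE/Cl+s",
    # matching the sample output shown on this page.
    return [Convert]::ToBase64String($blob)
}

function Unprotect-AccessToken {
    param([Parameter(Mandatory)][string]$Encrypted)
    $blob  = [Convert]::FromBase64String($Encrypted)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

function Test-AccessTokenRoundTrip {
    param([Parameter(Mandatory)][string]$Encrypted, [Parameter(Mandatory)][string]$Expected)
    try {
        return (Unprotect-AccessToken -Encrypted $Encrypted) -eq $Expected
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when another account, or a machine without this user's master keys, decrypts.
        return $false
    }
}

# Constructed sample value; not a real FIDO Alliance access token.
$token     = 'constructed-sample-access-key-0123456789abcdef'
$encrypted = Protect-AccessToken -Token $token
"Encrypting as: $env:USERDOMAIN\$env:USERNAME"
"Encrypted:     $encrypted"
"Round trip OK: $(Test-AccessTokenRoundTrip -Encrypted $encrypted -Expected $token)"
```

Running Test-AccessTokenRoundTrip on the same encrypted string under a different Windows account returns False, which is the behaviour the note in step 1 describes.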

2.3.3 Adding the access token to the web service configuration file

To add the encrypted access token string to the web service configuration file:

  1. As an administrator, open the appsettings.Production.json file in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. Edit the file to include the following:

    {
        "Fido":{
            "Config":{
                "MDSAccessKeyClear":false,
                "MDSAccessKey":"<encrypted key>"
            }
        }
    }

    where:

    • <encrypted key> – the string produced by the DPAPIEncrypt.ps1 script.

    For example:

    {
        "Fido":{
            "Config":{
                "MDSAccessKeyClear":false,
                "MDSAccessKey": "AQAAANCMnd8BFdERjHoAwE/Cl+s [...] VrTfOwgVq+QjGUYUzSzhK9V4="
            }
        }
    }
  3. Save the appsettings.Production.json file.
  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

2.3.4 Setting up a local metadata repository

You can use the provided MyID.FIDO.Metadata.App to obtain a local metadata repository, which you can then configure the authentication service to use instead of the live data on the website.

The MyID.FIDO.Metadata.App is installed to the Intercede.MyID.FIDO.Metadata.App subfolder of the Utilities folder on the MyID web server; by default, this is:

C:\Program Files\Intercede\MyID\Utilities\

To configure the app:

  1. Open the appsettings.Production.json configuration file for the app in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\Utilities\Intercede.MyID.FIDO.Metadata.App\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the app. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. Edit the file to include the following settings:

    {
        "Fido": {
            "Config": {
                "MDSAccessKeyClear": false,
                "MDSAccessKey": "<encrypted key>",
                "MDSCacheDirPath": "<path of cache folder>"
            }
        }
    }

  3. Set the following options:

    • <encrypted key> – copy the value from the web.oauth2 appsettings.Production.json file.
    • <path of cache folder> – set this to the path of the folder on the web server to which you want to install the cache.

      Use double backslashes in the path; for example:

      "MDSCacheDirPath": "C:\\Data\\Cache"

      Alternatively, you can replace the backslashes with forward slashes; for example:

      "MDSCacheDirPath": "C:/Data/Cache"

      Note: The web service user must have read and write access to this folder.

  4. Save the configuration file.

  5. Run the utility:

    1. Log on to Windows as the web service user.

    2. Open a Windows command prompt.

    3. Navigate to the Utilities\Intercede.MyID.FIDO.Metadata.App folder.

    4. Type the following:

      MyID.FIDO.Metadata.App.exe

    The app downloads the metadata to the cache folder.

    You must run the MyID.FIDO.Metadata.App periodically to refresh the data in the cache.

You must now configure the authentication service to use the cache instead of the live data:

  1. Open the appsettings.Production.json file for the authentication service in a text editor.

    By default, this is:

    C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json

  2. Edit the file to include the following settings:

    {
        "Fido": {
            "Config": {
                "MDSCacheDirPath": "<path of cache folder>",
                "TOCName": "<path and name of TOC file>",
                "CacheTimeDays": <validity period>
            }
        }
    }

    where:

    • <path of cache folder> – is the path of the folder of data downloaded by the MyID.FIDO.Metadata.App utility. Use forward slashes or double backslashes in the path.

      Note: The utility downloads the cache into a metadata subfolder of the folder you specified in the utility's configuration file; for example:

      C:\\Data\\Cache\\metadata

    • <path and name of TOC file> – the full path and name of the TOC.json file included in the cache download. Use forward slashes or double backslashes in the path.

      For example:

      C:\\Data\\Cache\\metadata\\TOC.json

    • <validity period> – the number of days after which the cache will no longer be valid, and the authentication service will revert to re-reading the metadata from the file system rather than its own in-memory cache.

      If you set this value, it overrides the nextUpdate time specified in the TOC file.

    Important: Merge these settings into your existing Fido:Config section. Do not delete any existing settings. However, if you want to use the local cache in preference to the live data, you can set the MDSAccessKey option to empty:

    "MDSAccessKey": ""

    If you leave your access token in the configuration file, MyID uses both the live data and the local cache. You can use either or both options.

  3. Save the appsettings.Production.json file.

  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.
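The following is an added example, not part of MyID: it merges the local-cache settings into the Fido:Config section of the authentication service's appsettings.Production.json without deleting the settings already there, after checking that the utility's cache and its TOC.json exist. It assumes Windows PowerShell 5.1; the config path is the page's default and C:\Data\Cache and the 30-day validity period are sample values.

```powershell
# Added example, not part of MyID: merges the local-cache settings into the Fido:Config
# section of the authentication service's appsettings.Production.json, keeping every
# setting already there, after checking that the utility's cache and TOC.json exist.
# Assumes Windows PowerShell 5.1; paths below are the page's defaults and sample values.
function Merge-FidoCacheSettings {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,   # web.oauth2 appsettings.Production.json
        [Parameter(Mandatory)][string]$CacheRoot,    # MDSCacheDirPath from the utility's config
        [int]$CacheTimeDays = 30                     # constructed sample validity period
    )
    # The utility downloads into a 'metadata' subfolder of its configured cache folder.
    $metadataDir = Join-Path $CacheRoot 'metadata'
    $tocPath     = Join-Path $metadataDir 'TOC.json'
    if (-not (Test-Path -LiteralPath $tocPath)) {
        throw "TOC.json not found at '$tocPath'; run MyID.FIDO.Metadata.App as the web service user first."
    }

    # Load the existing override file, or start empty if it has not been created yet.
    $config = if (Test-Path -LiteralPath $ConfigPath) {
        Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
    } else { [pscustomobject]@{} }

    # Create Fido and Fido.Config only when missing so existing keys (e.g. MDSAccessKey) survive.
    if (-not $config.PSObject.Properties['Fido']) {
        $config | Add-Member -NotePropertyName Fido -NotePropertyValue ([pscustomobject]@{})
    }
    if (-not $config.Fido.PSObject.Properties['Config']) {
        $config.Fido | Add-Member -NotePropertyName Config -NotePropertyValue ([pscustomobject]@{})
    }

    # JSON strings need forward slashes or doubled backslashes; forward slashes avoid escaping.
    $settings = @{
        MDSCacheDirPath = $metadataDir -replace '\\', '/'
        TOCName         = $tocPath     -replace '\\', '/'
        CacheTimeDays   = $CacheTimeDays
    }
    foreach ($name in $settings.Keys) {
        # -Force replaces an existing value for the same key and adds the key otherwise.
        $config.Fido.Config | Add-Member -NotePropertyName $name -NotePropertyValue $settings[$name] -Force
    }

    # -Depth matters: the default depth of 2 would flatten the nested Config object.
    $config | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $ConfigPath -Encoding UTF8
    return $config.Fido.Config
}

Merge-FidoCacheSettings -ConfigPath 'C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json' `
                        -CacheRoot 'C:\Data\Cache' -CacheTimeDays 30
```

Run it as an administrator, then recycle the myid.web.oauth2.pool application pool as in step 4 so the service picks up the merged settings.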