Yubikey Support

The Payara API provides a way to authenticate with Yubikey using the @YubikeyIdentityStoreDefinition annotation. This works in the same way as other identity stores in the Java EE Security API.

Usage

The Yubikey identity store is defined through the @YubikeyIdentityStoreDefinition annotation. Specifying this in a valid place as defined by the Security API will create the identity store. Often this may mean that any class is a valid position.

This authentication mechanism currently supports cloud-based Yubikey authentication servers only.

Example

The following code sample illustrates how to configure Yubikey support:

@YubikeyIdentityStoreDefinition(yubikeyAPIKey="qwertyuiop1234567890", yubikeyAPIClientID=98765)
public class ApplicationConfiguration {

}
java

Configuration

The @YubikeyIdentityStoreDefinition annotation has several configuration attributes. These refer to the API access credentials from Yubico.

One of yubikeyAPIClientID, yubikeyAPIClientIDExpression or a MicroProfile Configuration settings is mandatory for the feature to work correctly.
Table 1. Configuration Options
Option Required Description

yubikeyAPIClientID

false

The client identifier used to identify the application

yubikeyAPIKey

true

The API key

priority

false

The priority of the identity store

priorityExpression

false

EL expression which overrides the priority value

yubikeyAPIClientIDExpression

false

EL expression which overrides the yubikeyAPIClientID value

These attributes can be overridden with MicroProfile configuration values:

  1. payara.security.yubikey.apikey overrides yubikeyAPIKey

  2. payara.security.yubikey.clientid overrides yubikeyAPIClientID

  3. payara.security.yubikey.identitystore.priority overrides priority