FAQ
This FAQ provides answers to common questions about the IBM Cloud® App ID service.
Can I interact directly with the development team?
Yes! Our development team would love to learn more about you and your use case. To get in touch, you can join us on Slack.
- Request an invitation to the workspace by entering your email.
- Check your email for an invitation.
- Click Join now to go to the sign-in page.
- Create an account by entering your name and a password.
- When you're in, search for the channel
#appid-at-ibm. - Join the channel.
Welcome! Now that you're up and running, feel free to ask questions, give feedback, and help others.
Using the Slack channel is not a replacement for opening a support ticket. If you encounter a more serious issue, issues with IBM Cloud that don't relate to App ID, or need to share more information than you are comfortable sharing in a public forum, open a support ticket.
Why do I need to allowlist my redirect URI?
A redirect URI is the callback endpoint of your application. When you allowlist your URI, you're giving App ID the OK to send your users to that location. At runtime, App ID validates the URI against your allowlist before it redirects the user. This process can help prevent phishing attacks and lessens the possibility that an attacker is able to gain access to your user's tokens. For more information about redirect URIs, see Adding redirect URIs.
Do not include any query parameters in your URL. They are ignored in the validation process. Example URL: http://host:[port]/path
How does encryption work in App ID?
Check out the following table for answers to commonly asked questions about encryption.
| Question | Answer |
|---|---|
| Why do you use encryption? | One way that we protect our users' information is by encrypting customer data at rest and in transit. The service encrypts customer data at rest with per-tenant keys and enforces TLS 1.2+ in all network segments. |
| Which algorithms are used in App ID? | The service uses AES and SHA-256 with salting. |
| Do you use public or open source encryption modules or providers? Do you ever expose encryption functions? | The service uses avax.crypto Java libraries, but never exposes an encryption function. |
| How are keys stored? | Keys are generated, encrypted with a master key that is specific to each region, and then stored locally. The master keys are stored in Key Protect. Each region has its own root-of-trust key that is stored in Key Protect, which is backed up by HSM. Each service instance (tenant) has its own data encryption and token signature keys, which are encrypted by using the region's root-of-key trust. |
| What is the key strength that you use? | The service uses 16 bytes. |
| Do you invoke any remote APIs that expose encryption capabilities | No, we do not. |
What clock synchronization does App ID use?
App ID runs in IBM Cloud, which uses an internal NTP server: servertime.service.softlayer.com.
Synchronizing your application with App ID's time source depends on which environment that you're using to run your application.
- If your application is running in IBM Cloud Classic Infrastructure, set your NTP servers to
servertime.service.softlayer.com. - If your application is running in IBM Cloud VPC Infrastructure, set your NTP servers to
time.adn.networklayer.com. - If your application is not running in IBM Cloud, you do not have access to these time servers. In this case, set your NTP servers to
time-a.nist.govortime-b.nist.gov.
What is the difference between App ID and Keycloak?
Both App ID and Keycloak can be used to add authentication to applications and secure services. The main difference between the two offerings is how they're packaged.
Keycloak is packaged as software, which means that you, as the developer, are responsible for maintaining functionality of the product after you download it. You're responsible for hosting, high-availability, compliance, backups, DDoS protection, load balancing, web firewalls, databases, and more.
App ID is a fully managed offering that is provided "as-a-service". This means that IBM takes care of the operation of the service, handles compliancy, availability in multiple zones, SLA, and more. App ID also has an integrated experience with the IBM Cloud Platform that includes native runtimes and services such as the Kubernetes Service, Cloud Functions, and Activity Tracker.
Can I use the same client ID in more than one application?
While you technically _can_ use the same credentials in more than one application, it is highly recommended that you do not for several reasons. Foremost, because when you're sharing your ID across applications any type of attack
or compromise then affects your entire environment rather than one application. For example, if you're using your ID across three applications and one of them becomes compromised, all three are then compromised. An attacker is able to impersonate
any of your apps. The second reason is that when you're using the same client ID in multiple apps, there is no way to differentiate between applications. For example, you're unable to tell which app was used to generate a token.
How can I update my application to use a new service instance without losing any data
You can migrate the information in one instance of App ID to another.
- Create an instance of the service.
- Duplicate your identity provider configuration by using the GUI.
- Migrate your user profiles. Known users are exported as a JSON object. Anonymous user's cannot be migrated. You can choose to import the entire object into the new instance or break it up and divide the users as you see fit if you have more than one instance. For Cloud Directory, see Migrating users. For federated identity providers, use the following steps.
- Create application credentials to invoke the new service instance.
- In the service dashboard, navigate to the Applications tab.
- Click Add Application and give your application a name. Then, click Save.
- Click View credentials in the table and copy the output.
- Paste your new credentials into your application.
- Update your application to use the new credentials including any URLs.
- Depending on your configuration, you might need to redeploy or unbind and rebind your application.
Can App ID help configure logout?
Depending on how you configure your application, App ID can help to facilitate a log out functionality for your users. Check out the following table to see where functionality for logout is available.
| Description | |
|---|---|
| App ID SDKs | The App ID SDKs have a built-in logout functionality. |
| Cloud Directory SSO[1] | App ID provides built in logout functionality for the Cloud Directory SSO feature. |
| Ingress | Ingress provides a built in logout functionality. |
| Istio | The Istio adapter is configured to provide log out functionality through OIDC. |
Configuring logout
To configure logout, you must configure your application to send a request to your identity provider. Then, to redirect the user to an area of your application that does not require authentication. In most use-cases, an application server session might be set by the App ID SDKs, Ingress, or Istio that works in partnership with a federated identity provider such as SAML or Cloud Directory to enable authentication and authorization.
In the following HTML example, an App ID SDK is used to configure log out. But, if you are working with another option, you can use this snippet as a guide and update it to fit your needs.
<script>
var ticker = setInterval(tick, 1000);
var counter = 5;
function tick() {
var timerDiv = document.getElementById("timer");
if (counter > 0) {
timerDiv.innerText = "Logged out. Redirecting back in " + (counter--) + " seconds.";
} else {
document.location = "./appid_logout";
}
} </script>
<iframe height="0" width="0" src="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"></iframe>
-
All redirect URLs that are used with the Cloud Directory SSO feature must be added to the log out URL allowlist in the App ID UI. ↩︎