@nsshunt/stsconfig 1.17.2 → 1.20.0

package/.env-default

@@ -103,8 +103,18 @@ AS_ENDPOINT=http://localhost
 AS_HOST_PORT=3002
 # Auth Server port (client port to access the service)
 AS_PORT=3002
-# Auth Server endpoint
-AS_API_ROOT=/stsauth/v1
+# Auth Server API root.
+AS_API_ROOT=/stsauth/v1.0
+# Auth Server OAuth2 API root.
+AS_OAUTH_API_ROOT=/oauth2/v2.0
+# Auth Server Admin API root.
+AS_ADMIN_API_ROOT=/admin/v1.0
+# Auth Server API Identifier.
+AS_API_IDENTIFIER=https://stsmda.com.au/stsauthapi/v1.0/
+# Auth Server OAuth API Identifier.
+AS_OAUTH_API_IDENTIFIER=https://stsmda.com.au/stsauthoauthapi/v2.0/
+# Auth Server Administration API Identifier.
+AS_ADMIN_API_IDENTIFIER=https://stsmda.com.au/stsauthadminapi/v1.0/
 # Auth Server Prometheus metric support
 AS_PROM_SUPPORT=true
 # Auth Prometheus Cluster Server port (port used for cluster prometheus scrapes)
@@ -131,6 +141,23 @@ AS_PRIVATE_KEY_PATH=/var/lib/sts/stsglobalresources/keys/private.key
 # Auth Server - Public Key (when using JWT)
 AS_PUBLIC_KEY_PATH=/var/lib/sts/stsglobalresources/keys/public.key
 
+# STSBroker Server endpoint
+BROKER_ENDPOINT=http://localhost
+# STSBroker Server port (listen port for the service)
+BROKER_HOST_PORT=3006
+# STSBroker Server port (client port to access the service)
+BROKER_PORT=3006
+# STSBroker Server endpoint
+BROKER_APIROOT=/stsbroker/v1.0
+# STSBroker Prometheus metric support
+BROKER_PROM_SUPPORT=true
+# STSBroker Cluster Server port (port used for cluster prometheus scrapes). Service will listen on this port at mount point /metrics
+BROKER_PROM_CLUSTER_PORT=3016
+# STSBroker Service Name
+BROKER_SERVICE_NAME=STSBroker
+# STSBroker Service Version
+BROKER_SERVICE_VERSION=1.0.0
+
 # STS Test Runner Prometheus metric support
 TR_PROM_SUPPORT=true
 # STS Test Runner Cluster Server port (port used for cluster prometheus scrapes)
@@ -226,3 +253,32 @@ HTTPS_SERVER_KEY_PATH=/var/lib/sts/stsglobalresources/keys/server.key
 
 # HTTPS server cert path.
 HTTPS_SERVER_CERT_PATH=/var/lib/sts/stsglobalresources/keys/server.cert
+
+# Maximum number of RSA keys in the JWKS store
+TS_JWKS_KEYS=3
+
+# File path for JWKS store data. This file will contain the public and private keys for the JWKS store.
+TS_JWKS_STORE_PATH=/var/lib/sts/stsglobalresources/.stsauthprivate/jwks-private.json
+
+# File path for JWKS public store data. This file will contain only the public signing keys for the JWKS store.
+TS_JWKS_STORE_PUBLIC_PATH=/var/lib/sts/stsglobalresources/.well-known/jwks.json
+
+# JWKS Authentication Configuration Settings
+# Ref: https://github.com/auth0/node-jwks-rsa
+# Enables a LRU cache. Ref: https://github.com/auth0/node-jwks-rsa#caching
+JWKS_AUTH_CONFIG_CACHE=true
+
+# Maximum number of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES=5
+
+# Maximum age of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+JWKS_AUTH_CONFIG_CACHE_MAX_AGE=600000
+
+# Enforce rate limiting for jwks public endpoint query. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+JWKS_AUTH_CONFIG_RATE_LIMIT=true
+
+# Enforce rate limiting maximum number of requests per minute. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE=10
+
+# Timeout for the public endpoint query. Note: This will be ignored if an http/https agent is specified.
+JWKS_AUTH_CONFIG_TIMEOUT=30000

package/.env-test-file-2

@@ -70,9 +70,15 @@ TO_CLIENT_SECRET_FILE=testclientsecretfile
 AS_ENDPOINT=http://localhost-c
 AS_HOST_PORT=30020
 AS_PORT=30020
-AS_API_ROOT=/stsauth/v1-c
+AS_API_ROOT=/stsauth/v1.0-c
+AS_OAUTH_API_ROOT=/oauth2/v2.0-c
+AS_ADMIN_API_ROOT=/admin/v1.0-c
 AS_API_IDENTIFIER=xyz
 AS_API_IDENTIFIER_FILE=testapiidentifierFile
+AS_OAUTH_API_IDENTIFIER=xyz
+AS_OAUTH_API_IDENTIFIER_FILE=testapiidentifierFile
+AS_ADMIN_API_IDENTIFIER=xyz
+AS_ADMIN_API_IDENTIFIER_FILE=testapiidentifierFile
 AS_PROM_SUPPORT=false
 AS_PROM_CLUSTER_PORT=30120
 AS_SERVICE_NAME=STSAuth-c
@@ -89,6 +95,21 @@ AS_ACCESS_TOKEN_EXPIRE=432000
 AS_PRIVATE_KEY_PATH=/var/lib/sts/stsglobalresources/keys/private.key-c
 AS_PUBLIC_KEY_PATH=/var/lib/sts/stsglobalresources/keys/public.key-c
 
+BROKER_ENDPOINT=http://localhost-c
+BROKER_HOST_PORT=3006-c
+BROKER_PORT=3006-c
+BROKER_APIROOT=/stsbroker/v1.0-c
+BROKER_PROM_SUPPORT=false
+BROKER_PROM_CLUSTER_PORT=3016-c
+BROKER_SERVICE_NAME=STSBroker-c
+BROKER_SERVICE_VERSION=1.0.0-c
+BROKER_API_IDENTIFIER=xyz
+BROKER_API_IDENTIFIER_FILE=testapiidentifierFile
+BROKER_CLIENT_ID=xyz
+BROKER_CLIENT_ID_FILE=testclientidfile
+BROKER_CLIENT_SECRET=xyz
+BROKER_CLIENT_SECRET_FILE=testclientsecretfile
+
 TR_PROM_SUPPORT=false
 TR_PROM_CLUSTER_PORT=30150
 TR_SERVICE_NAME=STSRestRunner-c
@@ -121,3 +142,14 @@ IGNORE_SOCKETIO=false
 MODEL_PURGE_UPDATE_TIMEOUT=50000
 HTTPS_SERVER_KEY_PATH=/var/lib/sts/stsglobalresources/keys/server.key-c
 HTTPS_SERVER_CERT_PATH=/var/lib/sts/stsglobalresources/keys/server.cert-c
+
+TS_JWKS_KEYS=30
+TS_JWKS_STORE_PATH=xyz
+TS_JWKS_STORE_PATH_FILE=testclientsecretfile
+TS_JWKS_STORE_PUBLIC_PATH=/var/lib/sts/stsglobalresources/.well-known/jwks.json-c
+JWKS_AUTH_CONFIG_CACHE=false
+JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES=50
+JWKS_AUTH_CONFIG_CACHE_MAX_AGE=6000000
+JWKS_AUTH_CONFIG_RATE_LIMIT=false
+JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE=100
+JWKS_AUTH_CONFIG_TIMEOUT=300000

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nsshunt/stsconfig",
-  "version": "1.17.2",
+  "version": "1.20.0",
   "description": "",
   "main": "stsconfig.js",
   "dependencies": {

package/stsconfig-01.test.js

@@ -114,7 +114,7 @@ describe("Test implicit config settings", () =>
 
 	test('Checking default authentication service config', async () => 
 	{
-		expect.assertions(21);
+		expect.assertions(27);
 
 		process.env.STSENVFILE = './.env-test-file-1'; // Empty environment file
 		let goptions = require('./stsconfig.js').$options;
@@ -123,6 +123,8 @@ describe("Test implicit config settings", () =>
 		expect(goptions.ashostport).toEqual('3002');
 		expect(goptions.asport).toEqual('3002');
 		expect(goptions.asapiroot).toEqual('/stsauth/v1.0');
+		expect(goptions.asoauthapiroot).toEqual('/oauth2/v2.0');
+		expect(goptions.asadminapiroot).toEqual('/admin/v1.0');
 		expect(goptions.asprometheussupport).toEqual(true);
 		expect(goptions.asprometheusclusterport).toEqual('3012');
 		expect(goptions.asservicename).toEqual('STSAuth');
@@ -131,6 +133,10 @@ describe("Test implicit config settings", () =>
 		expect(goptions.aspublickeypath).toEqual('/var/lib/sts/stsglobalresources/keys/public.key');
 		expect(goptions.asapiidentifier).toEqual('https://stsmda.com.au/stsauthapi/v1.0/');
 		expect(goptions.asapiidentifierfile).toEqual(undefined);
+		expect(goptions.asoauthapiidentifier).toEqual('https://stsmda.com.au/stsauthoauthapi/v2.0/');
+		expect(goptions.asoauthapiidentifierfile).toEqual(undefined);
+		expect(goptions.asadminapiidentifier).toEqual('https://stsmda.com.au/stsauthadminapi/v1.0/');
+		expect(goptions.asadminapiidentifierfile).toEqual(undefined);
 		expect(goptions.asclientid).toEqual(undefined);
 		expect(goptions.asclientidfile).toEqual(undefined);
 		expect(goptions.asclientsecret).toEqual(undefined);
@@ -159,6 +165,29 @@ describe("Test implicit config settings", () =>
 		expect(goptions.trclientsecretfile).toEqual(undefined);
 	});
 
+	test('Checking default broker service config', async () => 
+	{
+		expect.assertions(14);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.brokerendpoint).toEqual('http://localhost');
+		expect(goptions.brokerhostport).toEqual('3006');
+		expect(goptions.brokerport).toEqual('3006');
+		expect(goptions.brokerapiroot).toEqual('/stsbroker/v1.0');
+		expect(goptions.brokerprometheussupport).toEqual(true);
+		expect(goptions.brokerprometheusclusterport).toEqual('3016');
+		expect(goptions.brokerservicename).toEqual('STSBroker');
+		expect(goptions.brokerserviceversion).toEqual('1.0.0');
+		expect(goptions.brokerapiidentifier).toEqual(undefined);
+		expect(goptions.brokerapiidentifierfile).toEqual(undefined);
+		expect(goptions.brokerclientid).toEqual(undefined);
+		expect(goptions.brokerclientidfile).toEqual(undefined);
+		expect(goptions.brokerclientsecret).toEqual(undefined);
+		expect(goptions.brokerclientsecretfile).toEqual(undefined);
+	});
+
 	test('Checking default additional config items', async () => 
 	{
 		expect.assertions(22);
@@ -189,5 +218,24 @@ describe("Test implicit config settings", () =>
 		expect(goptions.httpsserverkeypath).toEqual('/var/lib/sts/stsglobalresources/keys/server.key');
 		expect(goptions.httpsservercertpath).toEqual('/var/lib/sts/stsglobalresources/keys/server.cert');
 	});
+
+	test('Checking JWKS config items', async () => 
+	{
+		expect.assertions(10);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.tsjwkskeys).toEqual(3);
+		expect(goptions.tsjwksstorepath).toEqual('/var/lib/sts/stsglobalresources/.stsauthprivate/jwks-private.json');
+		expect(goptions.tsjwksstorepathfile).toEqual(undefined);
+		expect(goptions.tsjwksstorepublicpath).toEqual('/var/lib/sts/stsglobalresources/.well-known/jwks.json');
+		expect(goptions.jwksAuthConfigCache).toEqual(true);
+		expect(goptions.jwksAuthConfigCacheMaxEntries).toEqual(5);
+		expect(goptions.jwksAuthConfigCacheMaxAge).toEqual(600000);
+		expect(goptions.jwksAuthConfigRateLimit).toEqual(true);
+		expect(goptions.jwksAuthConfigRateLimitRequestsPerMinute).toEqual(10);
+		expect(goptions.jwksAuthConfigTimeout).toEqual(30000);
+	});
 });
 

package/stsconfig-02.test.js

@@ -114,7 +114,7 @@ describe("Test configured settings", () =>
 
 	test('Checking default authentication service config', async () => 
 	{
-		expect.assertions(21);
+		expect.assertions(27);
 
 		process.env.STSENVFILE = './.env-test-file-2'; // Empty environment file
 		let goptions = require('./stsconfig.js').$options;
@@ -122,7 +122,9 @@ describe("Test configured settings", () =>
 		expect(goptions.asendpoint).toEqual('http://localhost-c');
 		expect(goptions.ashostport).toEqual('30020');
 		expect(goptions.asport).toEqual('30020');
-		expect(goptions.asapiroot).toEqual('/stsauth/v1-c');
+		expect(goptions.asapiroot).toEqual('/stsauth/v1.0-c');
+		expect(goptions.asoauthapiroot).toEqual('/oauth2/v2.0-c');
+		expect(goptions.asadminapiroot).toEqual('/admin/v1.0-c');
 		expect(goptions.asprometheussupport).toEqual(false);
 		expect(goptions.asprometheusclusterport).toEqual('30120');
 		expect(goptions.asservicename).toEqual('STSAuth-c');
@@ -131,6 +133,10 @@ describe("Test configured settings", () =>
 		expect(goptions.aspublickeypath).toEqual('/var/lib/sts/stsglobalresources/keys/public.key-c');
 		expect(goptions.asapiidentifier).toEqual('testapiidentifierfilecontents');
 		expect(goptions.asapiidentifierfile).toEqual('testapiidentifierFile');
+		expect(goptions.asoauthapiidentifier).toEqual('testapiidentifierfilecontents');
+		expect(goptions.asoauthapiidentifierfile).toEqual('testapiidentifierFile');
+		expect(goptions.asadminapiidentifier).toEqual('testapiidentifierfilecontents');
+		expect(goptions.asadminapiidentifierfile).toEqual('testapiidentifierFile');
 		expect(goptions.asclientid).toEqual('testclientidfilecontents');
 		expect(goptions.asclientidfile).toEqual('testclientidfile'); // testclientidfile
 		expect(goptions.asclientsecret).toEqual('testclientsecretfilecontents');
@@ -159,6 +165,29 @@ describe("Test configured settings", () =>
 		expect(goptions.trclientsecretfile).toEqual('testclientsecretfile');
 	});
 
+	test('Checking default broker service config', async () => 
+	{
+		expect.assertions(14);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.brokerendpoint).toEqual('http://localhost-c');
+		expect(goptions.brokerhostport).toEqual('3006-c');
+		expect(goptions.brokerport).toEqual('3006-c');
+		expect(goptions.brokerapiroot).toEqual('/stsbroker/v1.0-c');
+		expect(goptions.brokerprometheussupport).toEqual(false);
+		expect(goptions.brokerprometheusclusterport).toEqual('3016-c');
+		expect(goptions.brokerservicename).toEqual('STSBroker-c');
+		expect(goptions.brokerserviceversion).toEqual('1.0.0-c');
+		expect(goptions.brokerapiidentifier).toEqual('testapiidentifierfilecontents');
+		expect(goptions.brokerapiidentifierfile).toEqual('testapiidentifierFile');
+		expect(goptions.brokerclientid).toEqual('testclientidfilecontents');
+		expect(goptions.brokerclientidfile).toEqual('testclientidfile'); // testclientidfile
+		expect(goptions.brokerclientsecret).toEqual('testclientsecretfilecontents');
+		expect(goptions.brokerclientsecretfile).toEqual('testclientsecretfile');
+	});
+
 	test('Checking default additional config items', async () => 
 	{
 		expect.assertions(22);
@@ -189,5 +218,24 @@ describe("Test configured settings", () =>
 		expect(goptions.httpsserverkeypath).toEqual('/var/lib/sts/stsglobalresources/keys/server.key-c');
 		expect(goptions.httpsservercertpath).toEqual('/var/lib/sts/stsglobalresources/keys/server.cert-c');
 	});
+
+	test('Checking JWKS config items', async () => 
+	{
+		expect.assertions(10);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.tsjwkskeys).toEqual(30);
+		expect(goptions.tsjwksstorepath).toEqual('testclientsecretfilecontents');
+		expect(goptions.tsjwksstorepathfile).toEqual('testclientsecretfile');
+		expect(goptions.tsjwksstorepublicpath).toEqual('/var/lib/sts/stsglobalresources/.well-known/jwks.json-c');
+		expect(goptions.jwksAuthConfigCache).toEqual(false);
+		expect(goptions.jwksAuthConfigCacheMaxEntries).toEqual(50);
+		expect(goptions.jwksAuthConfigCacheMaxAge).toEqual(6000000);
+		expect(goptions.jwksAuthConfigRateLimit).toEqual(false);
+		expect(goptions.jwksAuthConfigRateLimitRequestsPerMinute).toEqual(100);
+		expect(goptions.jwksAuthConfigTimeout).toEqual(300000);
+	});
 });
 

package/stsconfig-default.test.js

@@ -114,7 +114,7 @@ describe("Test explicit default config settings", () =>
 
 	test('Checking default authentication service config', async () => 
 	{
-		expect.assertions(21);
+		expect.assertions(27);
 
 		process.env.STSENVFILE = './.env-default'; // Empty environment file
 		let goptions = require('./stsconfig.js').$options;
@@ -122,7 +122,9 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.asendpoint).toEqual('http://localhost');
 		expect(goptions.ashostport).toEqual('3002');
 		expect(goptions.asport).toEqual('3002');
-		expect(goptions.asapiroot).toEqual('/stsauth/v1');
+		expect(goptions.asapiroot).toEqual('/stsauth/v1.0');
+		expect(goptions.asoauthapiroot).toEqual('/oauth2/v2.0');
+		expect(goptions.asadminapiroot).toEqual('/admin/v1.0');
 		expect(goptions.asprometheussupport).toEqual(true);
 		expect(goptions.asprometheusclusterport).toEqual('3012');
 		expect(goptions.asservicename).toEqual('STSAuth');
@@ -131,6 +133,10 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.aspublickeypath).toEqual('/var/lib/sts/stsglobalresources/keys/public.key');
 		expect(goptions.asapiidentifier).toEqual('https://stsmda.com.au/stsauthapi/v1.0/');
 		expect(goptions.asapiidentifierfile).toEqual(undefined);
+		expect(goptions.asoauthapiidentifier).toEqual('https://stsmda.com.au/stsauthoauthapi/v2.0/');
+		expect(goptions.asoauthapiidentifierfile).toEqual(undefined);
+		expect(goptions.asadminapiidentifier).toEqual('https://stsmda.com.au/stsauthadminapi/v1.0/');
+		expect(goptions.asadminapiidentifierfile).toEqual(undefined);
 		expect(goptions.asclientid).toEqual(undefined);
 		expect(goptions.asclientidfile).toEqual(undefined);
 		expect(goptions.asclientsecret).toEqual(undefined);
@@ -159,6 +165,29 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.trclientsecretfile).toEqual(undefined);
 	});
 
+	test('Checking default broker service config', async () => 
+	{
+		expect.assertions(14);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.brokerendpoint).toEqual('http://localhost');
+		expect(goptions.brokerhostport).toEqual('3006');
+		expect(goptions.brokerport).toEqual('3006');
+		expect(goptions.brokerapiroot).toEqual('/stsbroker/v1.0');
+		expect(goptions.brokerprometheussupport).toEqual(true);
+		expect(goptions.brokerprometheusclusterport).toEqual('3016');
+		expect(goptions.brokerservicename).toEqual('STSBroker');
+		expect(goptions.brokerserviceversion).toEqual('1.0.0');
+		expect(goptions.brokerapiidentifier).toEqual(undefined);
+		expect(goptions.brokerapiidentifierfile).toEqual(undefined);
+		expect(goptions.brokerclientid).toEqual(undefined);
+		expect(goptions.brokerclientidfile).toEqual(undefined);
+		expect(goptions.brokerclientsecret).toEqual(undefined);
+		expect(goptions.brokerclientsecretfile).toEqual(undefined);
+	});
+
 	test('Checking default additional config items', async () => 
 	{
 		expect.assertions(22);
@@ -189,5 +218,24 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.httpsserverkeypath).toEqual('/var/lib/sts/stsglobalresources/keys/server.key');
 		expect(goptions.httpsservercertpath).toEqual('/var/lib/sts/stsglobalresources/keys/server.cert');
 	});
+
+	test('Checking JWKS config items', async () => 
+	{
+		expect.assertions(10);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.tsjwkskeys).toEqual(3);
+		expect(goptions.tsjwksstorepath).toEqual('/var/lib/sts/stsglobalresources/.stsauthprivate/jwks-private.json');
+		expect(goptions.tsjwksstorepathfile).toEqual(undefined);
+		expect(goptions.tsjwksstorepublicpath).toEqual('/var/lib/sts/stsglobalresources/.well-known/jwks.json');
+		expect(goptions.jwksAuthConfigCache).toEqual(true);
+		expect(goptions.jwksAuthConfigCacheMaxEntries).toEqual(5);
+		expect(goptions.jwksAuthConfigCacheMaxAge).toEqual(600000);
+		expect(goptions.jwksAuthConfigRateLimit).toEqual(true);
+		expect(goptions.jwksAuthConfigRateLimitRequestsPerMinute).toEqual(10);
+		expect(goptions.jwksAuthConfigTimeout).toEqual(30000);
+	});
 });
 

package/stsconfig.js

@@ -163,11 +163,11 @@ const defconfig =
 	,ashostport: (process.env.AS_HOST_PORT === undefined ? "3002" : process.env.AS_HOST_PORT)
 	// Auth Server port (client port to access the service)
 	,asport: (process.env.AS_PORT === undefined ? "3002" : process.env.AS_PORT)
-	// Auth Server endpoint
+	// Auth Server API root.
 	,asapiroot: (process.env.AS_API_ROOT === undefined ? "/stsauth/v1.0" : process.env.AS_API_ROOT)
-	// Auth Server API Identifier.
+	// Auth Server OAuth2 API root.
 	,asoauthapiroot: (process.env.AS_OAUTH_API_ROOT === undefined ? "/oauth2/v2.0" : process.env.AS_OAUTH_API_ROOT)
-	// Auth Server Admin API Identifier.
+	// Auth Server Admin API root.
 	,asadminapiroot: (process.env.AS_ADMIN_API_ROOT === undefined ? "/admin/v1.0" : process.env.AS_ADMIN_API_ROOT)
 	// Auth Server API Identifier.
 	,asapiidentifier: (process.env.AS_API_IDENTIFIER === undefined ? 'https://stsmda.com.au/stsauthapi/v1.0/' : process.env.AS_API_IDENTIFIER)
@@ -214,7 +214,41 @@ const defconfig =
 	,asprivatekeypath: (process.env.AS_PRIVATE_KEY_PATH === undefined ? "/var/lib/sts/stsglobalresources/keys/private.key" : process.env.AS_PRIVATE_KEY_PATH)
 	// Auth Server - [DEPRECATED] Public Key (when using JWT)
 	,aspublickeypath: (process.env.AS_PUBLIC_KEY_PATH === undefined ? "/var/lib/sts/stsglobalresources/keys/public.key" : process.env.AS_PUBLIC_KEY_PATH)
-	
+
+	// STS Broker Server
+	// ---------------
+	// The STS broker server is a BFF service used for STS SPAs. The service will use 1st party secured cookies for session management.
+	// The service also provides proxy API access to other STS and/or external services.
+	//
+	// STSBroker Server endpoint
+	,brokerendpoint: (process.env.BROKER_ENDPOINT === undefined ? "http://localhost" : process.env.BROKER_ENDPOINT)
+	// STSBroker Server port (listen port for the service)
+	,brokerhostport: (process.env.BROKER_HOST_PORT === undefined ? "3006" : process.env.BROKER_HOST_PORT)
+	// STSBroker Server port (client port to access the service)
+	,brokerport: (process.env.BROKER_PORT === undefined ? "3006" : process.env.BROKER_PORT)
+	// STSBroker Server endpoint
+	,brokerapiroot: (process.env.BROKER_APIROOT === undefined ? "/stsbroker/v1.0" : process.env.BROKER_APIROOT)
+	// STSBroker API Identifier. This value will be used as the audience parameter on authorization calls (OAuth2 client credentials flow).
+	,brokerapiidentifier: process.env.BROKER_API_IDENTIFIER
+	// STSBroker API Identifier file. This value will be used as the audience parameter on authorization calls (OAuth2 client credentials flow).
+	,brokerapiidentifierfile: process.env.BROKER_API_IDENTIFIER_FILE
+	// STSBroker Prometheus metric support
+	,brokerprometheussupport: (process.env.BROKER_PROM_SUPPORT === undefined ? true : (process.env.BROKER_PROM_SUPPORT === "true" ? true : false))
+	// STSBroker Cluster Server port (port used for cluster prometheus scrapes). Service will listen on this port at mount point /metrics
+	,brokerprometheusclusterport: (process.env.BROKER_PROM_CLUSTER_PORT === undefined ? "3016" : process.env.BROKER_PROM_CLUSTER_PORT)
+	// STSBroker Service Name
+	,brokerservicename: (process.env.BROKER_SERVICE_NAME === undefined ? "STSBroker" : process.env.BROKER_SERVICE_NAME)
+	// STSBroker Service Version
+	,brokerserviceversion: (process.env.BROKER_SERVICE_VERSION === undefined ? "1.0.0" : process.env.BROKER_SERVICE_VERSION)
+	// STSBroker Server client ID. Used for oauth2 client credentials flow.
+	,brokerclientid: process.env.BROKER_CLIENT_ID
+	// STSBroker Server client ID file. Used for oauth2 client credentials flow.
+	,brokerclientidfile: process.env.BROKER_CLIENT_ID_FILE
+	// STSBroker Server client secret. Used for oauth2 client credentials flow.
+	,brokerclientsecret: process.env.BROKER_CLIENT_SECRET
+	// STSBroker Server client secret file. Used for oauth2 client credentials flow.
+	,brokerclientsecretfile: process.env.BROKER_CLIENT_SECRET_FILE
+
 	// STS Test Runner Prometheus metric support
 	,trprometheussupport: (process.env.TR_PROM_SUPPORT === undefined ? true : (process.env.TR_PROM_SUPPORT === "true" ? true : false ))
 	// STS Test Runner Cluster Server port (port used for cluster prometheus scrapes)
@@ -355,6 +389,26 @@ const defconfig =
 	,tsjwksstorepathfile: process.env.TS_JWKS_STORE_PATH_FILE
 	// File path for JWKS public store data. This file will contain only the public signing keys for the JWKS store.
 	,tsjwksstorepublicpath: (process.env.TS_JWKS_STORE_PUBLIC_PATH === undefined ? "/var/lib/sts/stsglobalresources/.well-known/jwks.json" : process.env.TS_JWKS_STORE_PUBLIC_PATH)
+
+	// JWKS Authentication Configuration Settings
+	// Ref: https://github.com/auth0/node-jwks-rsa
+	// Enables a LRU cache. Ref: https://github.com/auth0/node-jwks-rsa#caching
+	,jwksAuthConfigCache: (process.env.JWKS_AUTH_CONFIG_CACHE === undefined ? true : (process.env.JWKS_AUTH_CONFIG_CACHE === "true" ? true : false ))
+
+	// Maximum number of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+	,jwksAuthConfigCacheMaxEntries: (process.env.JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES === undefined ? 5 : parseInt(process.env.JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES))
+
+	// Maximum age of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+	,jwksAuthConfigCacheMaxAge: (process.env.JWKS_AUTH_CONFIG_CACHE_MAX_AGE === undefined ? 600000 : parseInt(process.env.JWKS_AUTH_CONFIG_CACHE_MAX_AGE))
+
+	// Enforce rate limiting for jwks public endpoint query. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+	,jwksAuthConfigRateLimit: (process.env.JWKS_AUTH_CONFIG_RATE_LIMIT === undefined ? true : (process.env.JWKS_AUTH_CONFIG_RATE_LIMIT === "true" ? true : false ))
+
+	// Enforce rate limiting maximum number of requests per minute. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+	,jwksAuthConfigRateLimitRequestsPerMinute: (process.env.JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE === undefined ? 10 : parseInt(process.env.JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE))
+
+	// Timeout for the public endpoint query. Note: This will be ignored if an http/https agent is specified.
+	,jwksAuthConfigTimeout: (process.env.JWKS_AUTH_CONFIG_TIMEOUT === undefined ? 30000 : parseInt(process.env.JWKS_AUTH_CONFIG_TIMEOUT))
 }
 
 const ReadFile = (passwordFile) => {
@@ -374,18 +428,23 @@ const fileconfig = [
 	{ fileprop: 'dbpasswordfile', prop: 'dbpassword' },
 	// API identifier file processing
 	{ fileprop: 'asapiidentifierfile', prop: 'asapiidentifier' },
+	{ fileprop: 'asoauthapiidentifierfile', prop: 'asoauthapiidentifier' },
+	{ fileprop: 'asadminapiidentifierfile', prop: 'asadminapiidentifier' },
 	{ fileprop: 'rest01apiidentifierfile', prop: 'rest01apiidentifier' },
+	{ fileprop: 'brokerapiidentifierfile', prop: 'brokerapiidentifier' },
 	{ fileprop: 'toapiidentifierfile', prop: 'toapiidentifier' },
 	{ fileprop: 'imapiidentifierfile', prop: 'imapiidentifier' },
 	// Client ID file processing
 	{ fileprop: 'asclientidfile', prop: 'asclientid' },
 	{ fileprop: 'rest01clientidfile', prop: 'rest01clientid' },
+	{ fileprop: 'brokerclientidfile', prop: 'brokerclientid' },
 	{ fileprop: 'toclientidfile', prop: 'toclientid' },
 	{ fileprop: 'imclientidfile', prop: 'imclientid' },
 	{ fileprop: 'trclientidfile', prop: 'trclientid' },
 	// Client secret file processing
 	{ fileprop: 'asclientsecretfile', prop: 'asclientsecret' },
 	{ fileprop: 'rest01clientsecretfile', prop: 'rest01clientsecret' },
+	{ fileprop: 'brokerclientsecretfile', prop: 'brokerclientsecret' },
 	{ fileprop: 'toclientsecretfile', prop: 'toclientsecret' },
 	{ fileprop: 'imclientsecretfile', prop: 'imclientsecret' },
 	{ fileprop: 'trclientsecretfile', prop: 'trclientsecret' },