Merge branch 'RESTAPI-fix-documentation-issues' into 'master'

Allow multiple OIDC signature type See merge request firecrest/firecrest!301
eth-cscs · May 23, 2024 · c6199e1 · c6199e1
2 parents ed52231 + 3714dfd
commit c6199e1
Show file tree

Hide file tree

Showing 15 changed files with 181 additions and 117 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -15,15 +15,15 @@
                 "PYTHONPATH": "${workspaceFolder}/src/common",
                 "FLASK_APP": "tasks:app",
                 "FLASK_DEBUG": "1",
-                "F7T_REALM_RSA_TYPE":"RS256",
+                "F7T_AUTH_ALGORITHMS":"RS256",
                 "F7T_LOG_PATH":"${workspaceFolder}/logs/",
                 "F7T_PERSIST_HOST":"localhost",
                 "F7T_PERSIST_PORT":"6379",
                 "F7T_PERSIST_PWD":"rediS2200",
                 "F7T_TASKS_PORT":"5003",
                 "F7T_COMPUTE_TASK_EXP_TIME":"86400",
                 "F7T_STORAGE_TASK_EXP_TIME":"2678400",
-                "F7T_REALM_RSA_PUBLIC_KEY":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB"
+                "F7T_AUTH_PUBLIC_KEYS":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB"
 
             },
             "args": [
@@ -46,15 +46,15 @@
                 "F7T_SYSTEMS_PUBLIC":"cluster;cluster",
                 "F7T_STATUS_SERVICES":"certificator;utilities;compute;tasks;storage;reservations",
                 "F7T_STATUS_SYSTEMS":"192.168.220.12:22;192.168.220.12:22",
-                "F7T_REALM_RSA_TYPE":"RS256",
+                "F7T_AUTH_ALGORITHMS":"RS256",
                 "F7T_LOG_PATH":"${workspaceFolder}/logs/",
                 "F7T_PERSISTENCE_IP":"localhost",
                 "F7T_PERSIST_PORT":"6379",
                 "F7T_PERSIST_PWD":"rediS2200",
                 "F7T_TASKS_PORT":"5003",
                 "F7T_COMPUTE_TASK_EXP_TIME":"86400",
                 "F7T_STORAGE_TASK_EXP_TIME":"2678400",
-                "F7T_REALM_RSA_PUBLIC_KEY":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB"
+                "F7T_AUTH_PUBLIC_KEYS":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB"
 
             },
             "args": [

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.16.1]
+
+### Added
+
+- Support for multiple JWT signature algorithms
+
+### Changed
+
+- Variable `F7T_REALM_RSA_PUBLIC_KEYS` changed to `F7T_AUTH_PUBLIC_KEYS` 
+- Variable `F7T_REALM_RSA_TYPE_` changed to `F7T_AUTH_ALGORITHMS` 
+
+
+### Fixed
+
 ## [1.16.0]
 
 ### Added

diff --git a/deploy/demo/common/common.env b/deploy/demo/common/common.env
@@ -5,16 +5,16 @@
 # Authorization:  JWT token as generated by Keycloak: {"Authorization:", "Bearer fjfk..."}
 F7T_AUTH_HEADER_NAME=Authorization
 # If F7T_AUTH_HEADER_NAME = Authorization, it can also check REALM_RSA_PUBLIC_KEY: RSA key from KeyCloak Realm which signs token.
-# F7T_REALM_RSA_PUBLIC_KEY="MII....QAB"
+# F7T_AUTH_PUBLIC_KEYS="MII....QAB"
 # use 1 line without headers ("-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----")
-F7T_REALM_RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB'
+F7T_AUTH_PUBLIC_KEYS='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB'
 #kid: "fVc6h439Xv...."
 F7T_AUTH_TOKEN_ISSUER='http://localhost:8080/auth/realms/kcrealm'
 # specify Audience established by Keycloak, leave empty to skip verification
 F7T_AUTH_TOKEN_AUD=''
 # Keycloak scope for clients:
 F7T_AUTH_REQUIRED_SCOPE='firecrest'
-F7T_REALM_RSA_TYPE=RS256
+F7T_AUTH_ALGORITHMS=RS256
 # AUTHENTICATION ROLE for FirecREST Service Accounts
 F7T_AUTH_ROLE='firecrest-sa'
 # DEBUG FLAG

diff --git a/deploy/demo/source/kong/update_kong_config.sh b/deploy/demo/source/kong/update_kong_config.sh
@@ -19,7 +19,7 @@ echo "F7T_HTTP_SCHEMA: $F7T_HTTP_SCHEMA"
 
 # use '#' to separate string because '/' and ':' are valid on URLs
 sed -e 's#F7T_AUTH_TOKEN_ISSUER#'${F7T_AUTH_TOKEN_ISSUER}'#' \
-    -e 's#F7T_REALM_RSA_PUBLIC_KEY#'${F7T_REALM_RSA_PUBLIC_KEY}'#' \
+    -e 's#F7T_AUTH_PUBLIC_KEYS#'${F7T_AUTH_PUBLIC_KEYS}'#' \
     -e 's#F7T_COMPUTE_HOST#'${F7T_COMPUTE_HOST}'#' \
     -e 's#F7T_COMPUTE_PORT#'${F7T_COMPUTE_PORT}'#' \
     -e 's#F7T_STATUS_HOST#'${F7T_STATUS_HOST}'#' \

diff --git a/deploy/k8s/config/templates/_helpers.tpl b/deploy/k8s/config/templates/_helpers.tpl
@@ -1,15 +1,15 @@
 {{- define "list.listPubKeys" -}}
 {{- $map := dict }}
 {{- range .Values.global.auth }}
-{{- $_ := set $map .F7T_AUTH_REALM_PUBKEY ""}}
+{{- $_ := set $map .F7T_AUTH_PUBKEY ""}}
 {{- end }}
 {{- keys $map | join ";" }}
 {{- end }}
 
 {{- define "list.listPubKeyTypes" -}}
 {{- $map := dict }}
 {{- range .Values.global.auth }}
-{{- $_ := set $map .F7T_AUTH_REALM_TYPE ""}}
+{{- $_ := set $map .F7T_AUTH_ALGORITHM ""}}
 {{- end }}
 {{- keys $map | join ";" }}
 {{- end }}
diff --git a/deploy/k8s/config/templates/cm.common.yaml b/deploy/k8s/config/templates/cm.common.yaml
@@ -26,8 +26,8 @@ data:
   F7T_LOG_TYPE: "stdout"
   F7T_GUNICORN_LOG: ""
   F7T_OBJECT_STORAGE: "{{ .Values.F7T_OBJECT_STORAGE }}"
-  F7T_REALM_RSA_PUBLIC_KEY: '{{ include "list.listPubKeys" . }}'
-  F7T_REALM_RSA_TYPE: '{{ include "list.listPubKeyTypes" . }}'
+  F7T_AUTH_PUBLIC_KEYS: '{{ include "list.listPubKeys" . }}'
+  F7T_AUTH_ALGORITHMS: '{{ include "list.listPubKeyTypes" . }}'
   F7T_SSH_CERTIFICATE_WRAPPER_ENABLED: "{{ .Values.F7T_SSH_CERTIFICATE_WRAPPER_ENABLED }}"
   F7T_SSL_ENABLED: "{{ .Values.F7T_SSL_ENABLED }}"
   F7T_SSL_CRT: "{{ .Values.F7T_SSL_CRT }}"

diff --git a/deploy/k8s/kong/templates/cm.kong.yaml b/deploy/k8s/kong/templates/cm.kong.yaml
@@ -51,8 +51,8 @@ items:
       {{- range .Values.global.auth }}
       - jwt_secrets:
         - key: "{{ .F7T_AUTH_ISSUER }}"
-          algorithm: "{{ .F7T_AUTH_REALM_TYPE }}"
-          rsa_public_key: "-----BEGIN PUBLIC KEY-----\n{{ .F7T_AUTH_REALM_PUBKEY }}\n-----END PUBLIC KEY-----"
+          algorithm: "{{ .F7T_AUTH_ALGORITHM }}"
+          rsa_public_key: "-----BEGIN PUBLIC KEY-----\n{{ .F7T_AUTH_PUBKEY }}\n-----END PUBLIC KEY-----"
         username: "{{ .username }}"
       {{- end }}
       

diff --git a/deploy/k8s/values-dev.yaml b/deploy/k8s/values-dev.yaml
@@ -99,5 +99,5 @@ global:
   auth:
     - username: kc-demo
       F7T_AUTH_ISSUER: "http://svc-keycloak:8080/auth/realms/kcrealm"
-      F7T_AUTH_REALM_PUBKEY: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB'
-      F7T_AUTH_REALM_TYPE: "RS256"
+      F7T_AUTH_PUBKEY: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB'
+      F7T_AUTH_ALGORITHM: "RS256"
diff --git a/deploy/test-build/environment/common.env b/deploy/test-build/environment/common.env
@@ -7,14 +7,14 @@ F7T_AUTH_HEADER_NAME=Authorization
 # If AUTH_HEADER_NAME = Authorization, it can also check REALM_RSA_PUBLIC_KEY: RSA key from KeyCloak Realm which signs token.
 # REALM_RSA_PUBLIC_KEY="MII....QAB"
 # use 1 line without headers ("-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----")
-F7T_REALM_RSA_PUBLIC_KEY=
+F7T_AUTH_PUBLIC_KEYS=
 #kid: "fVc6h439Xv...."
 F7T_AUTH_TOKEN_ISSUER=''
 # specify Audience established by Keycloak, leave empty to skip verification
 F7T_AUTH_TOKEN_AUD=''
 # Keycloak scope for clients:
 F7T_AUTH_REQUIRED_SCOPE=''
-F7T_REALM_RSA_TYPE=RS256
+F7T_AUTH_ALGORITHMS=RS256
 # AUTHENTICATION ROLE for FirecREST Service Accounts
 F7T_AUTH_ROLE=''
 # DEBUG FLAG

diff --git a/doc/configuration.md b/doc/configuration.md
@@ -34,8 +34,8 @@ The most complete way of installing is to setup 3 hosts:
 
 | **Name** | **Needs to be configured?** | **Default value** | **Definition** | **Hosts where it's used** | **Change from this version** | 
 | ------ | -----------  | ------ | ----- | ---- | ----------------- |
-|`F7T_REALM_RSA_PUBLIC_KEY`      | **YES** | `''`  | Value of [OIDC/OAuth2 Server Public Client Keys](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1). This is the public key used for the Identity Provider (IdP) to sign the [JWT Access Token](https://jwt.io/introduction). If there are more than one IdP, list the public keys in a semicolon separated list | `Backend`, `Certificator`, `Gateway` | |
-|`F7T_REALM_RSA_TYPE`            | **YES** | `''`  | Value of [cryptographic algorithm used to sign JWT](https://datatracker.ietf.org/doc/html/rfc7518#section-3). Values are found in the `alg` part of the header of the JWT (`"alg": "RS256"`, `"alg": "HS256"`, etc). If there are more than one IdP, list algorithms in a semicolon separated list following the order of the keys in `F7T_REALM_RSA_PUBLIC_KEY` | `Backend`, `Certificator`, `Gateway` | |
+|`F7T_AUTH_PUBLIC_KEYS`      | **YES** | `''`  | Value of [OIDC/OAuth2 Server Public Client Keys](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1). This is the public key used for the Identity Provider (IdP) to sign the [JWT Access Token](https://jwt.io/introduction). If there are more than one IdP, list the public keys in a semicolon separated list | `Backend`, `Certificator`, `Gateway` | |
+|`F7T_AUTH_ALGORITHMS`            | **YES** | `'RS256'`  | Value of [cryptographic algorithm used to sign JWT](https://datatracker.ietf.org/doc/html/rfc7518#section-3). Values are found in the `alg` part of the header of the JWT (`"alg": "RS256"`, `"alg": "HS256"`, etc). If there are more than one IdP, list algorithms in a semicolon separated list following the order of the keys in `F7T_AUTH_PUBLIC_KEYS` | `Backend`, `Certificator`, `Gateway` | |
 |`F7T_SYSTEMS_PUBLIC_NAME`            | **YES** | `''`  | Public name(s) of the systems/HPC clusters interfaced by FirecREST. This name is a "familiar" name for users/clients. If more than one system is interfaced by FirecREST, then set this value with a semicolon separated list of names | `Backend` | Replaces `F7T_SYSTEMS_PUBLIC` |
 |`F7T_SYSTEMS_INTERNAL_ADDR`  | **YES** | `''`  | Internal socket address  (DNS or IP, and SSH port), in the form `<DNS_or_IP>:<SSH_port>`, of the host used for SSH connection and command execution in relative order of `F7T_SYSTEMS_PUBLIC_NAME` (example: `192.168.220.12:22`, `cluster01.svc.com:22;cluster02.svc.com:22`). This is usually a **"login node"** of the HPC system| `Backend` | New on this version |
 |`F7T_STATUS_SERVICES`           | **YES** | `''`  | Semicolon separated list of FirecREST services to report status (example: `compute;storage;utilities`) |  `Backend` |
@@ -95,6 +95,7 @@ The most complete way of installing is to setup 3 hosts:
 |`F7T_SPANK_PLUGIN_OPTION` | only if `F7T_SPANK_PLUGIN_ENABLED=True` | `--nohome`| Name of the option to use in the workload manager command. If there is more than one system configured, there should be a semicolon separated list in relative order to `F7T_SYSTEMS_PUBLIC_NAME` values |  `Backend`|
 |`F7T_COMPUTE_SCHEDULER`  | NO | `'Slurm'`| Set to the name of the of the Workload Manager scheduler adapter class. By default it can be found in `/src/common/schedulers` | `Backend`|
 |`F7T_SSH_CERTIFICATE_WRAPPER_ENABLED`  | NO | `False`| If set to `True` it enables FirecREST to send an SSH Certificate as command for execution. Requires a serverside [SSH ForceCommand](https://shaner.life/the-little-known-ssh-forcecommand/) wrapper | `Backend`| Replaces `F7T_SSH_CERTIFICATE_WRAPPER` |
+|`F7T_CA_KEY_PATH`| NO | `'/ca-key'` | Set the absolute path in the `certificator` container where the Private Key for creating SSH certificates is stored | `Certificator`| 
 |`F7T_PRIV_USER_KEY_PATH`| NO | `'/user-key'` | Set the absolute path in the containers on `Backend` where the user Public Key is stored in order to create SSH certificates |  `Backend` |
 |`F7T_PUB_USER_KEY_PATH`| NO | `'/user-key.pub'` | Set the absolute path in the containers on `Backend` where the user's Private Key is stored in order to create SSH certificates | `Certificator` |
 |`F7T_SYSTEMS_INTERNAL_STATUS_ADDR`   | NO | the value on `F7T_SYSTEMS_INTERNAL_ADDR` | Internal socket address  (DNS or IP, and SSH port) of the host used for **testing system availability via SSH**  in the form `<DNS_or_IP>:<SSH_port>` in relative order of `F7T_SYSTEMS_PUBLIC_NAME` (example: `192.168.220.12:22`, `cluster01.svc.com:22;cluster02.svc.com:22`). **Note**: Set this variable only if you use a dedicated server for  `status` microservice | `Backend` | Replaces `F7T_STATUS_SYSTEMS` |

diff --git a/doc/install.md b/doc/install.md
@@ -75,7 +75,7 @@ This will have to match FirecREST's environment variables: `F7T_AUTH_ROLE` and `
 
 If the variable `F7T_AUTH_REQUIRED_SCOPE` is set, FirecREST checks the field is present on the JWT and that it matches. If empty or undefined, no check is performed.
 
-The environment variable `F7T_REALM_RSA_PUBLIC_KEY` holds the RSA public key from the OIDC provider.
+The environment variable `F7T_AUTH_PUBLIC_KEYS` holds the RSA public key from the OIDC provider.
 It is used to validate JWT tokens included on requests (via 'Authorization' header). If empty, no verification is made on the token, which is only useful for debugging. Additionally, if not running in debug mode (`F7T_DEBUG_MODE`) microservices will log a warning. As some systems are tricky with variables containing multiple lines, define the variable using only one line without headers (`-----BEGIN PUBLIC KEY-----`, `-----END PUBLIC KEY-----`), they will be added by F7T.
 
 For Keycloak, the signing public key and the endpoints can be retrieved from https://KEYCLOAK_URL/auth/realms/REALM_NAME/
@@ -256,7 +256,7 @@ The public key (`user-key.pub`) is only required by Certificator and must be in
 
 The following variables are not required by every microservice, but for simplicity they can be put together in the same file:
 - `F7T_CERTIFICATOR_HOST`, `F7T_COMPUTE_HOST`, `F7T_RESERVATIONS_HOST`, `F7T_STORAGE_HOST`, `F7T_TASKS_HOST`, `F7T_UTILITIES_HOST`: internal HostName, DNS, IP (not exposed to users) used by microservices to communicate between them.
-- `F7T_REALM_RSA_PUBLIC_KEY`, if defined also requires: `F7T_REALM_RSA_TYPE`
+- `F7T_AUTH_PUBLIC_KEYS`, if defined also requires: `F7T_AUTH_ALGORITHMS`
 - `F7T_SYSTEMS_PUBLIC_NAME`: list of systems names, as seen by users.
 
 There are additional options at `doc/configuration.md`