diff --git a/platform/core-concepts.mdx b/platform/core-concepts.mdx index 35a499b4..7d027f17 100644 --- a/platform/core-concepts.mdx +++ b/platform/core-concepts.mdx @@ -1,5 +1,5 @@ --- -updated_at: July 28, 2025 +updated_at: September 08, 2025 title: Core Concepts html_title: Smallstep Core Concepts description: High-level overview of Smallstep platform components and concepts, and how they work together to protect your resources and provide strong assurance of device identity. @@ -340,7 +340,7 @@ sequenceDiagram The resource is configured to trust SSO for login. The Single Sign-on (SSO) provider (aka Identity Provider or IdP) is configured to require a hardware-bound device certificate at login. -An important nuance to this pattern is that the IdP only verifies Device Identity during sign-on as a condition of issuing a *bearer token*. The bearer token—not the device certificate—is then used to access the Resource. Bearer tokens can’t be device-bound. They can be exfiltrated **and used on different devices. Key protection is hardware bound **at login, but it is software protected at access time. +An important nuance to this pattern is that the IdP only verifies Device Identity during sign-on as a condition of issuing a *bearer token*. The bearer token—not the device certificate—is then used to access the Resource. Bearer tokens can’t be device-bound. They can be exfiltrated and used on different devices. Key protection is hardware bound at login, but it is software protected at access time. This pattern can be combined with the middlebox pattern, if the middlebox is configured to authenticate the IdP-issued bearer token. diff --git a/tutorials/wifi-authentication-webhooks.mdx b/tutorials/wifi-authentication-webhooks.mdx index 0dcdcbc9..ee430531 100644 --- a/tutorials/wifi-authentication-webhooks.mdx +++ b/tutorials/wifi-authentication-webhooks.mdx 
@@ -30,7 +30,7 @@ Your webhook server should expect the following request format: - Headers: - `X-Smallstep-Webhook-ID:` A UUID for the RADIUS webhook making the request - `X-Smallstep-Signature:` Hex‑encoded HMAC‑SHA256 of the raw request body using the webhook’s signing secret - - `Authorization:` Optional. Either "Bearer " or HTTP Basic auth, if configured. + - `Authorization:` Optional. Either "Bearer <token>" or HTTP Basic auth, if configured. - Body (JSON): - `timestamp`: The RFC8222 timestamp of the request - `x509Certificate`: A JSON representation of the certificate that follows [this data structure](https://github.com/smallstep/crypto/blob/master/x509util/certificate.go#L17). Additionally, there is a `raw` field containing a base64-encoded DER representation of the client certificate.
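Review bot: in the core-concepts hunk, the removal of the two stray `**` markers in the "An important nuance to this pattern" paragraph is correct and the sentences now read cleanly; one style nit is that "hardware bound" appears unhyphenated twice in the new line while the same hunk's context line two paragraphs up says "hardware-bound device certificate", so consider "Key protection is hardware-bound at login" for consistency.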
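Review bot: in the wifi-authentication-webhooks hunk, the new `Authorization:` line puts a bare `<token>` inside an `.mdx` file, where MDX parses angle-bracket text as JSX; this is very likely why the previous version rendered as `"Bearer "` with the placeholder swallowed, and the new line will either render the same way or fail to compile with an unknown component. Suggest wrapping the value in inline code, e.g. `` `Bearer <token>` ``, or escaping it as `\<token>` / `&lt;token&gt;`. While here, the unchanged context line "`timestamp`: The RFC8222 timestamp of the request" looks like a typo; RFC 3339 is the Internet timestamp format, so please verify the intended reference.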