Skip to content

e-gov/TARA-Login

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TARA login service

Overview

TARA login service is a webapp that integrates with the Ory Hydra OIDC server implementation. TARA login service provides login and consent flow implementations. Apache Ignite is used for session persistence between requests.

The webapp provides implementation for following authentication methods:

  • Estonian ID-card
  • Estonian Mobile-ID
  • Estonian Smart-ID
  • Estonian EIDAS

Building the webapp

Requirements:

  • Java (JDK 11+) runtime is required to build and run the webapp.
  • Docker is required to package images, fonts, CSS and JavaScript using npm and gulp.
  • Maven is required to build and test the software.

Building the webapp:

To build the software, execute the following commands in the current (TARA-Login) directory:

docker run --rm -v "${PWD}:/data" -w /data/disain -u $(id -u):$(id -g) node:14 sh -c 'npm install && node_modules/.bin/gulp build'
./mvnw clean package

For Git Bash on Windows:

MSYS_NO_PATHCONV=1 docker run --rm -v "${PWD}:/data" -w /data/disain node:14 sh -c 'npm install && node_modules/.bin/gulp build'
./mvnw clean package

You can find the compiled WAR archive in the target/ directory.

Deploying the webapp

TARA login service is distributed as a WAR archive that can be deployed to a web server that supports Java Servlets (ie Apache Tomcat).

Example: to deploy the webapp to a standalone Tomcat server

  1. Add the tara-login-server-*.war file to Tomcat's webapp directory
  2. Set the location of the configuration file in Tomcat's setenv.sh (see chapter Configuration properties for further details)
    export JAVA_OPTS="$JAVA_OPTS -Dspring.config.additional-location=file:/etc/tara-login-server/application.yml"
    

1 TARA login service configuration properties

Parameter Mandatory Description, example
tara.default-locale No Locale that is used by default. Default et
tara.default-authentication-methods No default authentication methods. Example ID_CARD, MOBILE_ID, SMART_ID, EIDAS
tara.error-report-address Yes E-mail address where users can send error reports. Example [email protected]
tara.auth-flow-timeout Yes Duration till authentication flow timeout. Example 1800s (30min)

1.1 Integration with Ory Hydra service

Parameter Mandatory Description, example
tara.hydra-service.login-url Yes Url to initialize Ory Hydra OIDC server login process
tara.hydra-service.accept-login-url Yes Url to accept Ory Hydra OIDC server login request
tara.hydra-service.reject-login-url Yes Url to reject Ory Hydra OIDC server login request
tara.hydra-service.accept-consent-url Yes Url to accept Ory Hydra OIDC server consent
tara.hydra-service.reject-consent-url Yes Url to reject Ory Hydra OIDC server consent
tara.hydra-service.health-url Yes Ory Hydra service health url
tara.hydra-service.request-timeout-in-seconds No Ory Hydra service request timeout
tara.hydra-service.max-connections-total No Max connection pool size for hydra requests. Defaults to 50
govsso.hydra-service.login-url No Url for requesting GovSSO Ory Hydra login request info
govsso.hydra-service.client-id No TARA client_id that GovSSO uses

1.2 TLS configuration for outbound connections

Parameter Mandatory Description, example
tara.tls.trust-store-location Yes Location of the truststore. Path to the location of the trusted CA certificates. In case the certificate files are to be loaded from classpath, this path should be prefixed with classpath: (example: classpath:tls-truststore.p12). In case the certificate files are to be loaded from disk, this path should be prefixed with file: (exaple file:/etc/tara/tls-truststore.p12).
tara.tls.trust-store-password Yes Truststore password
tara.tls.trust-store-type No Truststore type (jks, pkcs12). Defaults to PKCS12 if not specified
tara.tls.default-protocol No Default protocol (see the list of supported values). Defaults to TLS if not specified
tara.tls.enabled-protocols No List of enabled protocols (see the list of standard names for protocols). Defaults to JVM specific configuration if not specified
tara.tls.enabled-cipher-suites No List of enabled cipher suites (see the list of standard names for cipher suites). Defaults to JVM specific configuration if not specified

1.3 Mobile-ID auth method

Table 1.3.1 - Enabling Mobile-ID authentication

Parameter Mandatory Description, example
tara.auth-methods.mobile-id.enabled No Enable or disable Mobile-ID authentication method. Default false

Table 1.3.2 - Assignig the Level of assurance to authentication method

Parameter Mandatory Description, example
tara.auth-methods.mobile-id.level-of-assurance Yes Level of assurance of this auth method. Example HIGH

Table 1.3.3 - Integration with the SK MID service

Parameter Mandatory Description, example
tara.auth-methods.mobile-id.host-url Yes Mobile-ID authentication service url
tara.auth-methods.mobile-id.truststore-path Yes Path to truststore file. Example. file:src/test/resources/mobileid-truststore-test.p12
tara.auth-methods.mobile-id.truststore-type Yes Type of the truststore from truststore-path. Example. PKCS12
tara.auth-methods.mobile-id.truststore-password Yes Password of the truststore from truststore-path. Example changeit
tara.auth-methods.mobile-id.relying-party-uuid Yes UUID from mobile id contract
tara.auth-methods.mobile-id.relying-party-name Yes Name from mobile id contract
tara.auth-methods.mobile-id.display-text Yes Text to be displayed in user's mobile device. Used as a fallback in case the OIDC client has not registered a short name.
tara.auth-methods.mobile-id.hash-type Yes Type of authentication hash. Possible values SHA256, SHA384, SHA512
tara.auth-methods.mobile-id.connection-timeout-milliseconds No Connection timeout of the MID authentication initiation request. Default 5000
tara.auth-methods.mobile-id.read-timeout-milliseconds No Read timeout used for MID requests. Must be at least 5 seconds longer than MID long polling timeout. Default 35000
tara.auth-methods.mobile-id.long-polling-timeout-seconds No Long polling timeout period used for MID session status requests. Default 30
tara.auth-methods.mobile-id.interval-between-session-status-queries-in-milliseconds No Interval between Mobile-ID status polling queries (from UI to tara-login-service). Default 5000
tara.auth-methods.mobile-id.delay-initiate-mid-session-in-milliseconds No Delay before initiating Mobile-ID session after verification code is displayed. Default 0
tara.auth-methods.mobile-id.delay-status-polling-start-in-milliseconds No Delay before long polling. Default 500

1.4 Smart-ID auth method

Table 1.4.1 - Enabling Smart-ID authentication

Parameter Mandatory Description, example
tara.auth-methods.smart-id.enabled No Enable or disable Smart-ID authentication method. Default false

Table 1.4.2 - Assignig the Level of assurance to authentication method

Parameter Mandatory Description, example
tara.auth-methods.smart-id.level-of-assurance Yes Level of assurance of this auth method. Example HIGH

Table 1.4.3 - Integration with the SK SID service

Parameter Mandatory Description, example
tara.auth-methods.smart-id.host-url Yes Smart-ID authentication service url
tara.auth-methods.smart-id.truststore-path Yes Path to truststore file. Example. file:src/test/resources/ocsp/sid-truststore.p12
tara.auth-methods.smart-id.truststore-type Yes Type of the truststore from truststore-path. Example. PKCS12
tara.auth-methods.smart-id.truststore-password Yes Password of the truststore from truststore-path. Example changeit
tara.auth-methods.smart-id.relying-party-uuid Yes UUID from RIA smart id contract
tara.auth-methods.smart-id.relying-party-name Yes Name from RIA smart id contract
tara.auth-methods.smart-id.display-text Yes Text to be displayed in user's mobile device. Used as a fallback in case the OIDC client has not registered a short name.
tara.auth-methods.smart-id.hash-type No Type of authentication hash. Possible values SHA256, SHA384, SHA512 Default SHA512
tara.auth-methods.smart-id.connection-timeout-milliseconds No Connection timeout of the SID session status requests. Default 5000
tara.auth-methods.smart-id.read-timeout-milliseconds No Read timeout used for SID requests. Must be at least 5 seconds longer than SID long polling timeout. Default 35000
tara.auth-methods.smart-id.long-polling-timeout-milliseconds No Long polling timeout period used for SID session status requests. Default 30000
tara.auth-methods.smart-id.delay-initiate-sid-session-in-milliseconds No Delay before initiating Smart-ID session after verification code is displayed. Default 3000
tara.auth-methods.smart-id.delay-status-polling-start-in-milliseconds No Delay before long polling. Default 500

1.5 ID-card auth method

ID-card authentication has been implemented using Web eID, which consists of a JavaScript library, a browser plugin and the native application to access the ID-card.

Table 1.5.1 - Enabling ID-card authentication

Parameter Mandatory Description, example
tara.auth-methods.id-card.enabled No Enable or disable ID-card authentication method. Default false
tara.auth-methods.id-card.site-origin Yes Web page's origin (scheme (protocol), hostname (domain), and port) where user's browser accesses TARA service from. Web eID browser component embeds web page's origin into authentication token signature and this configuration value must be identical, otherwise signature validation fails. Example: https://example.com

Table 1.5.2 - Assigning the Level of assurance to authentication method

Parameter Mandatory Description, example
tara.auth-methods.id-card.level-of-assurance Yes Level of assurance of this auth method. Allowed values: HIGH, SUBSTANTIAL, LOW.

Table 1.5.3 - Configuring truststore for OCSP responder certificates

Parameter Mandatory Description, example
tara.auth-methods.id-card.truststore-path Yes Path to truststore file. Example file:src/test/resources/idcard-truststore-test.p12
tara.auth-methods.id-card.truststore-type Yes Type of the truststore from truststore-path. Example PKCS12
tara.auth-methods.id-card.truststore-password Yes Password of the truststore from truststore-path. Example changeit

Table 1.5.4 - Explicit configuration of the OCSP service(s)

The webapp allows multiple sets of OCSP configurations to be defined by using the tara.auth-methods.id-card.ocsp[{index}] notation.

Each OCSP configuration can contain the following set of properties:

Parameter Mandatory Description, example
tara.auth-methods.id-card.ocsp[0].issuer-cn Yes Required issuer CN. Example TEST of ESTEID-SK 2015
tara.auth-methods.id-card.ocsp[0].url Yes Ocsp url. Example http://aia.demo.sk.ee/esteid2018
tara.auth-methods.id-card.ocsp[0].nonce-disabled No Determines whether the Ocsp nonce extension is enabled. When enabled a random nonce is sent with the OCSP request and verified in response. Default false
tara.auth-methods.id-card.ocsp[0].accepted-clock-skew-in-seconds No Max clock skew when checking Ocsp response age. Default 2
tara.auth-methods.id-card.ocsp[0].response-lifetime-in-seconds No Max allowed age of the Ocsp response (age is calculated using thisUpdate field int the OCSP response). Default 900
tara.auth-methods.id-card.ocsp[0].connect-timeout-in-milliseconds No Max connect timeout for OCSP request. Default 3000
tara.auth-methods.id-card.ocsp[0].read-timeout-in-milliseconds No Max read timeout for OCSP request. Default 3000
tara.auth-methods.id-card.ocsp[0].responder-certificate-cn No Required responder certificate CN. Example TEST of SK OCSP RESPONDER 2020

NB! A default configuration is used when a user certificate is encountered by a trusted issuer, that has no matching OCSP configuration by the issuer's CN and the user certificate contains the AIA OCSP URL (the configuration will use the default values of the properties listed in Table 4)

Example 1: using SK AIA OCSP only (a non-commercial, best-effort service):

tara:
  auth-methods:
    id-card:
      enabled: true
      level-of-assurance: HIGH
      site-origin: https://example.com
      truststore-path: file:src/test/resources/idcard-truststore-test.p12
      truststore-type: PKCS12
      truststore-password: changeit
      ocsp:
        - issuer-cn: TEST of ESTEID-SK 2015        
          url: https://localhost:9877/esteid2015
          nonce-disabled: true
          connect-timeout-in-milliseconds: 500

        - issuer-cn: TEST of ESTEID2018
          url: http://aia.demo.sk.ee/esteid2018

Example 2: using SK's commercial OCSP only (with subscription only):

tara:
  auth-methods:
    id-card:
      enabled: true
      level-of-assurance: HIGH
      site-origin: https://example.com
      truststore-path: file:src/test/resources/idcard-truststore-test.p12
      truststore-type: PKCS12
      truststore-password: changeit
      ocsp:
        - issuer-cn: ESTEID-SK 2015, ESTEID2018
          url: http://ocsp.sk.ee/          
          responder-certificate-cn: SK OCSP RESPONDER 2015       

Table 1.5.5 - Configuring fallback OCSP service(s)

When the primary OCSP service is not available (ie returns other than HTTP 200 status code, an invalid response Content-Type or the connection times out) a fallback OCSP connection(s) can be configured to query for the certificate status.

In case of multiple fallback configurations per issuer, the execution order is determined by the order of definition in the configuration.

The following properties can be used to configure a fallback OCSP service:

Parameter Mandatory Description, example
tara.auth-methods.id-card.fallback-ocsp[{index}].issuer-cn Yes A comma separated list of certificate issuer CN's. Determines the issuer(s) this fallback configuration will be applied to. Note that the certificate by CN must be present in the truststore (tara.auth-methods.id-card.truststore-path)
tara.auth-methods.id-card.fallback-ocsp[{index}].url Yes HTTP URL of the OCSP service.
tara.auth-methods.id-card.fallback-ocsp[{index}].responder-certificate-cn No Explicit OCSP response signing certificate CN. If not provided, OCSP reponse signer certificate is expected to be issued from the same chain as user-certificate. Note that the certificate referenced by CN must be present in the truststore (tara.auth-methods.id-card.truststore-path)
tara.auth-methods.id-card.fallback-ocsp[{index}].nonce-disabled No Boolean value, that determines whether the nonce extension usage is disabled. Defaults to false if not specified.
tara.auth-methods.id-card.fallback-ocsp[{index}].accepted-clock-skew-in-seconds No Maximum accepted time difference in seconds between OCSP provider and TARA-Server. Defaults to 2, if not specified.
tara.auth-methods.id-card.fallback-ocsp[{index}].response-lifetime-inseconds No Maximum accepted age of an OCSP response in seconds. Defaults to 900 if not specified.
tara.auth-methods.id-card.fallback-ocsp[{index}].connect-timeout-in-milliseconds No Connection timeout in milliseconds. Defaults to 3000, if not specified.
tara.auth-methods.id-card.fallback-ocsp[{index}].read-timeout-in-milliseconds No Connection read timeout in milliseconds. Defaults to 3000 if not specified.

Example: AIA OCSP by default using a static backup OCSP

tara:
  auth-methods:
    id-card:
      enabled: true
      level-of-assurance: HIGH
      site-origin: https://example.com
      truststore-path: file:src/test/resources/idcard-truststore-test.p12
      truststore-type: PKCS12
      truststore-password: changeit
      ocsp:
        - issuer-cn: TEST of ESTEID-SK 2015        
          url: https://aia.demo.sk.ee/esteid2015
          nonce-disabled: true
          connect-timeout-in-milliseconds: 500
        - issuer-cn: ESTEID-SK 2015
          url: http://aia.demo.sk.ee/esteid2015
          nonce-disabled: true
          responder-certificate-cn: TEST of KLASS3-SK 2010

        - issuer-cn: TEST of ESTEID2018
          url: http://aia.demo.sk.ee/esteid2018
        - issuer-cn: ESTEID2018
          url: http://aia.demo.sk.ee/esteid2018
          responder-certificate-cn: TEST of KLASS3-SK 2010
          
      fallback-ocsp:
        - issuer-cn: TEST of ESTEID-SK 2015, TEST of ESTEID2018, ESTEID-SK 2015, ESTEID2018
          url: http://ocsp.sk.ee/          
          responder-certificate-cn: SK OCSP RESPONDER 2015  

1.6 Eidas auth method

Table 1.6.1 - Enabling Eidas authentication

Parameter Mandatory Description, example
tara.auth-methods.eidas.enabled No Enable or disable Eidas authentication method. Default false

Table 1.6.2 - Assignig the Level of assurance to authentication method

Parameter Mandatory Description, example
tara.auth-methods.eidas.client-url Yes Eidas client url. Example. https://eidas-client:8889
tara.auth-methods.eidas.refresh-countries-interval-in-milliseconds No How often allowed countries are requested from Eidas client. Default. 300000
tara.auth-methods.eidas.request-timeout-in-seconds No Eidas client request timeout. Default. 3
tara.auth-methods.eidas.read-timeout-in-seconds No Eidas client read timeout. Default. 3
tara.auth-methods.eidas.max-connections-total No Max connection pool size for eidas client requests. Defaults to 50
tara.auth-methods.eidas.relay-state-cache-duration-in-seconds No Eidas client read timeout. Default. 30
tara.auth-methods.eidas.script-hash No hash to allow inline javascript for eidas redirect. Default. sha256-8lDeP0UDwCO6/RhblgeH/ctdBzjVpJxrXizsnIk3cEQ=

1.7 Legal person attributes

Table 1.7.1 - Enabling legal-person attribute support

Parameter Mandatory Description, example
tara.legal-person-authentication.enabled No Enables or disables the legalperson attribute support and endpoints. Defaults to true if not specified.

Table 1.7.2 - Integration with the Estonian business registry

Parameter Mandatory Description, example
tara.legal-person-authentication.x-road-server-url Yes X-Road security request URL. Example https://localhost:9877/cgi-bin/consumer_proxy
tara.legal-person-authentication.x-road-service-member-class Yes X-Road service member class. Example GOV
tara.legal-person-authentication.x-road-service-instance Yes X-Road service instance. Example ee-dev
tara.legal-person-authentication.x-road-service-member-code Yes X-Road service member code. Example 70000310
tara.legal-person-authentication.x-road-service-subsystem-code Yes X-Road service subsystem code. Example arireg
tara.legal-person-authentication.x-road-client-member-class Yes X-Road client member class. Example GOV
tara.legal-person-authentication.x-road-client-instance Yes X-Road client instance. Example ee-dev
tara.legal-person-authentication.x-road-client-member-code Yes X-Road client member code. Example 70006317
tara.legal-person-authentication.x-road-client-subsystem-code Yes X-Road client subsystem code. Example idp
tara.legal-person-authentication.x-road-server-read-timeout-in-milliseconds No X-Road security server response read timeout in milliseconds. Defaults to 3000 if not specified.
tara.legal-person-authentication.x-road-server-connect-timeout-in-milliseconds No X-Road security server connect timeout in milliseconds. Defaults to 3000 if not specified.
tara.legal-person-authentication.esindus-v2-allowed-types No List of legal person types in arireg.esindus_v2 service response that are considered valid for authentication. Defaults to TÜ,UÜ, OÜ,AS,TÜH,SA,MTÜ if not specified.

1.8 Monitoring

The webapp uses Spring Boot Actuator to enable endpoints for monitoring support. To customize Monitoring, Metrics, Auditing, and more see Spring Boot Actuator documentation.

Parameter Mandatory Description, example
management.endpoints.web.base-path No Base path of heartbeat endpoint. Default /
management.endpoints.web.exposure.exclude No Endpoint IDs that should be excluded or * for all. Example heartbeat Default *
management.endpoints.web.exposure.include No Endpoint IDs that should be included or * for all. Example heartbeat

1.8.1 Custom application health endpoint configuration

The webapp implements custom health endpoint with id heartbeat and custom health indicators with id's oidcServer, truststore. This endpoint is disabled by default.

Request:

curl -X GET https://localhost:8443/heartbeat

Response:

{
	"currentTime": "2021-01-21T11:32:48.955620Z",
	"upTime": "PT11M45S",
	"buildTime": "2021-01-21T11:19:12.785Z",
	"name": "tara-login-server",
	"startTime": "2021-01-21T11:21:03.568Z",
	"commitId": "11111cd7b41f111111dfa93ba2f2cf16b55fef4c",
	"version": "1.0.0-SNAPSHOT",
	"commitBranch": "develop",
	"status": "UP",
	"dependencies": [
	    {
			"name": "ignite",
			"status": "UP"
		},
		{
			"name": "oidcServer",
			"status": "UP"
		},
		{
			"name": "truststore",
			"status": "UP"
		}
	]
}

This endpoint is turned off by default. Here is the minimum required configuration to turn it on:

management:
  endpoints:
    web:
      exposure:
        exclude: ""
        include: "heartbeat"

1.9 Security and session management

1.9.1 Ignite configuration

Ignite is used for storing user’s session information.

Map name Description
spring:session:sessions Session cache. Holds users' session information. Default configuration: cacheMode:PARTITIONED, atomicityMode:ATOMIC, backups:0, expiry: 300s
Parameter Mandatory Description, example
spring.session.timeout No Session timeout. If a duration suffix is not specified, seconds will be used. Default value 300s
ignite.ignite-instance-name No Ignite instance name. Default value tara-ignite
ignite.discovery-spi.ip-finder.addresses Yes Ignite cluster node discovery addresses. Should minimally contain local node ip address. Example value ['192.168.1.1','192.168.1.2']
ignite.ssl-context-factory.key-store-type Yes Ignite key store type. Example value PKCS12
ignite.ssl-context-factory.key-store-file-path Yes Ignite key store path. Example value /test/resources/tls-keystore.p12
ignite.ssl-context-factory.key-store-password Yes Ignite key store password.
ignite.ssl-context-factory.trust-store-type Yes Ignite trust store type. Example value PKCS12
ignite.ssl-context-factory.trust-store-file-path Yes Ignite trust store path. Example value /test/resources/tls-truststore.p12
ignite.ssl-context-factory.trust-store-password Yes Ignite trust store password.
ignite.ssl-context-factory.protocol No Default protocol* (see the list of supported values). Defaults to TLS if not specified
ignite.ssl-context-factory.protocols No List of enabled protocols* (see the list of standard names for protocols). Defaults to JVM specific configuration if not specified
ignite.ssl-context-factory.cipher-suites No List of enabled cipher suites (see the list of standard names for cipher suites). Defaults to JVM specific configuration if not specified

* For Ignite 2.10.0 and older, TLSv1.3 is not supported.

1.10 Security and Session management

Parameter Mandatory Description, example
spring.session.timeout No Session timeout. If a duration suffix is not specified, seconds will be used. Default value 300s
tara.content-security-policy No Content security policy. Default value connect-src 'self'; default-src 'none'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self'; base-uri 'none'; frame-ancestors 'none'; block-all-mixed-content

1.11 Logging configuration

Parameter Mandatory Description, example
tara.masked_field_names No Comma separated field names to mask when structurally logging objects. Default value session_id
Environment variable Mandatory Description, example
LOG_HOME No Log files path. Default value Java IO temp dir (java.io.tmpdir) or /tmp
LOG_FILES_MAX_COUNT No Rolling file appender max files history. Default value 31
LOG_FILE_LEVEL No Log level for file logging. Default value OFF
LOG_CONSOLE_PATTERN No Log files path. Default value %d{yyyy-MM-dd'T'HH:mm:ss.SSS'Z',GMT} [${springAppName}] [%15.15t] %highlight(%-5level) %-40.40logger{39} %green(%marker) [%X{trace.id},%X{transaction.id}] -%X{remoteHost} -%msg%n}
LOG_CONSOLE_LEVEL No Log files path. Default value INFO

Application logs:

${LOG_HOME}/TaraLoginService.%d{yyyy-MM-dd,GMT}.log

Authentication statistics logs:

${LOG_HOME}/TaraLoginServiceStatistics.%d{yyyy-MM-dd,GMT}.log

Statistic logs contain authentication end results with states AUTHENTICATION_SUCCESS, AUTHENTICATION_FAILED or AUTHENTICATION_CANCELED.

1.12 Alerts config

Table 1.12.1 - Alerts service configuration parameters

Parameter Mandatory Description, example
tara.alerts.enabled No Enables alerts update service. Default value false
tara.alerts.host-url Yes Request url used when refreshing alerts list. Example value http://alerts-mock:8080/alerts
tara.alerts.connection-timeout-milliseconds No Connection timeout in milliseconds. Default value 3000
tara.alerts.read-timeout-milliseconds No Read timeout in milliseconds. Default value 3000
tara.alerts.refresh-alerts-interval-in-milliseconds No How often alerts are requested from the configured alerts url. Default. 600000
tara.alerts.alerts-cache-duration-in-seconds No How long alerts request results are kept in cache, in case next refresh fails. Default. 86400

Table 1.12.2 - Static alert configuration parameters

Parameter Mandatory Description, example
tara.alerts.static-alert.message-templates[x].message No Static alert message.
tara.alerts.static-alert.message-templates[x].locale No Static alert message locale. Example value: et

Where x denotes index. Example:

tara.alerts.static-alert.message-templates[0].message=Tegemist on testkeskkonnaga ja autentimiseks vajalik info on <a href="https://e-gov.github.io/TARA-Doku/Testimine#testimine-testnumbrite-ja-id-kaardiga">TARA dokumentatsioonis</a>!
tara.alerts.static-alert.message-templates[0].locale=en
tara.alerts.static-alert.message-templates[1].message=This is a test environment and necessary credentials for testing is available in <a href="https://e-gov.github.io/TARA-Doku/Testimine#testimine-testnumbrite-ja-id-kaardiga">TARA documentation</a>!
tara.alerts.static-alert.message-templates[1].locale=en

APPENDIX

API specification

API description in OpenAPI format can be found here.