JWT Authentication for REST
In the last few versions, I noticed that Web Applications got some support for JWT Authentication.
I managed to find a documentation page that, I suppose, describes how to configure it.
From this page, I found that I would need to configure the JWT Issuer field, so I did.
And activate JWT Authentication in the Web Application which uses REST; for testing I selected /api/atelier. The documentation mentions the following:
Once configured for JWT authentication, a REST API gains four endpoints that should not be included in the UrlMap in the dispatch class:
- /login — A call to this endpoint using basic HTTP authentication or with valid credentials in the body of the request returns an access token and a refresh token that can be used in subsequent requests.
- /logout — A call to this endpoint, if not using Group-By-ID, invalidates the supplied access token and the associated refresh token. If using Group-By-ID, then all sessions with the current By-ID group are invalidated.
- /refresh — A call to this endpoint issues a new access and refresh token pair when invoked with a valid refresh token. This invalidates the previous access and refresh token pair.
- /revoke — If not using Group-By-ID, this is functionally the same as /logout. If using Group-By-ID, this revokes only the current access and refresh token pair.
To access the /login endpoint and retrieve the access and refresh tokens, make an HTTP POST request without an authentication header and with your credentials in the body in JSON format as below:
{"user": "YOUR USER", "password": "YOUR PASSWORD"}
If the credentials are valid, you receive a response similar to the following:
{
  "access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2ODI3MDc0MTcuNzQ5OTQyLCJleHAiOjE2ODI3MDc0NzcsImlzcyI6IkludGVyU3lzdGVtcyIsInN1YiI6Il9TWVNURU0iLCJzaWQiOiJkWTAxYlJUMGZhQlJybldnQnEyYUZpa1ciLCJhcHAiOiIvYXBpL3R0cmcvIn0.OSxtKf2F6p23wfHKBxnPXvj6cs3fXKWNqc1c0yJ_t0Zpy5cLvLBlRTlufMQIOoNPnQHOHzcN8VWPBzisMoOM-A",
  "refresh_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2ODI3MDc0MTcuNzQ5OTQyLCJleHAiOjE2ODI3MDgzMTcsImlzcyI6IkludGVyU3lzdGVtcyIsInNpZCI6ImRZMDFiUlQwZmFCUnJuV2dCcTJhRmlrVyIsImFwcCI6Ii9hcGkvdHRyZy8ifQ.-28BDQsQYtfTbMpCBxmYtbxiT4UNQSeKS7taKkzRk4tYZkE_5V_WMGffNMj-pU3NgtIku506CIcSuXIxGdEJ5Q",
  "sub": "YOUR USER",
  "iat": 1682707417.749942,
  "exp": 1682707477
}
And then I tried to test it.
Audit has nothing helpful.
So, what did I do wrong? It does not work with my REST either. How do I make it work; is it even supposed to be working?
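As an added example (not part of the original post, and not InterSystems' code), here is a small Python helper that decodes the two sample tokens from the documentation response quoted above: it splits each compact JWT into header, claims and signature and reports the lifetime and the claim set of each. It inspects only; it does not verify the ES256 signature, because the issuer's public key is not available on this page, so none of its output may be used for an authorization decision. The clock value used in the demo is constructed. Running it shows that in this sample the access token expires 60 seconds after its `iat` while the refresh token lives 900 seconds, that the refresh token carries no `sub` claim, and that each ES256 signature is the raw 64-byte r||s value that JWS requires.

```python
import base64
import json
from typing import Any, Dict, Tuple

# Sample tokens copied from the /login response in the documentation excerpt
# quoted above. They are the page's own sample data, not live credentials.
ACCESS_TOKEN = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2ODI3MDc0MTcuNzQ5OTQyLCJleHAiOjE2ODI3MDc0NzcsImlzcyI6IkludGVyU3lzdGVtcyIsInN1YiI6Il9TWVNURU0iLCJzaWQiOiJkWTAxYlJUMGZhQlJybldnQnEyYUZpa1ciLCJhcHAiOiIvYXBpL3R0cmcvIn0.OSxtKf2F6p23wfHKBxnPXvj6cs3fXKWNqc1c0yJ_t0Zpy5cLvLBlRTlufMQIOoNPnQHOHzcN8VWPBzisMoOM-A"
REFRESH_TOKEN = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2ODI3MDc0MTcuNzQ5OTQyLCJleHAiOjE2ODI3MDgzMTcsImlzcyI6IkludGVyU3lzdGVtcyIsInNpZCI6ImRZMDFiUlQwZmFCUnJuV2dCcTJhRmlrVyIsImFwcCI6Ii9hcGkvdHRyZy8ifQ.-28BDQsQYtfTbMpCBxmYtbxiT4UNQSeKS7taKkzRk4tYZkE_5V_WMGffNMj-pU3NgtIku506CIcSuXIxGdEJ5Q"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Dict[str, Any], Dict[str, Any], bytes]:
    """Split a compact JWS into (header, claims, raw signature bytes).

    Inspection only: the signature is returned but NOT checked, so the claims
    are untrusted. Verifying would need the issuer's ES256 public key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    return header, claims, signature


def lifetime_seconds(claims: Dict[str, Any]) -> int:
    """Whole seconds between issue time and expiry (iat is fractional here)."""
    return int(claims["exp"]) - int(claims["iat"])


def is_expired(claims: Dict[str, Any], now: float) -> bool:
    """True once the 'exp' instant has been reached (no leeway applied)."""
    return now >= claims["exp"]


def summarize(token: str, now: float) -> Dict[str, Any]:
    """Collect the facts a reviewer would want about a token from /login."""
    header, claims, signature = decode_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "iss": claims.get("iss"),
        "sub": claims.get("sub"),            # None on the refresh token
        "app": claims.get("app"),            # web application the token is bound to
        "sid": claims.get("sid"),            # session id shared by the pair
        "lifetime_s": lifetime_seconds(claims),
        "expired": is_expired(claims, now),
        # JWS ES256 signatures are the raw r||s pair: 32 + 32 bytes, not DER.
        "signature_bytes": len(signature),
    }


if __name__ == "__main__":
    # Constructed clock: two minutes after the sample tokens were issued.
    _, sample_claims, _ = decode_jwt_unverified(ACCESS_TOKEN)
    now = sample_claims["iat"] + 120
    for name, tok in (("access", ACCESS_TOKEN), ("refresh", REFRESH_TOKEN)):
        print(name, json.dumps(summarize(tok, now), indent=2))
```

The `expired` flag is computed against the constructed clock in the demo; in a real client you would compare against the current time and call /refresh when the access token has lapsed but the refresh token has not, which in this sample gives a 60-second window for the access token and a 900-second one for the refresh token.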
Comments
I used it with no problem for this application:
https://community.intersystems.com/post/quinielaml-working-jwt-authenti…
The error message talks about a restriction for unauthorized access to the %Api.Atelier class; maybe that class overrides the /login?
Your login request technically is an unauthenticated request, which means it uses the account UnknownUser. Since the web application /api/atelier requires user permission on the %Development resource, the request is failing. You could address this by either removing that restriction from the web app or by assigning the %Developer role to UnknownUser. In my opinion, though, neither of those is really ideal.
This article describes the 401 error as well for JWT: https://community.intersystems.com/post/creating-rest-api-jwt-authentic…