This 3-part series of articles shows how you can use IAM to add security, following the OAuth 2.0 standards, to a previously unauthenticated service deployed in IRIS. The [first part](https://community.intersystems.com/post/securing-your-apis-oauth-20-intersystems-api-management-%E2%80%93-part-1) provided some OAuth 2.0 background together with the initial IRIS and IAM definitions and configurations needed to understand the whole process of securing your services. This part discusses and shows in detail the steps needed to configure IAM to validate the access token present in the incoming request and forward the request to the backend if the validation succeeds. The [last part](https://community.intersystems.com/post/securing-your-apis-oauth-20-intersystems-api-management-%E2%80%93-part-3) of this series discusses and demonstrates the configuration needed for IAM to generate an access token (acting as an authorization server) and validate it, together with some important final considerations. If you want to try IAM, please contact your InterSystems Sales Representative.

Scenario 1: IAM as an access token validator

In this scenario, an external authorization server generates an access token in JWT (JSON Web Token) format. This JWT is signed with the RS256 algorithm using the authorization server's private key. To verify the JWT signature, the other party (in this case IAM) needs the matching public key, provided by the authorization server. The JWT generated by the external authorization server also includes, in its body, a claim called “exp” containing the timestamp at which the token expires, and another claim called “iss” containing the address of the authorization server. Therefore, before forwarding the request to IRIS, IAM needs to verify the JWT signature with the authorization server's public key and check the expiration timestamp contained in the “exp” claim. To configure that in IAM, let's start by adding a plugin called “JWT” to our “SampleIRISService” in IAM. To do so, go to the Services page in IAM and copy the id of the “SampleIRISService”; we are going to use it later.

After that, go to Plugins, click the “New Plugin” button, locate the “JWT” plugin and click Enable.


In the following page, paste the “SampleIRISService” id in the “service\_id” field and select the box “exp” in the “config.claims\_to_verify” parameter.


Note the value of the parameter “config.key\_claim\_name” is “iss”. We are going to use that later. Then, hit the “Create” button. Done that, go to the “Consumers” section in the left menu and click in our previously created “ClientApp”. Go to the “Credentials” tab and click the button “New JWT Credential”.

In the following page, select the algorithm used to sign the JWT (in this case RS256) and paste the public key in the “rsa\_public\_key” field (this is the public key provided to you by the authorization server in PEM format). In the “key” field, you need to insert the content of the JWT claim that you entered in the “config.key\_claim\_name” field when adding the JWT plugin. Therefore, in this case, I need to insert the content of the iss claim of my JWT, which, in my case, is the address of the authorization server.

After that, click the “Create” button.
Hint: for debugging purposes, there is an online tool that decodes a JWT so you can check the claims and their values, and verify its signature by pasting the public key. Here is the link to this online tool: https://jwt.io/#debugger
Now, with the JWT plugin added, it is no longer possible to send the request without authentication. As you can see below, a simple GET request with no authentication to the URL **http://iamhost:8000/event/1** returns an unauthorized message together with the status code “401 Unauthorized”.

In order to get results from IRIS, we need to add the JWT to the request. Therefore, we first need to request the JWT from the authorization server. The custom authorization server used here returns a JWT when a POST request containing some key-value pairs in the body, including user and client information, is sent to the following URL: **https://authorizationserver:5001/auth**. Here is what this request and its response look like:

Then you can add the JWT obtained from the response shown above to the Authorization header as a Bearer token and send a GET request to the same URL used before: **http://iamhost:8000/event/1**

Or you can add it as a query string parameter, with the query string key being the value specified in the “config.uri\_param\_names” field when adding the JWT plugin, which in this case is “jwt”:

Finally, there is also the option to include the JWT in the request as a cookie, if a name is entered in the “config.cookie\_names” field. Continue to the third and last part of this series to understand the configuration needed for IAM to generate an access token and validate it, together with some important final considerations.
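To make the validation path of Scenario 1 concrete, here is an added example (written for this article, not code from InterSystems, IAM or the Kong JWT plugin) that models in plain Python what the plugin does with a request: find the token in the Bearer header, the query string parameter or a cookie; pick the consumer credential whose “key” equals the “iss” claim; verify the RS256 signature with that credential's public key; then check the “exp” claim. The RSA key pair, the credential table, the request dictionaries, the cookie name `jwt_token` and the function names (`issue_jwt`, `validate_request`, `extract_token`) are all constructed for the demo; the RS256 implementation follows RFC 7518 (RSASSA-PKCS1-v1_5 with SHA-256) using only the standard library, so there is nothing to install.

```python
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256 (RFC 7518), standard library only. The key pair is demo-size
# and constructed locally; in the article the public half is the PEM key the authorization server gives you.
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                                    # Miller-Rabin witnesses
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=1024):
    """Return (public, private) as {'n', 'e'} and {'n', 'd'} integer dicts."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                                 # e is prime, so gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(message, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(message).digest()  # DigestInfo || H(message)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, priv):
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rs256_verify(message, signature, pub):
    k = (pub["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return len(signature) == k and em == _emsa_pkcs1_v15(message, k)   # public values, plain compare

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims, priv):
    """The external authorization server's job: header.payload signed with RS256."""
    head = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64url(rs256_sign(f"{head}.{body}".encode(), priv))

class Unauthorized(Exception): pass                            # IAM answers 401; IRIS is never called

def extract_token(request, uri_param_names, cookie_names):
    """The three places the article lists: Bearer header, query string parameter, cookie."""
    auth = request["headers"].get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    query = parse_qs(urlparse(request["url"]).query)
    for name in uri_param_names:
        if name in query:
            return query[name][0]
    cookies = dict(c.strip().split("=", 1) for c in request["headers"].get("cookie", "").split(";") if "=" in c)
    for name in cookie_names:
        if name in cookies:
            return cookies[name]
    raise Unauthorized("no JWT in Authorization header, query string or cookie")

def validate_request(request, credentials, key_claim_name="iss", claims_to_verify=("exp",),
                     uri_param_names=("jwt",), cookie_names=(), now=None):
    """Model of the JWT plugin: credential chosen by the key claim, RS256 check, then the listed claims."""
    token = extract_token(request, uri_param_names, cookie_names)
    try:
        head, body, sig = token.split(".")
        header, claims, signature = json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)), _b64url_decode(sig)
        cred, alg = credentials.get(claims.get(key_claim_name)), header.get("alg")
    except (ValueError, AttributeError, TypeError):
        raise Unauthorized("malformed token")
    if cred is None or alg != cred["algorithm"]:               # the credential's 'key' and 'algorithm' fields
        raise Unauthorized(f"no {alg} credential matches the {key_claim_name!r} claim")
    if not rs256_verify(f"{head}.{body}".encode(), signature, cred["rsa_public_key"]):
        raise Unauthorized("invalid signature")
    now = time.time() if now is None else now
    if "exp" in claims_to_verify and not (isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now):
        raise Unauthorized("token expired")
    return claims                                              # everything checked: forward to IRIS
```

Usage mirrors the article's setup: build `creds = {"https://authorizationserver:5001": {"algorithm": "RS256", "rsa_public_key": pub}}` (the dictionary key plays the role of the credential's “key” field, i.e. the “iss” value), mint a token with `issue_jwt({"iss": ..., "exp": ...}, priv)`, and call `validate_request({"url": "http://iamhost:8000/event/1", "headers": {"authorization": "Bearer " + token}}, creds)`. A token with a wrong signature, an unknown “iss”, an “exp” in the past, or one sent as a cookie while `cookie_names` is empty all raise `Unauthorized`, which is the 401 the article shows; only a token that passes every check returns the claims and would be forwarded to IRIS.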