JWT Authentication for REST

Question

Question

For a few latest versions, I noticed that Web Applications got some support for JWT Authentication

I managed to find a documentation page that, I suppose described how to configure it.

From this page, I found that I would need to configure JWT Issuer field, so I did

And activate JWT Authentication in the Web Application which uses REST, for testing selected /api/atelier. Documentation mentions next

Once configured for JWT authentication, a REST API gains four endpoints that should not be included in the UrlMap in the dispatch class:

/login — A call to this endpoint using basic HTTP authentication or with valid credentials in the body of the request returns an access token and a refresh token that can be used in subsequent requests.

/logout — A call to this endpoint, if not using Group-By-ID, invalidates the supplied access token and the associated refresh token. If using Group-By-ID, then all sessions with the current By-ID group are invalidated.

/refresh — A call to this endpoint issues a new access and refresh token pair when invoked with a valid refresh token. This invalidates the previous access and refresh token pair.

/revoke — If not using Group-By-ID, this is functionally the same as /logout. If using Group-By-ID, this revokes only the current access and refresh token pair.

To access the /login endpoint and retrieve the access and refresh tokens, make an HTTP POST request without an authentication header and with your credentials in the body in JSON format as below:
{"user": "YOUR USER", "password": "YOUR PASSWORD"}
If the credentials are valid, you receive a response similar to the following:
{
"access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2ODI3MDc0MTcuNzQ5OTQyLCJleHAiOjE2ODI3MDc0NzcsImlzcyI6IkludGVyU3lzdGVtcyIsInN1YiI6Il9TWVNURU0iLCJzaWQiOiJkWTAxYlJUMGZhQlJybldnQnEyYUZpa1ciLCJhcHAiOiIvYXBpL3R0cmcvIn0.OSxtKf2F6p23wfHKBxnPXvj6cs3fXKWNqc1c0yJ_t0Zpy5cLvLBlRTlufMQIOoNPnQHOHzcN8VWPBzisMoOM-A",
"refresh_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2ODI3MDc0MTcuNzQ5OTQyLCJleHAiOjE2ODI3MDgzMTcsImlzcyI6IkludGVyU3lzdGVtcyIsInNpZCI6ImRZMDFiUlQwZmFCUnJuV2dCcTJhRmlrVyIsImFwcCI6Ii9hcGkvdHRyZy8ifQ.-28BDQsQYtfTbMpCBxmYtbxiT4UNQSeKS7taKkzRk4tYZkE_5V_WMGffNMj-pU3NgtIku506CIcSuXIxGdEJ5Q",
"sub": "YOUR USER",
"iat": 1682707417.749942,
"exp": 1682707477
}

And than I tried to test it

Audit have nothing helpful.

So, what I did wrong? It does not work with my REST too. How to make it working, is it even supposed to be working?

Product version: IRIS 2023.3

$ZV: IRIS for UNIX (Ubuntu Server LTS for ARM64 Containers) 2024.1 (Build 262U) Thu Mar 7 2024 15:38:25 EST

Discussion (2)2

Log in or sign up to continue

score 0 · Answer 1 · 2024-04-01T10:29:38-04:00

I used it with no problem for this application:

https://community.intersystems.com/post/quinielaml-working-jwt-authentic...

The error message talks about a restriction for unauthorized access to %Api.Atelier class, maybe that class override the /login?

score 0 · Answer 2 · 2024-04-01T11:05:28-04:00

Your login request technically is an unauthenticated request, which means it uses the account UnknownUser. Since the web application /api/atelier requires user permission on the %Development resource, the request is failing. You could address this by either removing that restriction from the web app or by assigning the %Developer role to UnknownUser. In my opinion, though, neither of those is really ideal.