Use the following information to call REST APIs with JWT authentication.
Before you begin
Before you start calling REST APIs with JWT authentication, review
the following guidelines:
- The incoming JWT must contain a parameter named “alg” in the header, which
denotes the algorithm used to verify the JWT. Only JWTs signed with the RSA algorithms RS256,
RS384, and RS512 are supported; a token whose “alg” is any other value (for example “none” or an HMAC algorithm) is not accepted.
- The incoming JWT must contain an issuer name in the payload or body with the claim name
“iss”.
- The incoming JWT must contain an expiration time in the payload or body with the claim name
“exp”.
- The incoming JWT must contain a parameter with the name “kid” (key ID) in the
header, which denotes the key ID to be used for verification.
About this task
This task describes how to call REST APIs with JWT authentication.
Procedure
- Make sure that JWT authentication is enabled for REST APIs by setting the
servlet.jwt.auth.enabled property to true in the
customer_overrides.properties file. For the property
description and an example, see xapirest.properties.
- The incoming HTTP request for the REST API call must contain the request header
“Authorization” with the scheme “Bearer” followed by the JWT.
The system verifies the signature and the expiration time of the token. If the verification is
successful, the claims present in the JWT are used to obtain a valid OMS user, and the REST API
call is made as that user.
Authorization: Bearer <Signed JSON Web Token>
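The following is an added example, not code from the original page or from OMS. It issues an RS256-signed JWT that satisfies the header and claim rules listed under "Before you begin" (alg, kid, iss, exp), and then verifies it with the same checks the procedure describes: an algorithm allow-list, key lookup by kid, signature verification, and presence of iss and exp with an expiry check. The key ID oms-key-1, the issuer URL and the user name are constructed for the example, and the RSA key generation is a small pure-standard-library routine so that the example runs offline; it is not how production keys should be made.

```python
# Added example: RS256/RS384/RS512 JWT issuer and verifier in standard-library Python.
# Not OMS code. Key ID, issuer and user name below are constructed for the example.
import base64
import hashlib
import hmac
import json
import secrets

ALLOWED_ALGS = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}
# PKCS#1 v1.5 DigestInfo prefixes (RFC 8017, section 9.2, note 1).
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demo key, not a substitute for a real crypto library."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(bits=1024):
    """Return (n, e, d). 1024 bits keeps the demo fast; use 2048 or more in practice."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkcs1_v15_encode(digest_name, message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||hash, padded to modulus size k."""
    t = DIGEST_INFO[digest_name] + hashlib.new(digest_name, message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def issue_jwt(private_key, kid, claims, alg="RS256"):
    """Build header.payload.signature with the alg and kid header parameters set."""
    n, e, d = private_key
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_encode(ALLOWED_ALGS[alg], signing_input.encode(), k), "big")
    return signing_input + "." + b64url(pow(m, d, n).to_bytes(k, "big"))


def verify_jwt(token, public_keys, now):
    """Checks from the page: alg allow-list, kid lookup, signature, iss, exp.
    public_keys maps kid -> (n, e). Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none", HS*, ES*, PS*: the server, not the token, picks the algorithm
        raise ValueError("unsupported alg")
    if header.get("kid") not in public_keys:
        raise ValueError("missing or unknown kid")
    n, e = public_keys[header["kid"]]
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k:
        raise ValueError("signature verification failed")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = pkcs1_v15_encode(ALLOWED_ALGS[alg], f"{h_b64}.{c_b64}".encode(), k)
    if not hmac.compare_digest(em, expected):  # re-encode and compare; never parse the padding
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(c_b64))
    if "iss" not in claims:
        raise ValueError("missing iss")
    if not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def run_scenario():
    """Constructed scenario: one valid token plus the rejections the checks above produce."""
    n, e, d = generate_rsa_key()
    now = 1_700_000_000  # fixed clock so the outcome does not depend on wall time
    keys = {"oms-key-1": (n, e)}
    good = {"iss": "https://idp.example.com", "sub": "oms_user", "exp": now + 300}
    token = issue_jwt((n, e, d), "oms-key-1", good)
    h, c, s = token.split(".")
    forged_claims = b64url(json.dumps(dict(good, sub="admin"), separators=(",", ":")).encode())
    none_header = b64url(b'{"alg":"none","kid":"oms-key-1"}')
    cases = {
        "valid": token,
        "tampered_payload": f"{h}.{forged_claims}.{s}",
        "alg_none": f"{none_header}.{c}.",
        "expired": issue_jwt((n, e, d), "oms-key-1", dict(good, exp=now - 1)),
        "unknown_kid": issue_jwt((n, e, d), "rotated-out", good),
    }
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = "ok:" + verify_jwt(tok, keys, now)["sub"]
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:18s} {outcome}")
```

The caller sends the token produced by issue_jwt as the request header Authorization: Bearer <token>; the verifier side shows why the page's rules matter: the allow-list on "alg" is fixed by the server rather than taken from the token, the "kid" selects which published public key to use, and a token that fails any check is rejected before any user is resolved from its claims. In a deployment, use a maintained JWT library and keys from a real key store; the hand-rolled RSA here exists only so the example runs offline.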