Coding changes are required if you want to pass OAuth/OIDC tokens from your application to an intermediate server which then communicates with the Content Platform Engine server.
About this task
No coding changes are required if you are using the CE API to communicate directly between a client and the Content Platform Engine server. However, you might want to pass OAuth/OIDC tokens from your application to an intermediate server first, for example:
- IBM® Content Navigator (client) to External Share (intermediary) to Content Platform Engine (server)
- Your application (client) to Content Services GraphQL (intermediary) to Content Platform Engine (server)
In these cases, the front end application that obtains the OAuth/OIDC token, such as IBM Content Navigator, must pass that token on the HTTP Authorization header as a Bearer token for every request that is sent to the downstream application, such as External Share or Content Services GraphQL.
Procedure
To update the code for SSO token propagation:
- Propagate an authentication token to another service.
For non-CEWS requests, such as IBM Content Navigator to the External Share service, an authentication token must be passed to the target service. It is the responsibility of the client application to obtain the relevant authentication token and put it on the correct HTTP header when making the request to the target service.
- Propagate an OAuth or OIDC authentication token.
An OAuth or OIDC token needs to be put on the HTTP Authorization header as a Bearer token, for example:
Authorization : Bearer oauth-or-oidc-token-value
- Propagate an LTPA authentication token.
An LTPA token needs to be created as a cookie on the HTTP request, for example:
Set-Cookie: ltpaToken2=ltpa-token-value
- Get the authentication token.
The CE Java API (Jace.jar) provides the AuthToken utility class to get the authentication token, using the priority described in Determining which authentication token to send on CEWS request.
The AuthToken utility class has the following interface:
package com.filenet.apiimpl.util;

public class AuthToken {
    public enum TokenType {
        OAUTH_TOKEN,
        OIDC_TOKEN,
        LTPA_TOKEN
    }

    public TokenType getTokenType();
    public String getName();            // returns a name corresponding to TokenType
    public String getValue();           // returns the token value
    public String getCookieName();      // returns the LTPA cookie name
    public String getIssuer();          // returns the issuer of an OAuth or OIDC token
    public boolean usesHttpAuthHeader(); // returns true if SSO propagation requires the HTTP Authorization header (i.e. token is OAuth or OIDC)
    public String getHttpAuthHeader();  // returns the HTTP Authorization header value (e.g. Bearer xxxxxx)
    public boolean usesHttpAuthCookie(); // returns true if SSO propagation requires an HTTP cookie (i.e. token is LTPA)
    public HttpCookie getHttpAuthCookie(); // returns the HTTP cookie (e.g. ltpaToken2)
}
It should be used as shown in the following code fragment:
import java.net.HttpCookie;
import org.apache.http.message.BasicHeader;
import com.filenet.apiimpl.util.AuthToken;
import com.filenet.apiimpl.util.J2EEUtil; // assumed to live in the same package as AuthToken

// Get the SSO token of the Subject that is invoking this code (null if there is none)
AuthToken authToken = J2EEUtil.getInstance().getAuthTokenFromSubject();
if (authToken != null) {
    if (authToken.usesHttpAuthHeader()) {
        // OAuth/OIDC token: add it to the HTTP Authorization header as a Bearer token
        httpRequest.addHeader(new BasicHeader("Authorization", authToken.getHttpAuthHeader()));
    } else if (authToken.usesHttpAuthCookie()) {
        // LTPA token: send it as a cookie (ltpaToken2) on the request
        HttpCookie cookie = authToken.getHttpAuthCookie();
        httpRequest.addHeader(new BasicHeader("Cookie", cookie.getName() + "=" + cookie.getValue()));
    }
}
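The following helper wraps the propagation step above for an Apache HttpClient 4 request, refuses to send the credential over plain HTTP, and logs only the token type and issuer, never the value. It is an added example, not code from the IBM documentation; it assumes the AuthToken and J2EEUtil classes described above (J2EEUtil assumed to be in com.filenet.apiimpl.util) and org.apache.http on the classpath, and the SsoPropagator class and its propagate method are hypothetical names.

```java
import java.net.HttpCookie;
import java.net.URI;
import org.apache.http.client.methods.HttpUriRequest;
import com.filenet.apiimpl.util.AuthToken;
import com.filenet.apiimpl.util.J2EEUtil; // package assumed to match AuthToken

// Hypothetical helper class; not part of the CE Java API.
public final class SsoPropagator {

    /**
     * Copies the calling Subject's SSO token onto the outgoing request using the
     * transport that the token type requires. Returns the propagated token type,
     * or null when there is no token to propagate.
     */
    public static AuthToken.TokenType propagate(HttpUriRequest request) {
        AuthToken authToken = J2EEUtil.getInstance().getAuthTokenFromSubject();
        if (authToken == null) {
            return null; // caller did not authenticate through SSO; add nothing
        }

        // A bearer token or LTPA cookie is a reusable credential: only send it
        // over TLS so it cannot be read or replayed by anyone on the path.
        URI target = request.getURI();
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalArgumentException(
                "refusing to propagate SSO token over " + target.getScheme());
        }

        if (authToken.usesHttpAuthHeader()) {
            // OAuth/OIDC: "Authorization: Bearer <token>"
            request.addHeader("Authorization", authToken.getHttpAuthHeader());
        } else if (authToken.usesHttpAuthCookie()) {
            // LTPA: the token travels as the ltpaToken2 cookie on the request
            HttpCookie cookie = authToken.getHttpAuthCookie();
            request.addHeader("Cookie", cookie.getName() + "=" + cookie.getValue());
        } else {
            return null; // unknown transport; do not guess
        }

        // Record what was propagated for troubleshooting, but never the token value.
        System.out.println("propagated " + authToken.getTokenType()
            + " token (issuer: " + authToken.getIssuer() + ") to " + target.getHost());
        return authToken.getTokenType();
    }
}
```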