Externalize generation of authentication token

You can externalize the generation of the authentication token in IBM® Sterling™ Order Management System Software by implementing custom logic. This approach gives Sterling Order Management System Software the flexibility to customize authentication and to integrate seamlessly with an external authentication server.

To meet security standards, Order Service implementations must generate tokens autonomously and validate them internally, because Order Service, when deployed on a separate platform, might act as an external application. The existing version of Sterling Order Management System Software does not acquire tokens from external systems.

In your Order Service implementation, you can include supplementary headers in requests to Order Service. The API Gateway intercepts requests to Order Service and runs additional actions based on these headers. The existing version of Sterling Order Management System Software does not retrieve header parameters from external systems and append them to the request that is sent to Order Service.

User exit implementation

Sterling Order Management System Software provides the com.yantra.ycp.japi.ue.YCPGetExternalAuthenticationTokenUE user exit (UE) in the JWT generation logic. Implement this interface to externalize JWT generation for authentication.

Method definition for user exit

The interface includes the following method definition.
public Document getAuthenticationToken(YFSEnvironment env, Document inXML);
Implementers must provide a custom implementation for getAuthenticationToken. In this user exit, you can write the custom logic to retrieve the token and also configure the expiry time of the generated token.
Note: If the user exit is implemented, Sterling Order Management System Software bypasses its current token generation logic and retrieves the token from the output of the user exit. Sterling Order Management System Software does not validate the token that is retrieved from the user exit output.

Sample input and output of user exit

Input
<?xml version="1.0" encoding="UTF-8"?>
<Token Audience="osi" UserGroup="SYSTEM" UserId="OSIApi"/>

Output 1
<Token AuthenticationExpirationTime="100" AuthenticationToken="goNwcvd3OKxhFNOeUYZlvjlf-L1VaVfqHOklD0kX2UOc3bXgLVA7wxehyogMkMiCjN4EOx2wHFfkRNK7GvjDZsV8GDIE8MgKOi5_aQvJ3_i3GRn_3us3GKg" AuthenticationType="JWT">
    <HeaderAttributes>
        <HeaderAttribute Name="ClientSecret" Value="12kKns2OP"/>
        <HeaderAttribute Name="EndpointURL" Value="https://dev1.token.com/authenticate"/>
    </HeaderAttributes>
</Token>

or

Output 2
<Token AuthenticationExpirationTime="100">
    <HeaderAttributes>
        <HeaderAttribute Name="ClientSecret" Value="12kKns2OP"/>
        <HeaderAttribute Name="EndpointURL" Value="https://dev1.token.com/authenticate"/>
    </HeaderAttributes>
</Token>
The user exit output provides the flexibility to define header attributes. You can return any valid key-value pairs for your API Gateway in the user exit output; Sterling Order Management System Software functions as a pass-through for these attributes. In the sample, the EndpointURL and ClientSecret attributes are returned as header attributes. These attributes are forwarded to the Order Service in the request, which enables an API Gateway at the receiving end to call the authentication server by using the provided credentials.
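The following Java class is an added example of how an implementation of the user exit can look; it is not code from the IBM page or product. The interface name, the method signature, and the input and output XML shapes are taken from the page above. The com.example package, the ExternalTokenClient interface, the TokenResponse class, and the way a concrete client is wired into the class are assumptions. Because Sterling Order Management System Software does not validate what the exit returns, the example fails closed whenever the external server does not return a usable answer, and it returns the header-only form (Output 2) when no token string is available.

```java
// Added example, not part of the IBM page or product code. Package name,
// ExternalTokenClient, TokenResponse and the client wiring are assumptions.
package com.example.oms.ue;

import java.util.Map;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import com.yantra.ycp.japi.ue.YCPGetExternalAuthenticationTokenUE;
import com.yantra.yfs.japi.YFSEnvironment;

public class ExternalTokenUE implements YCPGetExternalAuthenticationTokenUE {

    /** Hypothetical client for the external authentication server. */
    public interface ExternalTokenClient {
        TokenResponse requestToken(String userId, String userGroup, String audience);
    }

    /** Hypothetical result: the token (null for the header-only form) and its lifetime in minutes. */
    public static final class TokenResponse {
        public final String token;
        public final int expirationMinutes;

        public TokenResponse(String token, int expirationMinutes) {
            this.token = token;
            this.expirationMinutes = expirationMinutes;
        }
    }

    private final ExternalTokenClient client;
    private final Map<String, String> headerAttributes;

    /**
     * headerAttributes are the key-value pairs forwarded to the API Gateway
     * (for example EndpointURL and ClientSecret as in the page sample). Load
     * them from protected configuration rather than hard-coding a secret here.
     */
    public ExternalTokenUE(ExternalTokenClient client, Map<String, String> headerAttributes) {
        this.client = client;
        this.headerAttributes = headerAttributes;
    }

    @Override
    public Document getAuthenticationToken(YFSEnvironment env, Document inXML) {
        // Input is <Token Audience=".." UserGroup=".." UserId=".."/>; DOM returns "" for absent attributes
        Element in = inXML.getDocumentElement();
        String userId = in.getAttribute("UserId");
        String userGroup = in.getAttribute("UserGroup");
        String audience = in.getAttribute("Audience");
        if (userId.isEmpty() || audience.isEmpty()) {
            throw new IllegalArgumentException("Token/@UserId and Token/@Audience are required");
        }

        // Sterling does not validate what this exit returns, so fail closed on
        // anything other than a well-formed answer from the trusted token server.
        TokenResponse resp = client.requestToken(userId, userGroup, audience);
        if (resp == null || resp.expirationMinutes <= 0) {
            throw new IllegalStateException("external authentication server returned no usable token");
        }
        return buildOutput(resp, headerAttributes);
    }

    /** Builds the Token output in the shape of Output 1, or Output 2 when no token string is present. */
    static Document buildOutput(TokenResponse resp, Map<String, String> attrs) {
        Document out;
        try {
            out = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("cannot create DOM document", e);
        }
        Element token = out.createElement("Token");
        token.setAttribute("AuthenticationExpirationTime", Integer.toString(resp.expirationMinutes));
        if (resp.token != null && !resp.token.trim().isEmpty()) {
            // trim so no stray whitespace ends up in the bearer value
            token.setAttribute("AuthenticationToken", resp.token.trim());
            token.setAttribute("AuthenticationType", "JWT");
        }
        Element headers = out.createElement("HeaderAttributes");
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            Element h = out.createElement("HeaderAttribute");
            h.setAttribute("Name", e.getKey());
            h.setAttribute("Value", e.getValue());
            headers.appendChild(h);
        }
        token.appendChild(headers);
        out.appendChild(token);
        return out;
    }
}
```

The class is registered like any other user exit; how the concrete ExternalTokenClient and the header attribute map are supplied to it in your deployment is outside this example. Keeping the secret out of the class and trimming the token value before it is placed in the output avoids the two most common integration mistakes with this exit.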

Handling token expiry

The Token/@AuthenticationExpirationTime attribute value in the user exit output overrides the default expiry time. A new token is generated only when the time elapsed since the current token was generated exceeds @AuthenticationExpirationTime multiplied by the token safety factor. The safety factor is defined by the osi.authentication.expiration.safety.factor property, which has a default value of 0.5.

Example

If the user exit returns @AuthenticationExpirationTime=100 and osi.authentication.expiration.safety.factor=0.5, the expiry window is calculated as 100 × 0.5 = 50. So, a new token is generated every 50 minutes.