Calling REST APIs with JWT authentication

Use the following information to call REST APIs with JWT authentication.

Before you begin

Before you start calling REST APIs with JWT authentication, review the following guidelines:
  • The incoming JWT must contain a parameter named “alg” in the header, which denotes the algorithm used to verify the JWT. Only JWTs signed with the RSA algorithms RS256, RS384, and RS512 are supported; a token that uses any other “alg” value (for example “none” or one of the HMAC HS* algorithms) is not supported.
  • The incoming JWT must contain an issuer name in the payload (body) with the claim name “iss”.
  • The incoming JWT must contain an expiration time in the payload (body) with the claim name “exp”.
  • The incoming JWT must contain a parameter named “kid” (key ID) in the header, which denotes the key to be used for verification.

About this task

This task describes how to call REST APIs with JWT authentication.

Procedure

  1. Ensure that JWT authentication is enabled for REST APIs by setting the servlet.jwt.auth.enabled property to true in the customer_overrides.properties file.
  2. The incoming HTTP request for the REST API call must contain the request header “Authorization” with the scheme “Bearer” followed by the JWT.

    The system verifies the signature and the expiration time of the token. If verification succeeds, the claims in the JWT are used to obtain a valid OMS user, and the REST API call is made as that user.

    Authorization: Bearer <Signed JSON Web Token>
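The following Go program is an added example, not code from this page or from the OMS product. It mints an RS256-signed JWT that carries the “alg” and “kid” header parameters and the “iss” and “exp” claims listed above, formats the Authorization header, and then checks the token the way the page describes the server doing it: Bearer scheme, an RS* algorithm, a known key ID, a valid signature, and an unexpired “exp”. The RSA key, the key ID kid-1, the issuer URL, the sub claim and the kid-to-public-key map are all constructed for the example; VerifyBearer only mirrors the checks the page lists and is not the product's verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	_ "crypto/sha512" // registers SHA-384 and SHA-512 so RS384/RS512 can be verified
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWTs use base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// The only algorithms the page allows, mapped to their digest. Anything else is rejected.
var rsaHashes = map[string]crypto.Hash{"RS256": crypto.SHA256, "RS384": crypto.SHA384, "RS512": crypto.SHA512}

// MintRS256 builds a JWT with alg and kid in the header and iss and exp (plus any
// extra claims) in the payload, signed with the issuer's RSA private key.
func MintRS256(key *rsa.PrivateKey, kid, iss string, exp time.Time, extra map[string]any) (string, error) {
	header := map[string]any{"alg": "RS256", "typ": "JWT", "kid": kid}
	claims := map[string]any{"iss": iss, "exp": exp.Unix()}
	for k, v := range extra {
		claims[k] = v
	}
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// AuthorizationHeader is the header value the REST API expects.
func AuthorizationHeader(token string) string {
	return "Bearer " + token
}

// VerifyBearer mirrors the checks the page lists. keys is a hypothetical kid -> public key
// map standing in for however the server resolves the "kid" header parameter.
func VerifyBearer(authz string, keys map[string]*rsa.PublicKey, now time.Time) (map[string]any, error) {
	if !strings.HasPrefix(authz, "Bearer ") {
		return nil, errors.New("missing Bearer scheme")
	}
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var header struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil {
		return nil, errors.New("bad header")
	}
	// Take the algorithm from the allow-list, so "none" and HS* never reach signature checking.
	hash, ok := rsaHashes[header.Alg]
	if !ok {
		return nil, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	pub, ok := keys[header.Kid]
	if header.Kid == "" || !ok {
		return nil, fmt.Errorf("unknown kid %q", header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	d := hash.New()
	d.Write([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, hash, d.Sum(nil), sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	// Claims are trusted only after the signature has been verified.
	var claims map[string]any
	if cb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if iss, _ := claims["iss"].(string); iss == "" {
		return nil, errors.New("missing iss")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok {
		return nil, errors.New("missing exp")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the issuer's signing key
	tok, _ := MintRS256(key, "kid-1", "https://issuer.example", time.Now().Add(time.Hour), map[string]any{"sub": "omsuser"})
	fmt.Println(AuthorizationHeader(tok))
	claims, err := VerifyBearer(AuthorizationHeader(tok), map[string]*rsa.PublicKey{"kid-1": &key.PublicKey}, time.Now())
	fmt.Println(claims, err)
}
```

The order of checks matters: the algorithm is looked up in a fixed allow-list before the signature is examined, so a header that says “none” or an HMAC algorithm cannot steer verification, and the claims are only read after the signature over header and payload has been verified, so a payload edited to name a different user fails closed.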