Token Server

Some of the endpoints are secured by Bearer Authentication and require a valid JWT as the access token. In our current setup, the tokens are issued by the Onegini Tenant access-engine.

Token Server configuration

Create a new configuration for a static client (i.e. Web Clients):

1. Set client_id and client_secret. They are required in order to obtain a JWT.
2. Select Client credentials as the Grant type.
3. Set Access token format to JSON Web Token (JWT) (see Workflow).
4. Add the URI of the External Resource Service as either Audience: Resource gateway or Additional audiences. This URI must match the value of the SECURITY_OAUTH2_JWT_AUD property configured within the External Resource Service itself (see Bearer Authentication related properties); a token whose aud claim does not contain it is rejected by the service.
5. Add the scope as either Default Scopes or Additional scopes. This scope must match the value of the SECURITY_OAUTH2_JWT_SCOPE property configured within the External Resource Service itself (see Bearer Authentication related properties); a token that was not granted this scope is rejected by the service.
6. Configure the remaining options according to your needs.

Note: only RS256, RS384 and RS512 are supported for signature verification; tokens signed with any other algorithm are rejected.

Workflow

To obtain a JWT that serves as the access token required for Bearer Authentication, use the Client Credentials flow: a POST to the token endpoint with grant_type=client_credentials and the scope, authenticated with the client_id and client_secret. See the OAuth 2.0 specification (RFC 6749, section 4.4) for further details.

Alternatively, use the Client Credentials option in the Token Server Test Client.
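The request shape of the Client Credentials flow above, and the claim checks that the audience and scope settings from the Token Server configuration section feed into, as an added example. This is not code from the page or from the Onegini product: the token endpoint URL, the resource-service URI and the sample token are placeholders constructed for the example, the client credentials are the dummy values `cid`/`sec`, and the signature segment of the sample token is a stand-in (signature verification against the Token Server's RSA public key is left to the JWT library the service uses; the function below covers the alg, aud, scope and exp checks).

```python
"""Client Credentials request builder and access-token claim checks.

Added example, not part of the original page or of the Onegini code base.
Assumes a standard RFC 6749 token endpoint; all URLs and secrets are placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# The only signature algorithms the resource service accepts (see the Note above).
ALLOWED_ALGS = {"RS256", "RS384", "RS512"}


class TokenRejected(Exception):
    """Raised when an access token fails one of the checks below."""


def build_token_request(token_url, client_id, client_secret, scope):
    """Build (but do not send) the Client Credentials POST of RFC 6749 section 4.4.

    The client authenticates with HTTP Basic over the form-urlencoded
    client_id:client_secret pair (RFC 6749 section 2.3.1); grant_type and the
    requested scope travel in the form body, never in the query string.
    """
    creds = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    basic = base64.b64encode(creds.encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return urllib.request.Request(
        token_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_access_token(token, expected_aud, expected_scope, now=None):
    """Apply the configuration-dependent checks a resource service enforces.

    expected_aud   mirrors SECURITY_OAUTH2_JWT_AUD
    expected_scope mirrors SECURITY_OAUTH2_JWT_SCOPE

    The alg check runs first so that 'none' or HMAC-signed tokens are refused
    before any key lookup happens. Signature verification itself is delegated
    to the JWT library in use and is not performed here.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS (expected 3 segments)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii, unicode and JSON errors
        raise TokenRejected(f"malformed header or payload: {exc}")
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise TokenRejected(f"unsupported alg {alg!r}")
    aud = claims.get("aud", [])          # RFC 7519: string or array of strings
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        raise TokenRejected("aud does not include this resource service")
    scopes = claims.get("scope", "")     # space-delimited per RFC 6749 section 3.3
    if isinstance(scopes, str):
        scopes = scopes.split()
    if expected_scope not in scopes:
        raise TokenRejected(f"scope {expected_scope!r} not granted")
    exp = claims.get("exp")
    if exp is None or now >= float(exp):
        raise TokenRejected("token expired or missing exp")
    return claims


def token_is_acceptable(token, expected_aud, expected_scope, now=None):
    """Boolean wrapper around check_access_token for callers that only need yes/no."""
    try:
        check_access_token(token, expected_aud, expected_scope, now)
        return True
    except TokenRejected:
        return False


def make_unsigned_sample(header, claims):
    """Constructed fixture: a JWT whose third segment is a placeholder, not a real
    RS256 signature. Sufficient to exercise the claim checks above only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


if __name__ == "__main__":
    req = build_token_request("https://token-server.example/oauth/token",
                              "ers-backend-instance-creation", "<client secret>",
                              "css_configuration")
    print(req.get_method(), req.full_url, req.data)
    good = make_unsigned_sample({"alg": "RS256", "typ": "JWT"},
                                {"aud": ["https://ers.example"], "scope": "css_configuration",
                                 "exp": time.time() + 300})
    print(check_access_token(good, "https://ers.example", "css_configuration"))
    for bad_header in ({"alg": "none"}, {"alg": "HS256"}):
        bad = make_unsigned_sample(bad_header, {"aud": "https://ers.example",
                                                "scope": "css_configuration",
                                                "exp": time.time() + 300})
        print(bad_header["alg"], "accepted:",
              token_is_acceptable(bad, "https://ers.example", "css_configuration"))
```

Two points worth noting: the aud check is the one that ties a token issued for one External Resource Service to that service only, so a token minted for a different audience on the same Token Server cannot be replayed against this one; and the alg allowlist is checked before anything else so that a token declaring `none` or an HMAC algorithm never reaches a key lookup, which is where alg-confusion bugs in JWT libraries have historically lived.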

Development

For convenience, the Onegini tenant access-engine is already configured:

- web client name: ers-backend-instance-creation
- client id: ers-backend-instance-creation
- client secret: <see 1Password for ers-backend-instance-creation>
- scope: css_configuration