Enterprise Solutions

Authorization


The standard OAuth 2.0 authorization framework is not directly considered in this implementation.

The identity of the caller, as established by the validated token, is the basis on which the service decides whether that caller is authorized to use it.

The Enterprise REST API services will maintain the authorization status of the caller (or type of caller) as appropriate for their system based on the validated JWT sent with the API call.

In certain instances, both tokens, that of the caller (a service) and the PAK (someone at a user interface), may be inspected together to determine the appropriate action to take.

Unlike an opaque OAuth 2.0 access token, the OpenID Connect JWT supplied as identity carries signed claims (issuer, subject, audience, expiry and any additional claims) that a service can verify and use for authorization on its own, even when that service is remote from the initial API endpoint and cannot consult the token issuer.
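As an added example (not code from this page or from the Enterprise REST API itself), the following Python shows the checks a remote service should perform on a JWT before trusting its claims for authorization, and how a service token and a user-facing token can both be consulted for a single decision. It uses HS256 with a constructed shared secret so that it runs offline with the standard library; a real OIDC provider signs with an asymmetric key published at its JWKS endpoint. The issuer and audience values, the `scope`, `roles` and `azp` claims, and the role-to-action table are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real OIDC provider signs with RS256/ES256 and a
# public key from its JWKS; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://api.jhacorp.com/oidc"   # assumed issuer value
EXPECTED_AUDIENCE = "enterprise-rest-api"          # assumed audience value


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT. Stands in for the OIDC provider in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, secret: bytes = DEMO_SECRET,
                 now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and expiry, then return the claims.

    Raises ValueError on any failure so a caller cannot accidentally continue
    with an unverified identity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified
    # (this is what blocks an "alg": "none" downgrade).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this service")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= float(claims["exp"]):
        raise ValueError("token expired")
    return claims


def authorize(service_token: str, action: str, user_token: Optional[str] = None,
              now: Optional[float] = None) -> bool:
    """Decide whether the calling service (and, when supplied, the end user it
    acts for) may perform `action`. Claim names and the role table are assumed."""
    service = validate_jwt(service_token, now=now)
    # Service-level policy: the service's own token must carry the action.
    if action not in service.get("scope", "").split():
        return False
    if user_token is None:
        return True
    # When a user-facing token is also present, both must agree: the user must
    # hold a role that permits the action, and the user token must name the
    # calling service as the authorized party (azp) acting on the user's behalf.
    user = validate_jwt(user_token, now=now)
    if user.get("azp") != service.get("sub"):
        return False
    allowed_roles = {"accounts:read": {"teller", "admin"},
                     "accounts:write": {"admin"}}
    return bool(allowed_roles.get(action, set()) & set(user.get("roles", [])))


if __name__ == "__main__":
    now = 1_700_000_000
    svc = mint_jwt({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "svc-ledger",
                    "scope": "accounts:read accounts:write", "exp": now + 300})
    usr = mint_jwt({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
                    "azp": "svc-ledger", "roles": ["teller"], "exp": now + 300})
    print(authorize(svc, "accounts:read", usr, now=now))
    print(authorize(svc, "accounts:write", usr, now=now))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the header, and audience is checked so a token minted for one service cannot be replayed against another. A deployed service would replace `DEMO_SECRET` with key lookup by the token's `kid` against the provider's JWKS and would also allow a small clock skew on `exp`.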

Authentication example

jhaOIDCScheme

Token must be an OIDC JWT, e.g. jwt< GeneratedOidcJwt >

Security scheme type: OpenID Connect
Connect URL: /api.jhacorp.com/oidc/auth

bearerAuth

Security scheme type: HTTP
HTTP authorization scheme: bearer
Bearer format: "JWT"

Last updated Thu Jul 14 2022