REST API with JWT token Auth

Hi all

Just wondering if anyone has implemented an API endpoint on LC with JWT signed token with a pub/private key. I cannot see it in the UI/guides (OAUTH or bearer only options) and this might be possible using these.

Any input would be really appreciated.

Simon

Morning Simon,

Could you please let me know what Create version you are using?

We’ve recently added OAuth:

  • Grant type: Client credentials
  • Client authentication method: JWT signed using private key

Available in 22.3, patch 2022.3.558 and 2023.1.91

Many Thanks

Thanks Adam - Currently on 2022.1 and about to upgrade - will try this again once I am up to 2023.1

S

Hi Adam - I am now on 2023.1 in build but not seeing the OAUTH in Endpoint or Functions to build a Generic REST API solution - are you able to point me to some academy info or help direct.

Solution:
Build a Liberty Create Interface that a LibCreate user can create a selection of data key and value pairs and enable them to be visible on an external REST API. The REST API will need to use JWT authentication and rotation with a third party for them to collect the latest array of data values.

Currently testing on POSTMAN and getting a 403 response.
When set up as a Liberty Create API, getting good test responses internally but nothing externally.
Have now set up as a Generic API.

Hello. I’m not entirely sure I understand what you’re trying to do, but the OAuth settings are on the API Connection page (e.g. Outbound) rather than in Endpoint or Functions (e.g. Inbound).


There’s a tickbox for “Enable OAuth 2.0” that will then allow you to configure the details.

To be clear, is the Liberty Create application sending the API request, or receiving it?

Hi Scott

The solution is to provide an API interface so would be Receiving a Call from an external application.

Apologies Simon,

Your request came in at the same time as we were adding this feature to the outbound side of Create, as such it appears as though I misunderstood the assignment here.

As it happens we have implemented a custom JWT Auth method using code studio that can be used to validate inbound requests, although it requires multiple components to implement.

We have a custom authentication processor which validates the issuer from a set of known issuers configured in a variable. We download and maintain a copy of the signature from the approved issuers and use it to validate the request. Our script also allows you to limit the claims to within a declared set of values.

We cannot action any of the claims in the request, but if mirrored in the data or header we can ensure they match as part of the validation.

JSON Object containing approved keys and values that must be present and correct within received JWT tokens.

Top Level Key is URL encoded issuer.

Format:

{
  "https%3A%2F%2Fsubdomain.domain.tld%2Fauth%2Frealms%2Fmy-realm": {
    "active": true,
    "claims": {
      "aud": ["realm-origin"],
      "typ": ["Bearer"],
      "azp": ["realm-origin"]
    },
    "key": {
      "keys": {
        "0": {}
      }
    }
  }
}

This method has been Pen-Tested and is running live elsewhere with no issues.

If this is of interest to you, please let me know and we can arrange a call to discuss.
You will need at least a day's consultancy for us to help you implement.

Many thanks Adam
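
The checks described in the post above (known issuer, signature against that issuer's stored key, claims limited to approved values), written out as an added Python example; it is not code from this thread or from the vendor's processor. It assumes RS256 tokens and that each entry under "key" > "keys" is an RSA JWK with "kty", "n" and "e" (the post leaves that entry empty), it reads "approved values" as every received value having to be in the list, and it adds an expiry check the post does not mention; `validate`, `rs256_ok` and `b64u` are hypothetical names.

```python
import base64, hashlib, json, time
from urllib.parse import quote

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(text):
    """Decode unpadded base64url text to bytes."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rs256_ok(jwk, signed, sig):
    """RSASSA-PKCS1-v1_5 with SHA-256: rebuild the expected block and compare it whole."""
    n = int.from_bytes(b64u(jwk["n"]), "big")
    e = int.from_bytes(b64u(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(signed).digest()
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n or k < len(t) + 11:
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(s, e, n).to_bytes(k, "big") == expected

def validate(token, policy, now=None):
    """Return the claims if the token satisfies the issuer policy, else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64u(h64)), json.loads(b64u(p64)), b64u(s64)
        alg, iss = header["alg"], claims["iss"]
    except Exception:
        raise ValueError("malformed token")
    if alg != "RS256":  # pin the algorithm, never take it from the token
        raise ValueError("unexpected alg")
    # Top-level policy key is the URL-encoded issuer, as in the format above
    entry = policy.get(quote(str(iss), safe=""))
    if not entry or entry.get("active") is not True:
        raise ValueError("unknown or inactive issuer")
    signed = f"{h64}.{p64}".encode()
    jwks = entry["key"]["keys"].values()  # assumption: each entry is an RSA JWK
    if not any(rs256_ok(j, signed, sig) for j in jwks if j.get("kty") == "RSA"):
        raise ValueError("bad signature")
    exp = claims.get("exp")  # expiry check added here; the post does not mention it
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise ValueError("expired")
    for name, allowed in entry["claims"].items():
        got = claims.get(name)
        got = got if isinstance(got, list) else [got]  # "aud" may be a string or a list
        if not got or not all(v in allowed for v in got):
            raise ValueError(f"claim {name} outside approved values")
    return claims
```

The signature check is spelled out with the standard library only so the example runs anywhere; in a deployed service a maintained JWT library would take the place of `rs256_ok`.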