CAC/PIV card users can open a browser to License Server and authenticate automatically via JWT Access Token for OAuth 2.0. To set this up, follow the directions below.

Enabling Authentication via JWT Access Token

To enable authentication via JWT Access Token for OAuth 2.0, follow the directions below appropriate for your distribution.

Self-deployed distribution on Linux

Modify <LSS_INSTALLDIR>/app/setVars.sh by adding the following line:

JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>

Self-deployed distribution on Windows

Modify <LSS_INSTALLDIR>/app/setVars.bat by adding the following line:

JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>

Web-archive (war) distribution

Add the following to your JVM arguments:

-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>

Configuring Usernames


When enabled, License Server uses the mappings defined in oidc.json to extract usernames from JWT access tokens. Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure usernames.

Default contents of the oidc.json File

{
  "enabled": false,
  "issuerUri": "your issuer uri",
  "clientId": "your client id",
  "clientSecret": "your client secret",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email"
  },
  "adminUsers": []
}

The default value of the claimMappings > username attribute is preferred_username. Change this value if the JWT access token carries the username in a claim with a different name. The other attributes in this file are ignored when authentication via JWT access token is enabled, so you do not need to set them.


Save your changes and restart License Server services after configuring the file.

Using APIs in JWT Token Mode


To access License Server or Enterprise Pack APIs when License Server is in JWT token mode, pass an access token to the API endpoint in the Authorization request header. The token is passed using the following format:

Authorization: Bearer <access token>

Refer to your identity access management software for information on how to obtain an access token.

You must pass the token with every API call, regardless of the HTTP method.
