You can configure DTP to be able to authenticate via JWT Access Token for OAuth 2.0 in addition to the standard login procedure, allowing CAC/PIV card users to open a browser to DTP and authenticate automatically. In the event that authentication via JWT Access Token fails for any reason, the user will be taken to the standard login screen where they can log in with their username and password. To set this up, follow the directions below.
Table of Contents |
---|
Enabling Authentication via JWT Access Token
To enable authentication via JWT Access Token for OAuth 2.0, add the following JVM argument to the <DTP_INSTALL>/bin/variables
file as appropriate for your OS.
Linux
Code Block | ||
---|---|---|
| ||
JAVA_CONFIG_ARGS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint> |
Windows
Code Block | ||
---|---|---|
| ||
DTP_JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint> |
Configuring Usernames
When enabled, DTP uses mappings defined in the oidc.json file to extract usernames from JWT access tokens. Note that these usernames must also be present in User Administration in order for authentication via JWT to work correctly. Open the oidc.json file located in the <DTP_DATA_DIR>/conf
directory to configure usernames.
Code Block | ||||
---|---|---|---|---|
| ||||
{ "enabled": false, "issuerUri": "your issuer uri", "clientId": "your client id", "clientSecret": "your client secret", "scopes": ["openid", "profile", "email"], "claimMappings": { "username": "preferred_username", "firstName": "given_name", "lastName": "family_name", "email": "email" }, "adminUsers": [] } |
The default value for the claimMappings > username
attribute is preferred_username
. Change this value if the username in the JWT access token is mapped to a different element name. The other attributes in this file are ignored when authentication via JWT access token is enabled, so you do not need to set them. Save your changes and restart DTP services after configuring the file.
Using APIs in JWT Token Mode
To access DTP or Enterprise Pack APIs when DTP is in JWT token mode, pass an access token to the API endpoint in the request header using the Authorization header. The token is passed using the following format:
Authorization: Bearer <access token>
Refer to your identity access management software for information on how to obtain an access token.
You must pass the token for every API call, regardless of the method.
In the following example, a token with the value 1234567890
is passed to the DTP build API endpoint.
Code Block | ||
---|---|---|
| ||
curl -X GET -H "Authorization: Bearer 1234567890" http://dtp.host.com/grs/api/v1.7/builds?limit=1000&offset=0 |