You can configure DTP to be able to authenticate via JWT Access Token for OAuth 2.0 in addition to the standard login procedure, allowing CAC/PIV card users to open a browser to DTP and authenticate automatically. In the event that authentication via JWT Access Token fails for any reason, the user will be taken to the standard login screen where they can log in with their username and password.You can configure License Server to be able to authenticate via JWT Access Token for OAuth 2.0 in addition to the standard login procedure, allowing CAC/PIV card users to open a browser to License Server and authenticate automatically. In the event that authentication via JWT Access Token fails for any reason, the user will be taken to the standard login screen where they can log in with their username and password. To set this up, follow the directions below.
Enabling Authentication via JWT Access Token
To enable authentication via JWT Access Token for OAuth 2.0, add the following JVM argument to the <DTP_INSTALLDIR>/bin/variables file as appropriate for your OS.
Linux
JAVA_CONFIG_ARGS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>
Windows
DTP_JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>
To enable authentication via JWT Access Token for OAuth 2.0, follow the directions below appropriate for your distribution.
Self-deployed distribution on Linux
Modify <LSS_INSTALLDIR>/app/setVars.sh by adding the following line:
JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>
Self-deployed distribution on Windows
Modify <LSS_INSTALLDIR>/app/setVars.bat by adding the following line:
JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>
Web-archive (war) distribution
Add the following to your JVM arguments:
-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>
Configuring Usernames
When enabled, DTP uses mappings defined in oidc.json to extract usernames from JWT access tokens. Note that these usernames must also be present in User Administration in order for authentication via JWT to work correctly.When enabled, License Server uses mappings defined in oidc.json to extract usernames from JWT access tokens. Note that these usernames must also be present in User Administration in order for authentication via JWT to work correctly. Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure usernames.
{
"enabled": false,
"issuerUri": "your issuer uri",
"clientId": "your client id",
"clientSecret": "your client secret",
"scopes": ["openid", "profile", "email"],
"claimMappings":
{
"username": "preferred_username",
"firstName": "given_name",
"lastName": "family_name",
"email": "email"
},
"adminUsers": []
}
The default value for the claimMappings > username attribute is preferred_username. Change this value if the username in the JWT access token is mapped to a different element name. The other attributes in this file are ignored when authentication via JWT access token is enabled, so you do not need to set them. Save your changes and restart DTP services after configuring the file.Save your changes and restart License Server services after configuring the file.
Using APIs in JWT Token Mode
To access DTP or Enterprise Pack APIs when DTP is in JWT token mode, pass an access token to the API endpoint in the request header using the Authorization header. To access License Server or Enterprise Pack APIs when License Server is in JWT token mode, pass an access token to the API endpoint in the request header using the Authorization header. The token is passed using the following format:
Authorization: Bearer <access token>
Refer to your identity access management software for information on how to obtain an access token.
You must pass the token for every API call, regardless of the method.
In the following example, a token with the value "1234567890" is passed to the DTP build API endpoint.
curl -X GET -H "Authorization: Bearer 1234567890" http://dtp.host.com/grs/api/v1.7/builds?limit=1000&offset=0
You can also use basic authentication with the REST API. See Using DTP REST APIs for more information.
