You can configure DTP to be able to authenticate via JWT Access Token for OAuth 2.0 in addition to the standard login procedure, allowing CAC/PIV card users to open a browser to DTP and authenticate automatically. In the event that authentication via JWT Access Token fails for any reason, the user will be taken to the standard login screen where they can log in with their username and password. To set this up, follow the directions below.

Enabling Authentication via JWT Access Token

To enable authentication via JWT Access Token for OAuth 2.0, add the following JVM argument to the <DTP_INSTALL>/bin/variables file as appropriate for your OS.

Linux

JAVA_CONFIG_ARGS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>

Windows

DTP_JAVA_OPTS=-Dcom.parasoft.oauth2.jwks.uri=<JWKS endpoint>

Configuring Usernames

When enabled, DTP uses mappings defined in the oidc.json file to extract usernames from JWT access tokens. Note that these usernames must also be present in User Administration in order for authentication via JWT to work correctly. Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure usernames. 

Default contents of the oidc.json File
{
"enabled": false,
"issuerUri": "your issuer uri",
"clientId": "your client id",
"clientSecret": "your client secret",
"scopes": ["openid", "profile", "email"],
"claimMappings":
	{ 
		"username": "preferred_username", 
		"firstName": "given_name", 
		"lastName": "family_name", 
		"email": "email" 
	},
"adminUsers": []
}

The default value for the claimMappings > username attribute is preferred_username. Change this value if the username in the JWT access token is mapped to a different element name. The other attributes in this file are ignored when authentication via JWT access token is enabled, so you do not need to set them. Save your changes and restart DTP services after configuring the file.

Using APIs in JWT Token Mode

To access DTP or Enterprise Pack APIs when DTP is in JWT token mode, pass an access token to the API endpoint in the request header using the Authorization header. The token is passed using the following format:

Authorization: Bearer <access token>

Refer to your identity access management software for information on how to obtain an access token.

You must pass the token for every API call, regardless of the method. 

In the following example, a token with the value 1234567890 is passed to the DTP build API endpoint.

curl -X GET -H "Authorization: Bearer 1234567890" http://dtp.host.com/grs/api/v1.7/builds?limit=1000&offset=0
You can also use basic authentication with the REST API. See Using DTP REST APIs for more information.

  • No labels