Prerequisites

  • A client application registered with the authorization service.
  • A JWT certificate containing the private key for the registered application.

The JWT (JSON Web Token) bearer grant flow is used to retrieve access tokens without having to pass confidential credentials to an authorization provider. This is accomplished by leveraging independent security domains that have a trust relationship: an identity provider and an authorization server. The identity provider, which can be the client or a third-party service, generates the JWT from specified credential information. The client can then exchange the JWT for access tokens from the authorization server.

To configure the driver to use a JWT bearer grant flow:

  • Configure the minimum properties required for a connection:
    • If you are using a Model file, set the Config property to provide the name and location of the Model file. For example, C:/path/to/docusign.rest.
    • If you are using the Sample property, set the Sample property to specify the endpoint that you want to connect to and sample. For example, https://example.com/countries/.
  • Set the AuthenticationMethod property to OAuth2-JWTBearer.
    Note: To support existing configurations, the AuthenticationMethod property will continue to support the OAuth2 value for the JWT bearer grant.
  • Set the ClaimsIssuer property to specify the client ID or consumer key of the authorization server.
  • Set the ClaimsSubject property to specify your username.
  • Set the JWTCertStore property to specify the file path of the certificate store containing the private key used for JWT authentication.
  • If required by your grant flow, set the JWTCertPassword property to specify the password for the JWT certificate.
  • Optionally, set the JWTCertAlias property to specify an alias for the JWT certificate.
  • If required by your grant flow, set the TokenURI property to specify the endpoint used to exchange authentication credentials for access tokens.
  • If required by your grant flow, set the RedirectURI property to specify the endpoint that the client is returned to after authenticating with a third-party service.
  • If required by your grant flow, specify values for a custom HTTP header to be used for authentication, such as those used in tenant ID authentication:
    • Set the AuthHeader property to specify the name of the HTTP header used for authentication.
    • Set the SecurityToken property to specify the value of the HTTP header named by the AuthHeader option.

    For example, if you have the header Authorization:1a2bc34def567, you would specify AuthHeader=Authorization and SecurityToken=1a2bc34def567.

    Note: You can specify multiple custom HTTP headers using the #headers in the Model file. See "Requests with custom HTTP headers" for details.
  • If required by your grant flow, set the Scope property to specify a space-separated list of OAuth scopes to limit the permissions granted by the access token.

The following example demonstrates a simple configuration for DocuSign™ using a JWT bearer grant. Note that DocuSign requires you to request application consent before using JWT authentication. After providing the following values, you can use the Fetch OAuth Token button in the Configuration Manager to fetch the application consent:
  • Client ID
  • Client secret
  • Auth URI
Refer to the DocuSign documentation for more information and the latest requirements.

Using a connection URL:

// The URL is joined with + because a Java string literal cannot span lines.
Connection conn = DriverManager.getConnection(
    "jdbc:datadirect:autorest:Config=C:/path/to/docusign.rest;"
    + "AuthenticationMethod=OAuth2-JWTBearer;ClaimsIssuer=1a2-b3c4-d5e6-f7g8-h9g;"
    + "ClaimsSubject=1ab234cd-ef56-78gh;JWTCertStore=jwtcert.jks;"
    + "JWTCertPassword=secret;TokenUri=https://account-d.docusign.com/oauth/token;"
    + "RedirectUri=http://localhost:3000;AuthHeader=response_type;"
    + "SecurityToken=code;Scope=signature impersonation;");

Using a data source:

AutoRESTDataSource mds = new AutoRESTDataSource();
mds.setDescription("My Autonomous REST Data Source");
mds.setAuthenticationMethod("OAuth2-JWTBearer");
mds.setAuthHeader("response_type");
mds.setClaimsIssuer("1ab234cd-ef56-78gh");
mds.setClaimsSubject("jsmith@example.com");
mds.setConfig("C:/path/to/docusign.rest");
mds.setJWTCertStore("jwtcert.jks");
mds.setRedirectUri("http://localhost:3000");
mds.setTokenUri("https://account-d.docusign.com/oauth/token");
mds.setScope("signature impersonation");
mds.setSecurityToken("code");
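
The following added example (not part of the driver or its documentation) shows what the JWT bearer grant described above puts on the wire, following RFC 7523: the client signs a short-lived assertion with its private key and posts only that assertion to the token endpoint. The mapping of ClaimsIssuer, ClaimsSubject and Scope to the iss, sub and scope claims, the aud value, the five-minute lifetime, the class and method names, and the throwaway RSA key standing in for the key in JWTCertStore are all assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;

public class JwtBearerGrantDemo {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    static String b64(String s) { return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Builds an RS256-signed assertion. Inputs must not need JSON escaping.
    static String buildAssertion(KeyPair key, String iss, String sub, String aud,
                                 String scope, long now) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d,\"scope\":\"%s\"}",
            iss, sub, aud, now, now + 300, scope); // 5-minute lifetime (assumption)
        String signingInput = b64(header) + "." + b64(claims);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(signer.sign());
    }

    // Checks the signature with the public key, as the authorization server would.
    static boolean verify(KeyPair key, String jwt) throws Exception {
        String[] p = jwt.split("\\.");
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key.getPublic());
        v.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        return v.verify(Base64.getUrlDecoder().decode(p[2]));
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key; a real client loads it from its certificate store.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair key = gen.generateKeyPair();
        String jwt = buildAssertion(key, "example-client-id", "example-user-id",
            "account-d.docusign.com", "signature impersonation", Instant.now().getEpochSecond());
        System.out.println("signature valid: " + verify(key, jwt));
        // Form body a client would POST to the token endpoint (TokenURI).
        String body = "grant_type=" + URLEncoder.encode(
            "urn:ietf:params:oauth:grant-type:jwt-bearer", "UTF-8") + "&assertion=" + jwt;
        System.out.println(body);
    }
}
```

The private key never leaves the client; the authorization server needs only the matching public key, which is why the certificate store and its password are the credentials to protect in this flow.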