Prerequisites:
  • A client application registered with the authorization service.
  • A JWT certificate containing the private key for the registered application.
The JWT (JSON Web Token) bearer grant flow is used to retrieve access tokens without having to pass confidential credentials to an authorization provider. This is accomplished by leveraging independent security domains that have a trust relationship: an identity provider and an authorization server. The identity provider, which can be the client or a third-party service, generates the JWT from specified credential information. The client can then exchange the JWT for access tokens from the authorization server.
To configure the driver to use an authentication flow for a JWT bearer grant:
  • Configure the minimum options required for a connection:
    • If you are using a Model file, set the REST Config File (RestConfigFile) option to provide the name and location of the Model file. For example, C:/path/to/docusign.rest.
    • If you are using the REST Sample Path method, set the REST Sample Path (RestSamplePath) option to specify the endpoint that you want to connect to and sample. For example, https://example.com/countries/.
  • Set the Authentication Method (AuthenticationMethod) option to 55 (OAuth2-JWT Bearer).
    Note: To support existing configurations, the Authentication Method option will continue to support the 24 (OAuth2) value for the JWT bearer grant flow.
  • Set the Claims Issuer (ClaimsIssuer) option to specify the client ID or consumer key of the authorization server.
  • Set the Claims Subject (ClaimsSubject) option to specify your username.
  • Set the JWT Certification Store (JWTCertStore) option to specify the file path of the certificate store containing the private key used for JWT authentication.
  • If required by your grant flow, set the JWT Certification Password (JWTCertPassword) option to specify the password for the JWT certificate.
  • Optionally, set the JWT Certification Alias (JWTCertAlias) option to specify an alias for the JWT certificate.
  • If required by your grant flow, set the Token URI (TokenURI) option to specify the endpoint used to exchange authentication credentials for access tokens.
    Note: By default, the connector prefixes the token URI endpoint with a GET request method. However, some OAuth implementations require that the token URI endpoint be passed with a POST request method. In this scenario, the token URI endpoint must be prefixed with POST when specifying the value of the TokenURI option. For example: TokenURI=POST https://example.com/oauth2/authorize/.
  • If required by your authentication flow, set the Redirect URI (RedirectURI) option to specify the endpoint that the client is returned to after authenticating with a third-party service. Note that the value of the Redirect URI (RedirectURI) option must include the port number. For example, RedirectURI=http://localhost:80 or RedirectURI=http://localhost:8080.
  • If required by your grant flow, specify values for a custom HTTP header to be used for authentication, such as those used in tenant ID authentication:
    • Set the Authentication Header (AuthHeader) option to specify the name of the HTTP header used for authentication.
    • Set the Security Token (SecurityToken) option to specify the value of the HTTP header named by the Authentication Header option.

    For example, if you have a header value of Authorization:1a2bc34def567, you would specify the values AuthHeader=Authorization and SecurityToken=1a2bc34def567.

    Note: You can specify multiple custom HTTP headers using the #headers in the Model file. See "Requests with custom HTTP headers" for details.
  • Optionally, set the Scope (Scope) option to specify a space-separated list of OAuth scopes to limit the permissions granted by the access token.
The following example demonstrates a simple configuration for DocuSign using a JWT bearer grant. Note that DocuSign requires you to request application consent before using JWT authentication. After providing the following values, you can use the Fetch OAuth Token button on the Configuration Manager to fetch the application consent:
  • Client ID
  • Client secret
  • Auth URI
Refer to the DocuSign documentation for more information and the latest requirements.

Using a connection string:

DRIVER=DataDirect 8.0 Autonomous REST Connector; 
       RestConfigFile=C:/path/to/docusign.rest;AuthenticationMethod=55;
       ClaimsIssuer='1a2b3c4d5e_6f7g8h9g';ClaimsSubject=jsmith@example.com;
       JWTCertStore=jwtcert.jks;JWTCertPassword=secret;
       TokenUri=https://account-d.docusign.com/oauth/token;
       RedirectUri=http://localhost:3000;AuthHeader=response_type;SecurityToken=code;
       Scope=signature impersonation;
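
The following pre-deployment check is an added example, not part of the driver or its documentation. It parses a connection string and applies the rules from the steps above (AuthenticationMethod 55 or legacy 24, the claims and certificate store options, the optional POST prefix on TokenURI, the port in RedirectURI). The https requirement on the token endpoint and the clear-text password finding are this example's own policy, and the function names and finding texts are hypothetical.

```python
from urllib.parse import urlsplit

# Options the configuration steps always set for the JWT bearer grant.
REQUIRED = ("ClaimsIssuer", "ClaimsSubject", "JWTCertStore")

def parse_connection_string(conn):
    """Split 'Name=Value;' pairs into a dict keyed by lower-cased option name
    (the page itself writes both TokenURI and TokenUri)."""
    opts = {}
    for part in conn.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            opts[name.strip().lower()] = value.strip().strip("'")
    return opts

def has_port(uri):
    try:
        return urlsplit(uri).port is not None
    except ValueError:  # non-numeric or out-of-range port
        return False

def check_jwt_bearer_config(conn):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_connection_string(conn)
    findings = []
    if opts.get("authenticationmethod") not in ("55", "24"):  # 24 = legacy value
        findings.append("AuthenticationMethod is not 55 (or legacy 24)")
    if not (opts.get("restconfigfile") or opts.get("restsamplepath")):
        findings.append("neither RestConfigFile nor RestSamplePath is set")
    for name in REQUIRED:
        if not opts.get(name.lower()):
            findings.append(f"{name} is not set")
    token_uri = opts.get("tokenuri", "")
    # TokenURI may carry a request-method prefix: "POST https://..."
    if token_uri and urlsplit(token_uri.split()[-1]).scheme != "https":
        findings.append("TokenURI is not an https endpoint")
    redirect_uri = opts.get("redirecturi", "")
    if redirect_uri and not has_port(redirect_uri):
        findings.append("RedirectURI has no explicit port")
    if opts.get("jwtcertpassword"):  # example policy: keep secrets out of the string
        findings.append("JWTCertPassword is stored in clear text in the connection string")
    return findings

# Constructed inputs: the page's DocuSign sample and a deliberately incomplete variant.
PAGE_SAMPLE = ("DRIVER=DataDirect 8.0 Autonomous REST Connector;RestConfigFile=C:/path/to/docusign.rest;"
               "AuthenticationMethod=55;ClaimsIssuer='1a2b3c4d5e_6f7g8h9g';ClaimsSubject=jsmith@example.com;"
               "JWTCertStore=jwtcert.jks;JWTCertPassword=secret;TokenUri=https://account-d.docusign.com/oauth/token;"
               "RedirectUri=http://localhost:3000;AuthHeader=response_type;SecurityToken=code;Scope=signature impersonation;")
BROKEN = ("RestSamplePath=https://example.com/countries/;ClaimsIssuer=abc;JWTCertStore=jwtcert.jks;"
          "TokenURI=POST http://example.com/oauth2/authorize/;RedirectURI=http://localhost;")
```
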

Using an odbc.ini file with a 32-bit driver:

Driver=ODBCHOME/lib/ivautorestxx.so;
Description=My Autonomous REST Data Source
...
AuthenticationMethod=55
...
AuthHeader=response_type
...
ClaimsIssuer='1a2b3c4d5e_6f7g8h9g'
...
ClaimsSubject=jsmith@example.com
...
JWTCertStore=jwtcert.jks
...
RedirectUri=http://localhost:3000
...
RestConfigFile=C:/path/to/docusign.rest
...
TokenUri=https://account-d.docusign.com/oauth/token
...
Scope=signature impersonation
...
SecurityToken=code
...