Need help with JWT based Auth

I’m working on a Web Services Connector where the API uses JWT authentication. In Bruno I have written a JS script to generate the assertion and I’m using that assertion in the token URL request to obtain the access token.

In the token request body, I’m passing the client ID, client secret, grant_type, and the assertion.

Has anyone implemented this using a Before Operation Rule in ISC? If yes, could you please share a reference or example? or Is it possible to achieve this using the OAuth2.0 JWT bearer grant type

Thanks.

Hi @sandy_sandy

This shouldn’t require a before operation rule. It sounds like it should just follow the standard client credentials flow, have you tried that? Worst case, you can use the Custom Authentication operation type and accomplish this pretty easily.

Can you show us your sample Bruno flow so I can see exactly what you’re passing into the token endpoint and getting back? Please redact any sensitive details.

Hi @trettkowski ,

below is my Bruno configuration to get the access token

Hi @sandy_sandy

Webservice Connector (VA based or SaaS) already support OAuth 2.0 Authentication with Grant type : JWT Bearer Token

Have you tested that ?

There are fields for private key, JWT payload,Client Id… that you can configure directly from the UI.

ISC already know the standard process of JWT Bearer Token flow, so it will automatically perform all steps based on your configuration :

  • Sign your JWT payload with your private key (to obtain the assertion)
  • And use the configured token url, client id, and client secret to obtain the access token.
  • The grant type “urn:ietf:params:oauth:grant-type:jwt-bearer” also is automatically added, you don’t need to specify it.

Hi @baoussounda ,

Thanks for the reply.

I have a few questions regarding JWT Bearer Token authentication.

I tried using the JWT Bearer Token option in my Web Services SaaS Connector. When I tested it , I received the error shown below during the test connection.

And for the VA based connector, I see that the private key password field is a mandatory field. I don’t have a private key password but the private key

@sandy_sandy can you try to add a dummy value in passphrase field like : none

When Loading the private key, the system should detect if it is encrypted or not. In your case as it is not encrypted, the passphrase will may be ignored.

Thanks

If he still doesnt work, I have seen another post : OAuth verification for JWT Payload - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community where @tyler_mairose suggest a rule that can be used as before operation rule with Custom Authentication.