
Need information on enabling JWT for authentication of Rest/OData Webservices on VDP

We're planning to implement OAuth/JWT based authentication for Rest and OData webservices exposed by the Denodo VDP. We've gone through the documentation that provides details around this:

https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/server_configuration/server_authentication/oauth_authentication/oauth_authentication

https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/server_configuration/server_authentication/oauth_authentication/setting-up_the_oauth_authentication_in_the_virtual_dataport_server

However, we still have a few questions for which we need your help:

1. We're planning to implement a client credentials flow, as the client that would be authenticating to Denodo APIs would be a system and there won't be any active user behind the scenes, so we want to check whether Denodo would support that.
2. The first link talks about providing the user's role in the JWT under the scope or scp attribute in the JWT. The role would be the privilege defined in Denodo for a particular VDB that the user wants to connect to. In the present situation we have Kerberos enabled for authentication and the client is sending a service account which is verified against our LDAP to get the group ownership, and the name of the group matches the role defined. I'm not sure how we can achieve this using JWT and client credentials flow. Our IdP is Microsoft Azure Active Directory; do you have any customer trying something similar?

We'd want to get some guidance for enabling OAuth JWT. If anyone has any idea or suggestion, it would be of great help.
user
20-06-2022 12:08:17 -0400

3 Answers

Hi,

In general, the **client credential flow** grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as **daemons or service accounts**. If your identity provider is capable of supporting client credentials flow and able to provide access tokens to the target Denodo REST/SOAP Web service, this flow can be used and there are no barriers on the Denodo side in this aspect.

Regarding your second question, when a JWT token does not contain a field to obtain the name of the scopes, you can use either **Global or custom LDAP configuration** to obtain the role name from the LDAP systems. When using this approach the **“Subject field name”** attribute in the JWT token must contain the service account name that should have returned the roles/groups information from the LDAP system.

The Global/Custom LDAP configuration to obtain the role information for an OAuth authentication can be configured in **Administration > Server Configuration > Server authentication > OAuth > Role configuration**.

You can have a look at the Knowledge Base article [How to configure published web services with Oauth and Azure AD](https://community.denodo.com/kb/en/view/document/How%20to%20configure%20published%20web%20services%20with%20Oauth%20and%20Azure%20AD) for more information.

Hope this helps!
Denodo Team
21-06-2022 04:58:10 -0400
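An added example, not part of the thread and not Denodo's code: a small inspector that shows whether an access token carries roles in `scope`/`scp` or whether, as the answer above describes, roles would have to come from an LDAP lookup on the subject field. The `sub` claim name, the role names and both tokens are constructed assumptions, and the payload is decoded without signature verification, so this is for examining your IdP's tokens only, never for authorizing a request.

```python
import base64
import json

def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_payload(token):
    """Return the claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)          # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

# subject_field stands in for the configured "Subject field name";
# "sub" is an assumption, use whatever your server is configured with.
def role_source(claims, subject_field="sub", scope_fields=("scope", "scp")):
    """Say where role names would come from for this token."""
    for field in scope_fields:
        value = claims.get(field)
        if isinstance(value, str):        # space-delimited string form
            value = value.split()
        if value:
            return {"source": "jwt:" + field, "roles": list(value)}
    subject = claims.get(subject_field)
    if not subject:
        raise ValueError("no scope claim and no %r claim to look up in LDAP" % subject_field)
    return {"source": "ldap", "lookup_user": subject}

# Constructed sample tokens (the signature segment is a dummy value).
HEADER = _b64url({"alg": "RS256", "typ": "JWT"})
WITH_SCP = ".".join([HEADER, _b64url({"sub": "svc-reporting", "scp": "sales_ro finance_ro"}), "sig"])
NO_SCOPE = ".".join([HEADER, _b64url({"sub": "svc-reporting", "aud": "api://example"}), "sig"])

if __name__ == "__main__":
    for tok in (WITH_SCP, NO_SCOPE):
        print(role_source(decode_payload(tok)))
```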
Hi Denodo team - I am in a similar situation. Following your advice, I cannot see "**role configuration**" under Administration > Server Configuration > Server authentication in the VDP Admin tool. I am using Denodo Platform 8 and have installed update 20220126 on the server and the VDP Admin tool. Is the "**role configuration**" option added in an update after this one?
user
10-08-2022 05:27:08 -0400
Hi,

I would be able to configure the Global/Custom LDAP configuration to obtain the role information for an OAuth authentication by following the steps mentioned below in the Virtual DataPort Administration tool:

* Navigate to *Administration > Server Configuration > Server authentication*
* Select the **OAuth (wizard)**
* Now choose any of the below options in the **Role configuration (Section)** to use Global/Custom LDAP configuration:
  * **Use Global LDAP configuration**: It will use the global LDAP configuration to retrieve the user roles from the LDAP server.
  * **Use custom LDAP configuration**: It will use the specific configuration defined in the dialogue to retrieve the user roles from the LDAP server.

Hope this helps!
Denodo Team
10-08-2022 08:00:17 -0400