In this article we will see how you can make your Active Directory authentication with AgilePoint NX more secure by using a Bearer token.
Before we dive into this topic, let's clarify the terminology around Bearer tokens and JSON Web Tokens (JWT), since the two terms are often used interchangeably.
JWT is an encoding standard for tokens that carry a JSON data payload, which can be signed and encrypted.
JWT can be used for many things, among them bearer tokens: a piece of information that you present to a service and that, by virtue of your having it (you being the “bearer”), grants you access to something.
So JWT is a particular type of token, and a JWT can absolutely be used as a Bearer token, which is what we are going to do.
By default, when a user logs in to the AgilePoint portal with Active Directory authentication, AgilePoint Portal uses the basic authentication mechanism to call the AgilePoint Server APIs.
In basic HTTP authentication, a request carries an Authorization header in which the credentials are passed as the base64-encoded string of the username and password joined by a single colon (:). Basic authentication is specified in RFC 7617 from 2015 and is an industry standard.
Basic authentication headers can be protected in transit with an SSL certificate and, as I said, basic authentication is an industry standard used by a lot of systems. If you nevertheless prefer not to use it, AgilePoint has always supported a wide range of token-based authentication providers, for example Azure Active Directory, ADFS, Okta, Salesforce, Identity Server 4, Ping Federate, Google, etc., which not only use a secure Bearer token but also provide Single Sign-On.
However, customers might want to keep Active Directory as the provider while not using basic authentication for the interaction with AgilePoint Server, because the base64-encoded credentials are stored in a cookie that UI elements use to call the AgilePoint APIs directly.
Starting with AgilePoint NX 7.0 Software Update 2, you can configure AgilePoint Portal, SharePoint On-Prem and the Mobile Apps to use Active Directory as the provider but a bearer token, instead of basic authentication, to call the AgilePoint APIs.
This is achieved with a built-in JWT token provider in the engine: it takes the user's credentials in the first server-to-server call and generates an encrypted JWT token, signed with a secured key phrase or a certificate, that can only be decrypted by the AgilePoint Server, which makes the communication secure.
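To make the contrast between the two mechanisms concrete, here is an added example that is not AgilePoint's code (the engine's token format, key handling and claims are not described on this page and are not assumed here). It shows that a Basic header is nothing more than base64 of the credentials, and then mints and verifies a minimal HS256-signed JWT with an expiry, so that a tampered, re-keyed or expired token is rejected. The key and the sample credentials are constructed values.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

def encode_basic_header(user: str, password: str) -> str:
    """Build the RFC 7617 header value: 'Basic ' + base64(user ':' password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def decode_basic_header(header: str) -> Tuple[str, str]:
    """Recover the credentials from a Basic header; base64 is encoding, not protection."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user, password  # only the first colon separates user from password

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (header.payload.signature); the signing key stays server-side."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_jwt(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if the signature checks out and 'exp' has not passed, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # payload or signature altered, or signed with a different key
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if "exp" in claims and now >= claims["exp"]:
        return None  # a leaked bearer token stops working; leaked Basic credentials do not
    return claims
```

Unlike the Basic header, the JWT carries no password at all, and a caller without the server-side key can neither forge nor alter it.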
Here is a short video on how you can configure this feature.