When connecting to a Document Management System via the CMIS standard, you may need to use JSON Web Tokens (JWT) for authentication. This article describes the steps needed to configure the CMIS plugin to use JWT authentication. The CMIS plugin allows a custom authentication provider to be configured through the property 'blueriq.cmis.authProviderClassName' in 'application-cmis-client.properties'; a custom authentication provider for JWT is included in the CMIS plugin. Please note that when the property 'blueriq.cmis.authProviderClassName' is set, basic authentication (blueriq.cmis.user, blueriq.cmis.password) is no longer applied.

JSON Web Token custom authentication provider

The JWT standard specifies a web-friendly token format, somewhat comparable to SAML assertions. The token usually contains claims about someone's identity and roles, the system that issued the token, the system the token is intended for, and when the token expires. JWTs are often cryptographically signed and can be compressed and/or encrypted as well.

The Blueriq JWT authentication provider currently supports only 'SHA256withRSA' (the JWT 'alg' value RS256) for signing JWTs. The RSA private key and X.509 certificate are loaded from a Java keystore. Generated JWTs expire one hour after they are generated. It is entirely up to the receiving system to validate the JWTs. Use the 'x5t#S256' or 'x5t' certificate thumbprint header to select the correct RSA public key for signature validation.

Key store example

<JAVA_HOME>\bin\keytool -list -keystore test_keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

example_only_cert, 12-nov-2015, trustedCertEntry,
Certificate fingerprint (SHA1): EA:1A:31:BB:6C:A5:70:B0:A8:CB:BA:18:CA:AD:D4:6A:D1:0A:50:99
example, 11-nov-2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 55:BD:8F:4A:97:B4:76:FB:02:D6:6B:50:AC:D7:94:13:86:FC:91:4B

JWT example

Header:
{
  "x5t": "Vb2PSpe0dvsC1mtQrNeUE4b8kUs",
  "alg": "RS256"
}

Payload:
{
  "iss": "CompanyName",
  "aud": "IBM Filenet",
  "sub": "CMIS",
  "idp": "active directory",
  "nbf": 1450537298,
  "exp": 1450540898,
  "iat": 1450537298,
  "identity": "employee@company.com"
}
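As an added example (not part of the Blueriq plugin or this article), the receiving side of the exchange above in Python: it derives the 'x5t' thumbprint from the keytool fingerprint in the keystore listing (which yields exactly the value in the sample header), selects the trusted certificate from the JWT header, and checks issuer, audience and the one-hour validity window. The RSA SHA-256 signature check itself is done with a JOSE library using the selected public key and is not shown; the trust-store mapping and alias names are assumptions.

```python
import base64
import json

# Constructed from the article: the 'example' keystore entry fingerprint and the sample JWT.
EXAMPLE_FINGERPRINT = "55:BD:8F:4A:97:B4:76:FB:02:D6:6B:50:AC:D7:94:13:86:FC:91:4B"
EXAMPLE_HEADER = {"x5t": "Vb2PSpe0dvsC1mtQrNeUE4b8kUs", "alg": "RS256"}
EXAMPLE_PAYLOAD = {"iss": "CompanyName", "aud": "IBM Filenet", "sub": "CMIS",
                   "nbf": 1450537298, "exp": 1450540898, "iat": 1450537298}


def b64url(raw: bytes) -> str:
    """base64url without padding, as JOSE uses it (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def thumbprint_from_fingerprint(fingerprint: str) -> str:
    """x5t (SHA1) or x5t#S256 (SHA256) value for a keytool 'Certificate fingerprint';
    keytool already prints the digest of the DER certificate, only the encoding changes."""
    return b64url(bytes.fromhex(fingerprint.replace(":", "")))


def unverified_header(token: str) -> dict:
    """Decode the first segment of a compact JWT; nothing is trusted yet."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def select_key(header: dict, trusted: dict) -> str:
    """Pick the verification certificate via the thumbprint header, preferring
    x5t#S256 over the SHA1-based x5t. 'trusted' maps thumbprint -> keystore alias."""
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r, provider only issues RS256" % header.get("alg"))
    for name in ("x5t#S256", "x5t"):
        if name in header:
            alias = trusted.get(header[name])
            if alias is None:
                raise ValueError("certificate thumbprint in %s is not trusted" % name)
            return alias
    raise ValueError("no x5t#S256 or x5t header, cannot select a public key")


def check_claims(payload: dict, now: int, issuer: str, audience: str,
                 max_lifetime: int = 3600) -> bool:
    """Issuer, audience and time-window checks the receiving system must do itself.
    The Blueriq provider issues one-hour tokens, so longer lifetimes are rejected."""
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        return False
    if not (payload["nbf"] <= now < payload["exp"]):
        return False
    return payload["exp"] - payload["iat"] <= max_lifetime


# Trust store of the receiving system, keyed by thumbprint (constructed for this example).
TRUSTED = {thumbprint_from_fingerprint(EXAMPLE_FINGERPRINT): "example"}
```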

JWT properties

To use the JWT authentication provider, set 'blueriq.cmis.authProviderClassName' to 'com.blueriq.component.cmis.client.impl.jwt.JwtAuthenticationProvider'. The claims to put in the JWT are configured in 'application-cmis-client.properties'. All property names that start with 'blueriq.cmis.authProviderConfiguration.jwt.claims.' are interpreted as claims with fixed values. For example, 'blueriq.cmis.authProviderConfiguration.jwt.claims.idp=digid' adds a claim named 'idp' with the value 'digid'. All JWT properties have a descriptive comment in the 'application-cmis-client.properties' file.

1 Comment

  1. For at least BQ10 and higher, the authProvider class name should be the following: "com.blueriq.component.cmis.client.impl.jwt.JwtAuthenticationProvider"