You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.

An AQ_RestServiceClient service call can forward the access token of the currently logged-in user to the called web service. To enable this functionality, the following configuration is required:

  • the Runtime must be configured to use OpenID Connect login
  • the HTTP connection used by the given AQ_RestServiceClient service call must be configured to use OpenID Connect authentication


Example configuration:

# the Runtime must be configured to use OpenID Connect login
blueriq.security.login-type=openid-connect


# the HTTP connection must be configured to use OpenID Connect authentication
blueriq.connection.Example.http.url=http://example.com/rest/service
blueriq.connection.Example.http.authentication=openid-connect

See AQ_RestServiceClient for more information about how to define the HTTP connection for an AQ_RestServiceClient service call.

When an HTTP connection is configured with the openid-connect authentication type, it must not also be configured with a username, password or domain. Defining both openid-connect authentication and username/password/domain on the same connection is considered a configuration error.
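
The following check is an added example, not part of the Blueriq documentation or product: a small Python linter that reads properties text and reports the configuration error described above, as well as a missing OpenID Connect login type. The `username`, `password` and `domain` key names under `blueriq.connection.<name>.http.` are assumed, the sample values are constructed, and the plain-HTTP warning is an extra check that goes beyond what this page requires.

```python
import re

# Constructed sample; the username/password/domain key names are assumed.
SAMPLE = """\
blueriq.security.login-type=openid-connect
blueriq.connection.Example.http.url=https://example.com/rest/service
blueriq.connection.Example.http.authentication=openid-connect
blueriq.connection.Legacy.http.url=http://legacy.example.com/api
blueriq.connection.Legacy.http.authentication=openid-connect
blueriq.connection.Legacy.http.username=svc-account
blueriq.connection.Legacy.http.password=changeit
"""

CONN_KEY = re.compile(r"^blueriq\.connection\.([^.]+)\.http\.([^.]+)$")
CONFLICTING = {"username", "password", "domain"}


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def lint(text):
    """Return a sorted list of (connection, problem) findings."""
    props = parse_properties(text)
    connections = {}
    for key, value in props.items():
        if m := CONN_KEY.match(key):
            connections.setdefault(m.group(1), {})[m.group(2)] = value
    oidc = {n: c for n, c in connections.items() if c.get("authentication") == "openid-connect"}
    findings = []
    if oidc and props.get("blueriq.security.login-type") != "openid-connect":
        findings.append(("*", "blueriq.security.login-type is not openid-connect"))
    for name, conn in oidc.items():
        for field in sorted(conn.keys() & CONFLICTING):
            findings.append((name, f"{field} set together with openid-connect authentication"))
        if conn.get("url", "").lower().startswith("http://"):
            findings.append((name, "access token would be sent over plain HTTP"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in lint(SAMPLE):
        print(f"{name}: {problem}")
```
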


When the REST service definition used by the AQ_RestServiceClient uses the Authorization header in the request definition, the value of the Authorization header is overwritten with the access token of the currently logged-in user, if one exists. The validity (and in particular the expiration date) of the access token is not checked. It is up to the receiving service to validate the token and return an error if the token is not acceptable for any reason (e.g. it has expired, it was not issued by the identity provider expected by the remote service, or the user is not granted access to the remote service based on the user/role/team information in the access token). If the remote service rejects the access token (by returning a 4xx or 5xx status code, typically 401 or 403), the AQ_RestServiceClient will take the exception exit.


When an AQ_RestServiceClient using openid-connect authentication is executed and there is no currently logged-in user (e.g. when the project did not require authentication when starting), or the currently logged-in user was not authenticated via OpenID Connect, no Authorization header is added. If an Authorization header was used in the model, it is left unchanged.
