5. AQ_RestServiceClient

An AQ_RestServiceClient service call can forward the access token of the currently logged in user to the called web service. In order to enable this functionality, the following configuration is required:

• the Runtime must be configured to use OpenID Connect login
• the HTTP connection used by the given AQ_RestServiceClient service call must be configured to use OpenID Connect authentication

Example configuration:

# the Runtime must be configured to use OpenID Connect login
blueriq.security.login-type=openid-connect


# the HTTP connection must be configured to use OpenID Connect authentication
blueriq.connection.Example.http.url=http://example.com/rest/service
blueriq.connection.Example.http.authentication=openid-connect

When the REST service definition used by the AQ_RestServiceClient uses the Authorization header in the request definition, the value of the Authorization header is overwritten with the access token of the currently logged in user, if one exists. The validity (and in particular the expiration date) of the access token is not checked. It is up to the receiving service to validate the token and return an error if the token is not acceptable for any reason (eg. expired, not issued by the identity provider expected by the remote service, the user is not granted access to the remote service based on the user/role/team information in the access token, etc). If the remote service rejects the access token (by returning a 4xx or 5xx status code, typically 401 or 403), the AQ_RestServiceClient will take the exception exit.

When an AQ_RestServiceClient using openid-connect authentication is executed, and there is no currently logged in user (eg. when the project did not require authentication when starting), or if the currently logged in user was not authenticated via OpenID Connect, no Authorization header is added. If an Authorization header was used in the model, it is left unchanged.