REST API security issues are best handled through API management software that can authorize users for REST APIs on z/TPF. The API management layer can perform the authorization before sending the request into z/TPF. What the z/TPF system understands regarding the authorization is up to the application. The REST provider support allows REST APIs to be defined through OpenAPI, in which something like an OAuth header can be defined to pass authorization information. It is up to the z/TPF application to process the header data, which could be stored by DFDL as a string. There is no specific JWT support apart from creating a Java application on z/TPF to handle the request.
If a JWT needs to be handled on z/TPF, there are several functions that can be employed such as tpf_base64Encode/tpf_base64Decode and tpf_RSA_sign/tpf_RSA_verify, or an idea can be opened if there's a business need to more easily handle such data by the application. Let me know if this helps.
------------------------------
Bradd Kadlecik
------------------------------
Original Message:
Sent: Tue October 24, 2023 11:33 AM
From: Pavankumar Prabhu
Subject: Does z/TPF Rest API support JWT token utility in TPF system?
Hi, it is amazing that we are in a world where z/TPF has moved on from XMLs and into REST APIs. Considering the current world, with security issues handled by a middle layer consisting of a Java application that authorizes bearer tokens from users/consumers, providing authorization and sending requests to z/TPF via DFDLs, I am thinking of a use case where consumers directly hit a z/TPF application via REST API. Does z/TPF support a JWT token utility in the TPF system? What is the best way to handle such scenarios? Many thanks
------------------------------
Pavankumar Prabhu
------------------------------
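The checks an application has to make on a JWT received in an authorization header, using the two primitives named in the reply above (base64 decoding and RSA signature verification), as an added Python example that is not part of the thread and does not call any z/TPF API. It assumes an RS256 token; the key pair, claims and function names are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key built from two Mersenne primes: NOT secure, runnable offline only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg):
    """Expected padded block for RSASSA-PKCS1-v1_5 with SHA-256."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_rs256(claims):
    """Issuer side (hypothetical helper) so the example has a token to check."""
    head = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64url_encode(json.dumps(claims).encode())
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode()), "big")
    return signing_input + "." + b64url_encode(pow(em, D, N).to_bytes(K, "big"))

def verify_rs256(token, now=None):
    """Return the claims of a valid token, raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose "none" or an HMAC variant.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        raise ValueError("bad signature")
    # The signature covers the encoded header and payload exactly as received.
    em = pow(s, E, N).to_bytes(K, "big")
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{h64}.{p64}".encode())):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # parse claims only after verification
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims
```

A production check would also validate the issuer and audience claims against the values the application expects.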