Content Management and Capture


FileNet Token based authentication

  • 1.  FileNet Token based authentication

    Posted Tue April 29, 2025 04:58 PM

    I am trying to get the P8 connection with an OKTA token, but it is saying "user not authenticated" with the sample code given in the tech note linked below. Can anyone suggest the required steps to generate the required OKTA token with any specific claims and authenticate it to P8?
    Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

    The Bearer Token Authentication support added to the Content Engine API allows any client, regardless of whether it runs in an application server, standalone java application, or servlet, to pass a user's identity for Single sign-on to the Content Platform Engine server.



    ------------------------------
    Ravi Kiran Saladi
    ------------------------------


  • 2.  RE: FileNet Token based authentication

    Posted Wed April 30, 2025 09:41 AM

    Hi Ravi

    Have you read this article and links within?

    https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

    Regards, Kenny



    ------------------------------
    Kenny Dick
    ------------------------------



  • 3.  RE: FileNet Token based authentication

    Posted Mon May 05, 2025 09:27 AM

    Hi Kenny Dick,

    Thanks for your response!

    Yes, we did follow Roger's tech note and, with the help of Roger, we successfully implemented OKTA token authentication in our custom Spring Boot REST API with the OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/add documents with the custom REST API.

    Now we wanted to make use of the CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is that this new OpenTokenCredentials class will directly authenticate the user token without the OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

    Please correct me if my understanding is wrong, and suggest the steps to make use of OpenTokenCredentials to authenticate the user Okta token and allow the user to view/add the documents. Please also let me know the required token type (web app, API app) and claims.

    Thank you!



    ------------------------------
    Ravi Kiran Saladi
    ------------------------------



  • 4.  RE: FileNet Token based authentication

    Posted Mon May 05, 2025 10:43 AM

    Hi Ravi

    Following with interest here, as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) require the OIDC setup you mention. We certainly required that to use it, which is working nicely.

    I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

    Regards, Kenny

    @ROGER Bacalzo



    ------------------------------
    Kenny Dick
    ------------------------------



  • 5.  RE: FileNet Token based authentication

    Posted Mon May 05, 2025 01:02 PM

    The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication. It requires the client application to obtain this OAuth/OIDC token.

    If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

    This mechanism is primarily useful for those CPE client applications that do not run on WebSphere. So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication. Again, it's your application's responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.



    ------------------------------
    ROGER Bacalzo
    ------------------------------



  • 6.  RE: FileNet Token based authentication

    Posted Tue May 06, 2025 12:58 PM

    Hi Roger,

    Thanks for your detailed explanation.

    Hope you remember, you helped us to integrate a Spring REST API (for FileNet functionalities like document upload and retrieval) with an OKTA app (PKCE) using the WebSphere OIDC RP client and interceptors. The OIDC RP client validates the client token and converts it into an LTPA token, and with that we are receiving the user context in our REST API and creating a CPE connection to perform P8 operations. Here the RP client and REST API are in WebSphere 9 and CPE is in WebSphere 8.5.5. And the REST API is working as expected with the provided token in the request header.

    Below is our new use case with CPE 5.5.9 OpenTokenCredentials:

    Can we use the 5.5.9 OpenTokenCredentials class to authenticate the user token and get a CPE connection to perform the P8 operations directly in the REST API without the OIDC RP client? If so, what are the prerequisites to implement it?
    FYI, we just tried the given OpenTokenCredentials sample code to get the P8 connection with the OKTA access token, but we are getting a "user not authenticated" exception.

    Please suggest!



    ------------------------------
    Ravi Kiran Saladi
    ------------------------------



  • 7.  RE: FileNet Token based authentication

    Posted Tue May 06, 2025 04:56 PM

    The OpenTokenCredentials class cannot authenticate a user token. It is used to take an already authenticated token and pass that on CPE API requests to the CPE server.

    Your application must authenticate the user token. If your application is running in WebSphere, that is what the OIDC RP client does for you.

    If you want to run your Spring REST API in a different application server or web server, then you must use the mechanisms available on those servers to perform the authentication.

    Once the request is authenticated at your Spring REST API, then you can obtain the authenticated token in your application and invoke the CPE API request using the OpenTokenCredentials class. 



    ------------------------------
    ROGER Bacalzo
    ------------------------------



  • 8.  RE: FileNet Token based authentication

    Posted Tue May 06, 2025 07:57 PM

    Also, if you are passing the OAuth/OIDC token received from Okta to the CPE Server using the OpenTokenCredentials, make sure the CPE server has also been configured to authenticate these tokens with a WebSphere OIDC RP configuration. 

    If you were previously passing an LTPA token to the CPE server, then you did not need the CPE OIDC RP configuration. Now that you are passing an OAuth/OIDC token to the CPE server, you need CPE's WebSphere instance to process this token via an OIDC RP configuration.



    ------------------------------
    ROGER Bacalzo
    ------------------------------



  • 9.  RE: FileNet Token based authentication

    Posted Fri May 09, 2025 04:45 PM

    Hi everyone,
    My tests with Liberty feature mpJwt-2.1 and ADFS JWT (and Spring Boot 3, but that doesn't really matter) work without the class. As far as I understand, authentication to CPE continues with LTPA.
    @Ravi Maybe you could consider migrating to Liberty.



    ------------------------------
    Andrey Voronin
    ------------------------------