I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token, is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication.  It requires the client application to obtain this OAuth/OIDC token.

If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

This mechanism is primarily useful for those CPE client applications that do not run on WebSphere.  So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication.  Again, it's your applications responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Hi Roger,

Thanks for your detailed explanation.

Hope you remember, you helped us to integrate Spring REST API (for FileNet functionalities like document upload and retrieve) with OKTA app (PKCE) using WebSphere OIDC RP client and interceptors. OIDC RP client validate the client token and convert that into LTPA token and with that we are receiving user context in our REST API and creating CPE connection to perform P8 operations. Here RP client and REST API are in WebSphere 9 and CPE is in WebSphere 8.5.5. And REST API is working as expected with the provided token in request header.

Below is our new use case with CPE 5.5.9 OpenTokenCredentials:

Can we use the 5.5.9 OpenTokenCredentials class to authenticate the user token and get CPE connection to perform the P8 operations directly in REST API without OIDC RP client ? If so, what are the prerequisites to implement it. 
FYI.. We just give a try with the given OpenTokenCredentials sample code to get the P8 connection with OKTA access token  but we are getting user not authenticated exception.

Please suggest!

The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token, is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication.  It requires the client application to obtain this OAuth/OIDC token.

If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

This mechanism is primarily useful for those CPE client applications that do not run on WebSphere.  So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication.  Again, it's your applications responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

The OpenTokenCredentials class cannot authenticate a user token.  It is used to take an already authenticated token and pass that on CPE API requests to the CPE server.

You application must authenticate the user token.  If your application is running in WebSphere, that is what the OIDC RP client does for you.

If you want to run your Spring REST API in a different application server or web server, then you must use the mechanisms available on those servers to perform the authentication.

Once the request is authenticated at your Spring REST API, then you can obtain the authenticated token in your application and invoke the CPE API request using the OpenTokenCredentials class. 

Hi Roger,

Thanks for your detailed explanation.

Hope you remember, you helped us to integrate Spring REST API (for FileNet functionalities like document upload and retrieve) with OKTA app (PKCE) using WebSphere OIDC RP client and interceptors. OIDC RP client validate the client token and convert that into LTPA token and with that we are receiving user context in our REST API and creating CPE connection to perform P8 operations. Here RP client and REST API are in WebSphere 9 and CPE is in WebSphere 8.5.5. And REST API is working as expected with the provided token in request header.

Below is our new use case with CPE 5.5.9 OpenTokenCredentials:

Can we use the 5.5.9 OpenTokenCredentials class to authenticate the user token and get CPE connection to perform the P8 operations directly in REST API without OIDC RP client ? If so, what are the prerequisites to implement it. 
FYI.. We just give a try with the given OpenTokenCredentials sample code to get the P8 connection with OKTA access token  but we are getting user not authenticated exception.

Please suggest!

The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token, is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication.  It requires the client application to obtain this OAuth/OIDC token.

If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

This mechanism is primarily useful for those CPE client applications that do not run on WebSphere.  So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication.  Again, it's your applications responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Also, if you are passing the OAuth/OIDC token received from Okta to the CPE Server using the OpenTokenCredentials, make sure the CPE server has also been configured to authenticate these tokens with a WebSphere OIDC RP configuration. 

If you were previously passing an LTPA token to the CPE server, then you did not need the CPE OIDC RP configuration.  Now that you are passing an OAuth/OIDC token to the CPE server, you need CPE's WebShere instance to process this token via an OIDC RP configuration.

The OpenTokenCredentials class cannot authenticate a user token.  It is used to take an already authenticated token and pass that on CPE API requests to the CPE server.

You application must authenticate the user token.  If your application is running in WebSphere, that is what the OIDC RP client does for you.

If you want to run your Spring REST API in a different application server or web server, then you must use the mechanisms available on those servers to perform the authentication.

Once the request is authenticated at your Spring REST API, then you can obtain the authenticated token in your application and invoke the CPE API request using the OpenTokenCredentials class. 

Hi Roger,

Thanks for your detailed explanation.

Hope you remember, you helped us to integrate Spring REST API (for FileNet functionalities like document upload and retrieve) with OKTA app (PKCE) using WebSphere OIDC RP client and interceptors. OIDC RP client validate the client token and convert that into LTPA token and with that we are receiving user context in our REST API and creating CPE connection to perform P8 operations. Here RP client and REST API are in WebSphere 9 and CPE is in WebSphere 8.5.5. And REST API is working as expected with the provided token in request header.

Below is our new use case with CPE 5.5.9 OpenTokenCredentials:

Can we use the 5.5.9 OpenTokenCredentials class to authenticate the user token and get CPE connection to perform the P8 operations directly in REST API without OIDC RP client ? If so, what are the prerequisites to implement it. 
FYI.. We just give a try with the given OpenTokenCredentials sample code to get the P8 connection with OKTA access token  but we are getting user not authenticated exception.

Please suggest!

The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token, is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication.  It requires the client application to obtain this OAuth/OIDC token.

If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

This mechanism is primarily useful for those CPE client applications that do not run on WebSphere.  So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication.  Again, it's your applications responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Also, if you are passing the OAuth/OIDC token received from Okta to the CPE Server using the OpenTokenCredentials, make sure the CPE server has also been configured to authenticate these tokens with a WebSphere OIDC RP configuration. 

If you were previously passing an LTPA token to the CPE server, then you did not need the CPE OIDC RP configuration.  Now that you are passing an OAuth/OIDC token to the CPE server, you need CPE's WebShere instance to process this token via an OIDC RP configuration.

The OpenTokenCredentials class cannot authenticate a user token.  It is used to take an already authenticated token and pass that on CPE API requests to the CPE server.

You application must authenticate the user token.  If your application is running in WebSphere, that is what the OIDC RP client does for you.

If you want to run your Spring REST API in a different application server or web server, then you must use the mechanisms available on those servers to perform the authentication.

Once the request is authenticated at your Spring REST API, then you can obtain the authenticated token in your application and invoke the CPE API request using the OpenTokenCredentials class. 

Hi Roger,

Thanks for your detailed explanation.

Hope you remember, you helped us to integrate Spring REST API (for FileNet functionalities like document upload and retrieve) with OKTA app (PKCE) using WebSphere OIDC RP client and interceptors. OIDC RP client validate the client token and convert that into LTPA token and with that we are receiving user context in our REST API and creating CPE connection to perform P8 operations. Here RP client and REST API are in WebSphere 9 and CPE is in WebSphere 8.5.5. And REST API is working as expected with the provided token in request header.

Below is our new use case with CPE 5.5.9 OpenTokenCredentials:

Can we use the 5.5.9 OpenTokenCredentials class to authenticate the user token and get CPE connection to perform the P8 operations directly in REST API without OIDC RP client ? If so, what are the prerequisites to implement it. 
FYI.. We just give a try with the given OpenTokenCredentials sample code to get the P8 connection with OKTA access token  but we are getting user not authenticated exception.

Please suggest!

The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token, is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication.  It requires the client application to obtain this OAuth/OIDC token.

If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

This mechanism is primarily useful for those CPE client applications that do not run on WebSphere.  So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication.  Again, it's your applications responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication

Hi Roger,

As per your suggestion, we tried with OIDC RP client with test app which has OpenTokenCredential token based authentication and it looks good.
Thanks for your inputs to make it works.

We have other challenge I wanted to check with you, Hope you remember we did setup OIDC interceptors for our REST API to authenticate the user token and it is working as expected.

Now we wanted to add one more provider for the same REST API with same filter and with different issuerIdentifier, jwkEndpointUrl, userIdentifier.

But when we pass the token which is generate with new okta issuer and we are not getting caller subject in our REST API and as per the trace log it is referring other provider jwkEndpointUrl to validate the token.

Could you please suggest us if there is any way to differentiate the call to validate the token even if we use same filter with different issuerIdentifier, jwkEndpointUrl, userIdentifier?

Thank you so much for all your assistance! 

Also, if you are passing the OAuth/OIDC token received from Okta to the CPE Server using the OpenTokenCredentials, make sure the CPE server has also been configured to authenticate these tokens with a WebSphere OIDC RP configuration. 

If you were previously passing an LTPA token to the CPE server, then you did not need the CPE OIDC RP configuration.  Now that you are passing an OAuth/OIDC token to the CPE server, you need CPE's WebShere instance to process this token via an OIDC RP configuration.

The OpenTokenCredentials class cannot authenticate a user token.  It is used to take an already authenticated token and pass that on CPE API requests to the CPE server.

You application must authenticate the user token.  If your application is running in WebSphere, that is what the OIDC RP client does for you.

If you want to run your Spring REST API in a different application server or web server, then you must use the mechanisms available on those servers to perform the authentication.

Once the request is authenticated at your Spring REST API, then you can obtain the authenticated token in your application and invoke the CPE API request using the OpenTokenCredentials class. 

Hi Roger,

Thanks for your detailed explanation.

Hope you remember, you helped us to integrate Spring REST API (for FileNet functionalities like document upload and retrieve) with OKTA app (PKCE) using WebSphere OIDC RP client and interceptors. OIDC RP client validate the client token and convert that into LTPA token and with that we are receiving user context in our REST API and creating CPE connection to perform P8 operations. Here RP client and REST API are in WebSphere 9 and CPE is in WebSphere 8.5.5. And REST API is working as expected with the provided token in request header.

Below is our new use case with CPE 5.5.9 OpenTokenCredentials:

Can we use the 5.5.9 OpenTokenCredentials class to authenticate the user token and get CPE connection to perform the P8 operations directly in REST API without OIDC RP client ? If so, what are the prerequisites to implement it. 
FYI.. We just give a try with the given OpenTokenCredentials sample code to get the P8 connection with OKTA access token  but we are getting user not authenticated exception.

Please suggest!

The Bearer token authentication mechanism introduced in 5.5.9 and described in https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=authentication-single-sign-integrations-via-content-engine-api-bearer-token, is meant to be used by CPE client applications to send an OAuth/OIDC Bearer token on CPE API requests for authentication.  It requires the client application to obtain this OAuth/OIDC token.

If the CPE client application runs on WebSphere, then this mechanism isn't required, since the CE API can directly obtain the OAuth/OIDC token from the currently logged in user, provided that user authenticated with an Identity Provider that supports OAuth/OIDC. 

This mechanism is primarily useful for those CPE client applications that do not run on WebSphere.  So if you don't want to run your application on WebSphere, then this mechanism gives you the flexibility to run it on any framework you like that supports Java or .NET and use the CPE API to send the OAuth/OIDC token that you've obtained to the CPE server for authentication.  Again, it's your applications responsibility to obtain this OAuth/OIDC token, since you won't be using WebSphere to do it for you.

Hi Ravi

Following with interest here as I believe from working with Roger & IBM Support earlier this year that the new capabilities in V5.5.9+ (OpenTokenCredentials) requires the OIDC setup you mention. We certainly required that to use it which is working nicely.

I'll be following this thread now to see what if anything has changed in my understanding of the info shared by Roger and Co earlier.

Regards, Kenny

@ROGER Bacalzo

Hi Kenny Dick,

Thanks for your response!

Yes, we did follow the Roger's tech note and with the help of Roger, we successfully implemented OKTA Token authentication in our custom Spring boot REST API with OIDC RP client and interceptors in WebSphere server, which authenticate and authorize every user request and allow the user to download/ add documents with custom REST API.

Now we wanted to make use of CPE 5.5.9 token based authentication feature in our custom REST API. Our understanding is, this new OpenTokenCredentials class will directly authenticate the user token without OIDC RP client, so that we can eliminate the RP client and interceptors dependency.

Please correct me if my understand is wrong and suggest me the steps to make use of OpenTokenCredentials to authenticate the user okta token and allow the user to view/add the documents and please let me know the required token type(web app, API app) and claims.

Thank you!

Hi Ravi

Have you read this article and links within?

https://community.ibm.com/community/user/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

Regards, Kenny

I am trying to get the P8 connections with OKTA token but it is saying user not authenticated with the sample code given in the below tech note link. Can any one suggest me with the required steps to generate the required OKTA token with any specific claims and authenticate it P8.
Security - Single sign-on integrations via Content Engine API Bearer Token Authentication