Get JWT Authentication from Keycloak in BAW
Obtain a JWT token from Keycloak to authenticate REST API calls from IBM BAW to IBM DevOps Solution Workbench.
Description
When consuming REST APIs provided by the Workbench from IBM Business Automation Workflow (BAW), authentication is required. This How-To describes the process of obtaining a JWT (JSON Web Token) automatically from the Identity Provider (Keycloak) in IBM DevOps Solution Workbench to authenticate your API calls from BAW.
The JWT token is obtained using the OAuth 2.0 client credentials flow, which allows BAW to authenticate with Keycloak directly without user interaction. This approach is suitable for server-to-server communication between BAW and IBM DevOps Solution Workbench.
Preconditions
- API Design: You have designed the REST API in Solution Designer
- Implementation: You have implemented and pushed the REST API successfully
- Deployment: The deploy pipeline for this Project has completed successfully
- Keycloak Credentials: A client is created in your Keycloak instance with clientId and clientSecret available to you
Step-by-Step Guide
1. Prepare Keycloak Token Configuration
1.1. Download Template:
- Download the template file: keycloak_token.json
1.2. Adjust Configuration:
- Open the downloaded file and adjust the following:
  - Update the host field to point to your Keycloak instance
  - Verify and adjust the paths to match your Keycloak endpoints
2. Create BAW Integration Components
2.1. Create Toolkit:
- Create a new toolkit in BAW for reusability across different applications
2.2. Configure Environment Variables:
- Add the following environment variables:
  - CLIENT_ID: Your Keycloak client ID
  - CLIENT_SECRET: Your Keycloak client secret
2.3. Create External REST Service:
- In BAW, create an external REST service by uploading the adjusted keycloak_token.json file
- Follow the wizard with default settings
2.4. Configure SSL Settings:
- In the created server configuration, set CellDefaultSSLSettings as the SSL setting
3. Implement Token Retrieval
3.1. Create Service Flow:
- Create a new service flow named getToken
- Add jwt as an output variable
3.2. Add Authentication Script:
- Include the following JavaScript code in your service flow:
// Request an access token from Keycloak using the client credentials grant.
var request = new BPMRESTRequest();
request.externalServiceName = "keycloak_token";
request.operationName = "GetToken";
request.httpHeaders = {
    "Cache-Control": "no-cache",
    "Content-Type": "application/x-www-form-urlencoded",
    Accept: "application/json"
};
// The client credentials come from the toolkit environment variables.
request.parameters = {
    grant_type: "client_credentials",
    client_id: tw.env.CLIENT_ID,
    client_secret: tw.env.CLIENT_SECRET,
    scope: "openid"
};
var response = tw.system.invokeREST(request);
if (response.httpStatusCode === 200) {
    var content = response.content.replace(/not-before-policy/, "not_before_policy"); // BPM data type props must not have '-' chars
    var result = JSON.parse(content);
    // Hand the access token to the caller through the jwt output variable.
    tw.local.jwt = result.access_token;
} else if (response.httpStatusCode >= 400) {
    // Keycloak reports failures as JSON with an error_description field.
    var error = JSON.parse(response.content);
    throw new Error(error.error_description);
} else {
    throw new Error("General error");
}
4. Configure SSL Trust (If Needed)
4.1. Add Trust for Keycloak Endpoint:
- If you encounter SSL errors, configure trust in WebSphere Application Server:
  - Navigate to: Security → SSL certificate and key management → Key stores and certificates → CellDefaultTrustStore → Signer certificates → Retrieve from port
  - Enter your Keycloak environment details (hostname and port)
  - Complete the certificate import process
5. Using the Token in API Calls
5.1. Call the Token Service:
- In your BAW processes, first call the getToken service flow
- The service returns the JWT token in the jwt output variable
5.2. Include Token in API Calls:
- Use the returned token in the Authorization header when calling Workbench APIs:
  - Add header: Authorization: Bearer [jwt value]
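A stricter take on the response handling from step 3.2 and the header from step 5.2, as an added example that is not part of the original guide or of the product's own code: it validates the token reply before building the Authorization value and limits error text to the OAuth error fields. It is plain JavaScript run outside BAW; parseTokenResponse, the 30-second margin and the sample replies are assumptions constructed for illustration.

```javascript
// Added example; parseTokenResponse and EXPIRY_MARGIN_S are hypothetical names.
var EXPIRY_MARGIN_S = 30; // assumption: renew this many seconds before expiry

// Turn a token-endpoint reply (status code + raw body) into a header value.
function parseTokenResponse(status, body, nowMs) {
  var data = null;
  try { data = JSON.parse(body); } catch (e) { /* not JSON, e.g. a proxy error page */ }

  if (status !== 200) {
    // Report only the OAuth error fields; never echo the raw body or the request parameters.
    var code = data && typeof data.error === "string" ? data.error : "http_" + status;
    var desc = data && typeof data.error_description === "string" ? data.error_description : "no description";
    throw new Error("Token request failed: " + code + " (" + desc + ")");
  }
  if (!data || typeof data.access_token !== "string") {
    throw new Error("Token response has no access_token");
  }
  if (String(data.token_type).toLowerCase() !== "bearer") {
    throw new Error("Unexpected token_type: " + data.token_type);
  }
  // The guide expects a JWT: three base64url segments separated by dots.
  // The strict character set also keeps CR/LF out of the header value.
  if (!/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(data.access_token)) {
    throw new Error("access_token is not a compact JWT");
  }
  var ttl = typeof data.expires_in === "number" ? data.expires_in : 0;
  return {
    authorization: "Bearer " + data.access_token,
    // Time (ms since epoch) after which a fresh token should be requested.
    refreshAfterMs: nowMs + Math.max(ttl - EXPIRY_MARGIN_S, 0) * 1000
  };
}

// Constructed sample replies (not real tokens or captured traffic).
var SAMPLE_OK = JSON.stringify({
  access_token: "aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl", expires_in: 300,
  token_type: "Bearer", "not-before-policy": 0, scope: "openid"
});
var SAMPLE_DENIED = JSON.stringify({
  error: "unauthorized_client", error_description: "Invalid client or Invalid client credentials"
});
var SAMPLE_HTML = "<html><body>502 Bad Gateway</body></html>";

var ok = parseTokenResponse(200, SAMPLE_OK, 0);
console.log(ok.authorization, ok.refreshAfterMs);
```

The refreshAfterMs value lets a caller reuse one token until shortly before it expires instead of requesting a new one for every API call.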
Conclusion
Congratulations! You have successfully established JWT authentication between the Workbench and BAW. You can now use the token to authenticate REST API calls from BAW to IBM DevOps Solution Workbench services.