Do we have a step by step guide on how to setup token based authentication for the jsreport API for consuming the reports?
-
Please guide us with this configuration process to implement JWT-based Bearer token authentication for the jsreport APIs.
-
This is all we have now...
https://jsreport.net/learn/authentication#authentication-using-an-authorization-server
https://jsreport.net/blog/single-sign-on-with-keycloak
-
We are using JWT secret key, JWT Issuer and JWT Audience.
How to use these values in jsreport.config.json to validate incoming API requests?
-
for the Token based authentication the steps described here are all that we support currently, not sure if it is possible right now to support a token that requires a secret key, issuer and audience to be validated.
however, we support sending extra values when doing the request to validate the token against the authorization server, you can set up these extra values using the
authorizationServer.introspectionRequest.extraBody
configuration, these values are going to be included in the body of the request so technically if your authorization server supports reading the key, issuer and audience from the body then you can make this work.// ..rest of config here.. "extensions": { "authentication" : { // ..rest of config here.. "authorizationServer": { // ..rest of config here.. "introspectionRequest": { // extra body to sent to the introspection request "extraBody": { "the-field-your-server-expectes-the-key-to-be-send": "the secret key" } } } } }
-
We are planning to use the middleware like this to achieve custom bearer authentication:
In this middleware, we will authenticate the incoming API requests against the JWT secret key, JWT Issuer and JWT Audience.
But what if we want to keep this bearer authentication for jsreport http API separate and Basic Authentication for the jsreport studio separate things? How to achieve this?
-
i am confused now, it seems that you just want to extend the existing authentication methods to support the Bearer + JWT secret key, JWT Issuer and JWT Audience
the
authorizationServer
options are needed when you have a specialized authorization server (like KeyCloak), but it seems to me that you don't have this (because you are looking to modify the jsreport middleware to support the Bearer)extending the existing authentication methods right now is not supported officially (there is no explicit api for that), but as you found you can likely make it work by using a middleware, i think you can put something like this in your middleware and it should be good.
jsreport.express.app.use('/api/report', (req, res, next) => { // check here if there is header with Bearer token, if not just call next // this will allow to keep supporting Basic authentication for the studio and http api if (!HAS_TOKEN) { return next() } if (AUTHENTICATION_PASS) { const user = { name: '<the name of a jsreport user related to this token'> } req.logIn(user, { session: false }, () => { req.context.user = user jsreport.logger.debug('API logging in user ' + user.name) next() }) } else { // in case of invalid authentication const authorizationError = jsreport.createError('Unauthorized', { statusCode: 401, code: 'UNAUTHORIZED', authorizationMessage: 'Unauthorized' // or a custom message if you like }) next(authorizationError) } })
if this works, be aware that this might just stop working in some future version if we see the need to change something in the internals of how the authentication works for us.
but i am opening issue to discuss adding api to extend authentication methods more easily and officially supported, subscribe there for updates when that happens.
-
For our existing microservices, we have implemented an auth guard/middleware and authenticated the incoming HTTP requests like this:
In your previous response, you said that the workaround for extending the existing authentication to support the Bearer might stop working in future versions.
If not this approach then how can we achieve the authentication with the parameters we have? If this can be achieved using jsreport.config.json then can you please elaborate in detail?
We want to have this Bearer authentication uniform across all our microservices including jsreport HTTP API. Our target is to achieve this Bearer authentication first. After this we will work on the jsreport studio authentication.
-
In your previous response, you said that the workaround for extending the existing authentication to support the Bearer might stop working in future versions.
If not this approach then how can we achieve the authentication with the parameters we have?
If this can be achieved using jsreport.config.json then can you please elaborate in detail?it can not be done with jsreport options right now, you will need to add this new bearer validation with the middleware we were talking about in the previous comment.
in the future if we change something about authentication and the workaround you are going to use with the middleware breaks it is likely there is going to be a migration available, likely in the future you will need to move the logic you create in the middleware and put it in the new api and that should be all needed.
-
Thanks! We will check this and update you.