Authentication for the Cloud Administration REST APIs

Document created by RSA Information Design and Development on Sep 14, 2018. Last modified by RSA Information Design and Development on Nov 16, 2018.
Version 3

Clients calling the Administration Event Log API or the User Event Log API must authenticate by presenting a JSON Web Token (JWT). Each request must carry a valid JWT in the HTTP Authorization header, as shown in this example:

Authorization: Bearer <JWT token>

Obtaining the API Key

The JWT is signed using an Administration API key. The Super Admin uses the Cloud Administration Console to generate the key, as described in Manage the Cloud Administration REST API Keys. Obtain this key from your Super Admin.

JSON Web Token (JWT)

The JWT consists of three parts:

  • JWT header
  • JWT claims
  • JWT signature

JWT Header

The type (typ) must be set to JWT and the algorithm (alg) must be RS256, which is used to sign the token. Any other value is not supported and the request fails with an HTTP 403 Authorization error.

{
  "typ": "JWT",
  "alg": "RS256"
}

JWT Claims

The following table lists the standard JWT claims that must be present for authentication. All other claims are ignored.

                           
ClaimValue
sub Access ID value of Administration API key.
iatThe time when the JWT was created, specified in Unix Epoch time. Value must not be more than one hour in the past. The token must not be expired. A clock skew of plus or minus (+/-) 60 seconds is allowed.
exp Expiration time, in Unix Epoch time. Expiration time must not be in the past, and must not be more than one hour into the future. A clock skew of plus or minus (+/-) 60 seconds is allowed.
audAudience of the claim. Value must be the Log Events Base REST API URL.

The following example shows a sample JWT claims set.

{
  "sub": "139f6495-e447-4a26-a765-5c01b6b152d5",
  "iat": "1526273000",
  "exp": "1526273493",
  "aud": "https://access.securid.com/AdminInterface/restapi"
}

JWT Signature

The JWT must be signed with the RS256 algorithm using the API Access Key, that is, the private key belonging to the Administration API key whose Access ID appears in the sub claim.

Token Expiration

Tokens must expire one hour (or less) after they are issued; otherwise the request is rejected.
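The following Go program is an added example, not code from RSA or from this page, that puts the header, claims, signature and expiration rules above together: MintToken produces the header.claims.signature token a client sends in the Authorization header, and VerifyToken applies the acceptance rules from the claims table (exact typ/alg, RS256 signature, the one-hour iat/exp windows with 60 seconds of skew, and the audience match) the way a relying party would. It assumes an RSA key generated on the spot in place of the Access Key obtained from the Super Admin, and it emits iat and exp as JSON numbers (RFC 7519 NumericDate) while the sample claims set on this page shows them as quoted strings; confirm which form the server accepts.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Limits stated in the documentation: one-hour lifetime, +/- 60 seconds of clock skew.
const (
	MaxLifetime = time.Hour
	AllowedSkew = 60 * time.Second
)

// Claims holds the four claims the API requires. iat and exp are emitted as numbers
// (RFC 7519 NumericDate); the page's sample shows quoted strings (assumption, see lead-in).
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken builds header.claims.signature, signed with RS256
// (RSASSA-PKCS1-v1_5 over SHA-256) using the API key's private key.
func MintToken(priv *rsa.PrivateKey, accessID, audience string, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime <= 0 || lifetime > MaxLifetime {
		return "", errors.New("token lifetime must be positive and at most one hour")
	}
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	claims, _ := json.Marshal(Claims{Sub: accessID, Iat: now.Unix(), Exp: now.Add(lifetime).Unix(), Aud: audience})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyToken applies the server-side rules from the page: exact typ/alg,
// a valid RS256 signature, the iat/exp windows with skew, and the audience match.
func VerifyToken(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have exactly three parts")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Typ string `json:"typ"`
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Typ != "JWT" || header.Alg != "RS256" {
		return nil, errors.New("unsupported typ or alg (only JWT/RS256 is accepted)")
	}
	// Check the signature before trusting anything in the claims.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	iat, exp := time.Unix(c.Iat, 0), time.Unix(c.Exp, 0)
	switch {
	case iat.After(now.Add(AllowedSkew)):
		return nil, errors.New("iat is in the future")
	case now.Sub(iat) > MaxLifetime+AllowedSkew:
		return nil, errors.New("iat is more than one hour in the past")
	case exp.Before(now.Add(-AllowedSkew)):
		return nil, errors.New("token has expired")
	case exp.Sub(now) > MaxLifetime+AllowedSkew:
		return nil, errors.New("exp is more than one hour in the future")
	case exp.Sub(iat) > MaxLifetime:
		return nil, errors.New("token lifetime exceeds one hour")
	case c.Aud != expectedAud:
		return nil, errors.New("aud does not match the Log Events Base REST API URL")
	}
	return &c, nil
}

func main() {
	// Constructed key for the demonstration; a real client loads the Access Key instead.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	aud := "https://access.securid.com/AdminInterface/restapi"
	tok, err := MintToken(priv, "139f6495-e447-4a26-a765-5c01b6b152d5", aud, time.Now(), 10*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("Authorization: Bearer " + tok)
	if _, err := VerifyToken(&priv.PublicKey, tok, aud, time.Now()); err != nil {
		panic(err)
	}
	fmt.Println("token accepted")
}
```

The signature is verified before the claims are parsed, so a token whose claims have been altered never reaches the window checks, and the typ/alg check is an exact string comparison rather than a case-insensitive or prefix match, matching the page's rule that any other value yields a 403.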
