How to map JWT token to specific REST service in webMethods IS

Hello Community
I am trying to explore & learn JWT configuration in webMethods IS. Looking at AG documentation, I was able to configure and generate JWT token using built-in jwt specific services.

Following is high level sequence of steps I performed:

  1. I configured Trusted Issuer in IS
  2. I mapped issuer to corresponding TrustStore , KeyStore and Certificate alias etc
  3. I did set Audience = “http://localhost:5555/restv2/” in Global Claim Settings section
  4. I generated JWT token using built-in service by specifying appropriate params

After performing above steps, I tried to invoke a REST service hosted on IS (actually a flow service exposed as REST) by using PostmanUI (specified JWT token as bearer token) and the JWT authentication took place successfully in IS.

However I am not sure how I can map a specific JWT token to any specific REST resource. For example if I have 2 different REST services hosted in IS and I want to use two different JWT tokens (one jwt token for each REST service) then how can I do that in webMethdos IS?

I know in case of OAuth token, we can achieve this by using different scopes for different services but I am not sure how we can map different JWT tokens to different REST services in IS?

Can some one in community please comment/guide me on this one? Can we map different JWT tokens to different services in IS?


If I understand correctly, you are looking to restrict access for a service/set of services for a particular user or a subject in a claim. A JWT token cannot be mapped to a particular service.

As an alternative, you could try defining a new ACL. Then create a group and link it to the ACL. Connect the ACL to a service by setting executeACL of a service to this new ACL.
Any user present in this group would have access to those folder/set of services. This user can be the sub claim in the JWT that you have generated.

Hope this makes sense to your use case, if not do reach out.


1 Like

Thanks Nagendra. Your suggestion sounds practical. I’ll try it out and revert with my findings

Sure, there are differences between the way OAuth and JWT works, getting the exact pattern might not be always possible and the security implications will be different too.
Best to evaluate and proceed.


This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.