How to pass token in Authorization header and skip Integration server authentication and invoke the flow service. Currently facing Error: Integration Server rejected the request to access this resource

webMethods: I am working on webMethods version 10.x. An external application wants to pass the JWT token under the Authorization header, but webMethods Integration Server rejects the request before invoking the service. Is there any possibility? How to pass a token in the Authorization header, skip Integration Server authentication and invoke the flow service? Currently facing Error: Integration Server rejected the request to access this resource.

When it is passed through a custom header it works, but the external application wants to pass the token only in the Authorization header.

Please help with any possibility and provide any steps to achieve this.

Thanks in Advance.

Did you reconfigure ACLs for the service you are invoking? From webMethods or any other backend server’s perspective, it doesn’t really matter where you pass the token or how you authorize. If you want to bypass Integration Server’s basic authentication, check the document below for details. You need to edit the Execute ACL so that it will allow unauthorized requests to that endpoint.

https://documentation.softwareag.com/webmethods/integration_server/pie10-15/webhelp/pie-webhelp/index.html#page/pie-webhelp%2Fto-authentication_and_authorization_3.html%23

1 Like

If your requirement is to skip the IS authentication straight away, then follow the step recommended by @engin_arlak.

If your question is how to not change your Integration Server authentication strategies and make your request succeed, follow the approach which you already did, as below.

  1. Authenticate your request first with Integration Server authentication credentials.
  2. Receive external service credentials in custom header from source and pass the same from IS to the external destination in the authorization header on behalf of the source.

The ACL set on the service is Anonymous. But Integration Server still authenticates and throws the below error before invoking the required service.

Integration Server rejected the request to access this resource

What about the port you are using? Is it set to deny by default?

Hi @vankayala_madhavi

This makes sense since Authentication happens before Authorization. Please note that IS does have the ability to validate a JWT if that is a path you want to take. Refer to Configuring Integration Server to Use JWT.
If you have a service with an anonymous execute ACL, you could also try not passing any credentials/header to invoke it.

Linking to a similar discussion from a couple of years ago. You might find this interesting.

-NP

2 Likes

Can’t be done.

As noted in the thread shared by @Nagendra_Prasad if the Authorization header is present, it must represent a valid user that IS knows about. Even if the service execute ACL is anonymous, IS will validate the Authorization data. If invalid/unknown, the call is rejected.

Naturally because there is no authentication being performed. The custom header is a meaningless/unused element for IS.

What is it that your IS component that they are calling needs them to send, if anything, for authentication? If your component does not need the caller to be authenticated/authorized for the service they are calling, then they need to NOT send the Authorization header. If the need is to pass the Authorization header through to another non-IS component, I’m not sure if that can be done without also defining in IS so that it can verify.

1 Like

Yes, we need to receive this token. The token is a combination of account details, so we need to extract a few details from the JWT token. And the sender system is exchanging the data with many other systems, so they cannot have special code for sending it in the custom header.

In this case, refer to the URL shared by @Nagendra_Prasad to configure IS to use/validate JWT.
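
What validating the bearer token before reading account details from it involves, as an added example that is not part of the original thread and is not Integration Server's own implementation. It assumes an HS256 token signed with a shared secret and a required `exp` claim; `claims_from_authorization`, `make_token`, `SECRET` and the sample claims are hypothetical names and constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: key shared with the token issuer

def b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    # Builds a constructed sample token so the example runs offline.
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def claims_from_authorization(header_value: str, secret: bytes, now=None) -> dict:
    """Return verified claims from a 'Bearer <jwt>' header value, else raise ValueError."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("not a Bearer JWT")
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    # Pin the algorithm on the receiving side; the token must not choose it ("none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to parse and use.
    claims = json.loads(b64url_decode(body))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing exp")
    if exp <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    tok = make_token({"sub": "acct-1001", "exp": int(time.time()) + 300}, SECRET)
    print(claims_from_authorization("Bearer " + tok, SECRET))
```

Reading the payload segment without the signature and expiry checks would let any caller supply arbitrary account details.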

To skip Integration Server authentication and invoke a flow service with a token, set the Authorization header with the token and review security policies for access permission.
