I have created an REST API using xpages and this database is having Anonymous "Author Access". also OAuth Setup on the Azure. So the API consumer will use OAuth Url,client id,client secret and generate the Azure OAuth Token and call the public Xpages API Endpoint as shown below.
Like, I get the bearer access token and verify the azure token using Azure Discoverykeys URL.Is there another way i can protect this API using Azure API gateway or OAuth. Please note: this is server to server authentication and no user interaction is available.
<xe:restService pathInfo="locationupload">
<xe:this.service>
<xe:customRestService>
<xe:this.doPost><![CDATA[#{javascript:try {
var azureDiscoveryKeys="https://login.microsoftonline.com/tenentID/discovery/v2.0/keys";
var token="Zdl09gMtY3KGHVyQ7UNmoWUJl3DAm7XG9af3zU8Bgb-1gwjfaAvgeobTA";
var provider = new UrlJwkProvider(new URL(azureDiscoveryKeys));
var jwt = JWT.decode(token);
var jwk = provider.get(jwt.getKeyId());
var publicKey = (RSAPublicKey) jwk.getPublicKey();
var alg = Algorithm.RSA256(publicKey, null);
var verifier = JWT.require(alg).build();
verifier.verify(token);
System.out.println("Token is Valid");
}catch(JWTVerificationException ex) {
System.out.println(ex.getMessage());
} catch(JwkException ex) {
System.out.println(ex.getMessage());
} catch(MalformedURLException ex) {
System.out.println(ex.getMessage());
} catch(Exception e) {
e.printStackTrace();
}}]]></xe:this.doPost>
</xe:customRestService>
</xe:this.service>
</xe:restService>
Domino 12.0.2 can be configured to accept JWT token. Once configured your server needs to obtain the JWT from Azure and send it as Authorization Bearer header. Same applies to the Domino REST API.
A service provider (SP) doesn’t care how an access token is generated, so you probably don’t need an OAUTH dance, just Azure to Mixing a JWT
Just make sure, database has no anonymous access, so Domino handles the JWT check.