restoauthjwtxpageslotus-domino

Issue with Anonymous access and 'Authorization' header on HCL Domino 12


There is a database which has anonymous access "Editor". Anonymous users can access one of the XPages REST API with "Authorization" header. This will have JWT token in the request header as mentioned below.

enter image description here

I read this Token on the server side and process. Recently we have upgraded our servers to Domino 12.0.1 from Domino 10 version. This API is not working and giving the login screen when we have "Authorization" Header. The anonymous access is not working for this page. If we remove the "Authorization" header from request, then anonymous access works.

I have checked the Domino configuration and not able to figure out why login screen coming. Some setting is checking the "Authorization" header and asking for login even though the anonymous access is "Editor".

I want to access this REST Api without login screen and should accept the "Authorization".


Solution

  • Domino 12 has native support for JTW authentication using an OIDC provider.

    This means that the Authorization header is natively handled by the Domino 12 HTTP stack so that you (unfortunately) can not access the Authorization header in your custom code.

    I suggest that you vote for this idea: https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-2405.