Authenticate against the 1E Platform and obtain a token

This page describes the interactive authentication and code samples that can be adapted by the customer while writing their own integration software.

It should also be understood that these pages will use {apiRoot} symbol for the Root of the Portal (not Consumer) API, as it is Portal API that deals with authentication requests. The root of that API will look like https://your.tachyon.server/Tachyon/api (for 9.X and 23.X) or https://your.tachyon.server/api for versions 24.1 and later. (note the word “Tachyon” is missing in 24.1 and later versions). It is assumed that the code contained on these pages will be adapted by configuring the {apiRoot} correctly and that any other configuration (like JWT certificates and user mapping) have also been carried out.

Authentication via IdP’s web page

Interactive authentication is performed via the IdP’s web page and requires username/password and few other steps to complete the authentication. This mode of authentication is the best option for the applications having a UI that allows the user to navigate to IdP’s page and where explicit authentication is not an issue.

Authentication using a JWT

Non-interactive authentication using JWT is performed in-code and does not require any usernames or passwords. This authentication mode can be used for applications where UI cannot display IdP’s login page or where such display would be an issue. It can also be used for service accounts or to group all (or some) users of an application behind a single (or several) accounts in the 1E Platform without having a one-to-one mapping between an IdP user and a 1E Platform principal.

Implementing interactive authentication

This page describes how to perform interactive authentication against the 1E Platform and your IdP in order to obtain a token.

How it works

Authentication process requires a secret (as explained in the later steps) to be created and has the following steps:

Initial request for authentication is made to the 1E Platform that returns state and a URL that needs to be called in order to perform authentication with the IdP
Visit the URL provided in the previous step and perform the required authentication
Poll for status change to establish in the background when the token is ready, or the process is failed
Upon successful authentication, retrieve the token

Before we begin

Authentication process requires a secret called a nonce. This is usually an array of random 32 bytes that should be created before the authentication process is started.

Once you have the array, you need to create two things:

A URL-safe Base64 encoded of the nonce. Let’s call this BASEDNONCE
A URL-safe Base64 encoded SHA256 of the nonce (you need to obtain SHA256 of the nonce and then Base64 encode it). Let’s call this HASHEDNONCE

The original nonce is not used afterwards and only those two values, BASEDNONCE and HASHEDNONCE are used.

It is strongly advised that nonce is randomized each time a new request is made, as reusing a nonce decreases security of the authentication process.

Authentication request

Initial request should be made to {apiRoot}/Authentication/RequestAuthentication and this request should have a query string parameter called ecpn. You should put the HASHEDNONCE as the value of the parameter.

This means that the initial request will look something like this:

https://your.tachyon.server/api/Authentication/RequestAuthentication?ecpn=e0bebd22819993425814866b62701e2919ea26f1370499c1037b53b9d49c2c8a

and you will receive something like this from the API as a response:

{
	"AuthenticationUrl": "https://login.microsoftonline.com/06c15aaf-bd3b-4eac-aac9-ef6e9ce805b0/oauth2/v2.0/authorize?response_type=code&prompt=login&client_id=9858ac43-555e-4500-9ccd-bac33e1ddfba&state=5PVOGbg0lh_Juj5P9D7dLAAhkY4N-f4KgXJ8jgH88dQ.ZDQ2ZDQyNDNjMTM3ZGZhY2YzNzNmYzBhOGFmYmYzNTNiZDJjNzU4OGVjNTQ0YTY4NTdjYjExOTljNjFhMGE1Ng.in_yI295_1yUC-nvqdHgIS_-3gOVVj9G4SANupo8JCdWoqaHb7iqYsPEJvqEKa0EzrualgWociVuL63HttqbN79bgy_ZRHXO3-EYBwn_JE6dvIckpOBkAKQghdMyCn4ctidAhnkIF0IER8pHI4aNuMVRa4_um7KILM4GwW36luVOEgP_3xpGrofgKp_dDHYFuJq6a216qok65_vGK_fzc6sES9pcau9axE-1DWZ2a_JTwXZy0K3xx38hx4oxSfb5cnFn-e1A0hP06In4dWImF6t_6Lawc06-Ya84vPUmg2SR45NwudUJamHdjsC_G_rqWIWi98aIOEqjJGJDZvOGNg&scope=openid&redirect_uri=https://your.tachyon.server:443/Portal/api/Authentication/IdentityProviderRedirect&code_challenge=h1oqLd3TmMmk82j_O72FIZWN_4vKFN9mEDXndQpLAdw&code_challenge_method=S256",
	"State": "5PVOGbg0lh_Juj5P9D7dLAAhkY4N-f4KgXJ8jgH88dQ.ZDQ2ZDQyNDNjMTM3ZGZhY2YzNzNmYzBhOGFmYmYzNTNiZDJjNzU4OGVjNTQ0YTY4NTdjYjExOTljNjFhMGE1Ng.in_yI295_1yUC-nvqdHgIS_-3gOVVj9G4SANupo8JCdWoqaHb7iqYsPEJvqEKa0EzrualgWociVuL63HttqbN79bgy_ZRHXO3-EYBwn_JE6dvIckpOBkAKQghdMyCn4ctidAhnkIF0IER8pHI4aNuMVRa4_um7KILM4GwW36luVOEgP_3xpGrofgKp_dDHYFuJq6a216qok65_vGK_fzc6sES9pcau9axE-1DWZ2a_JTwXZy0K3xx38hx4oxSfb5cnFn-e1A0hP06In4dWImF6t_6Lawc06-Ya84vPUmg2SR45NwudUJamHdjsC_G_rqWIWi98aIOEqjJGJDZvOGNg"
}

Examining the response to initial authentication request

The response you received contains two properties.

First is the authentication URL. You should take this URL and using your web browser, navigate to display the IdP login page.
Second property is called State. This identifies your request and you will need this to check what is happening with your request and to retrieve the token.

Authenticating against the IdP

Authentication against your IdP has to be done outside the bounds of the 1E Platform, as the IdP is an independent system. You can handle it however you like, but the process must be completed successfully in order for the authentication process to complete. As the IdP will call 1E Platform when you have successfully authenticated. If that call never comes, the token will not be issued.

Checking the status of your authentication request

After the authentication process has been initiated, you should start polling to check if it has completed.

You do that by calling GET on {apiRoot}/Authentication/CheckAuthenticationState while providing a payload with the state you have received in the response to the authentication request:

{
    "State" : "5PVOGbg0lh_Juj5P9D7dLAAhkY4N-f4KgXJ8jgH88dQ.ZDQ2ZDQyNDNjMTM3ZGZhY2YzNzNmYzBhOGFmYmYzNTNiZDJjNzU4OGVjNTQ0YTY4NTdjYjExOTljNjFhMGE1Ng.in_yI295_1yUC-nvqdHgIS_-3gOVVj9G4SANupo8JCdWoqaHb7iqYsPEJvqEKa0EzrualgWociVuL63HttqbN79bgy_ZRHXO3-EYBwn_JE6dvIckpOBkAKQghdMyCn4ctidAhnkIF0IER8pHI4aNuMVRa4_um7KILM4GwW36luVOEgP_3xpGrofgKp_dDHYFuJq6a216qok65_vGK_fzc6sES9pcau9axE-1DWZ2a_JTwXZy0K3xx38hx4oxSfb5cnFn-e1A0hP06In4dWImF6t_6Lawc06-Ya84vPUmg2SR45NwudUJamHdjsC_G_rqWIWi98aIOEqjJGJDZvOGNg"
}

Warning

Do not provide any other data with these requests. Specifically, do not provide BASEDNONCE as seen in the next paragraph. You can only attempt token retrieval once. If you don't do it correctly you will not be able to retrieve the token again and you will have to start the authentication process again.

The API will respond with following data:

{
  "Status":"AuthenticationRequested",
  "Data":""
}

The status can be one of following values:

AuthenticationRequested - means the authentication is still in progress but it hasn’t finished yet. Token isn’t ready and you should keep pooling
AuthenticationResultNotAvailable - this means this authentication attempt has failed and you will not be able to retrieve the token. You have to start a new authentication process. The system does not return a specific reason on purpose as a security measure
AuthenticationSuccessful - means the authentication has been successful and the token can be retrieved

Retrieving the token

Token is retrieved via the same endpoint you used to check the authentication state, but you have to also provide BASEDNONCE:

{
    "State" : "5PVOGbg0lh_Juj5P9D7dLAAhkY4N-f4KgXJ8jgH88dQ.ZDQ2ZDQyNDNjMTM3ZGZhY2YzNzNmYzBhOGFmYmYzNTNiZDJjNzU4OGVjNTQ0YTY4NTdjYjExOTljNjFhMGE1Ng.in_yI295_1yUC-nvqdHgIS_-3gOVVj9G4SANupo8JCdWoqaHb7iqYsPEJvqEKa0EzrualgWociVuL63HttqbN79bgy_ZRHXO3-EYBwn_JE6dvIckpOBkAKQghdMyCn4ctidAhnkIF0IER8pHI4aNuMVRa4_um7KILM4GwW36luVOEgP_3xpGrofgKp_dDHYFuJq6a216qok65_vGK_fzc6sES9pcau9axE-1DWZ2a_JTwXZy0K3xx38hx4oxSfb5cnFn-e1A0hP06In4dWImF6t_6Lawc06-Ya84vPUmg2SR45NwudUJamHdjsC_G_rqWIWi98aIOEqjJGJDZvOGNg"
    "Nonce": "your BASEDNONCE goes here"
}

If the data you have provided is correct you will receive the token:

{
  "Status":"AuthenticationSuccessful",
  "Data":"your token will be here"
}

Warning

You have only one attempt to retrieve the token. This means that for given state (for given request) the system will allow you to make precisely ONE call to {apiRoot}/Authentication/CheckAuthenticationState where your provide both State and Nonce. If you provide wrong data or make the call too early, you will not be able to retrieve the token and you will have to start a new authentication request.

What if something goes wrong?

Every API call response should be examined for errors. In most cases you will receive standard 1E Platform errors (see Handling errors returned by Tachyon for more details), but there might be situations where something else is returned.

Consumer SDK support

Currently Consumer SDK does not support authentication and you have to write you own code. We’re providing examples to help you with that.

Implementing interactive authentication - C# example

This page contains a code example written in C# that demonstrates interactive authentication. This code sample should be adapted by the customer when writing their own integration software.

Note

Any code given is without any warranty and is meant only for demonstration and is not production ready code. This means that the code has brevity omitted things like error and exception handling.

Expand for C# example

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

namespace InteractiveAuthenticationClient
{
    public class Program
    {
        private const string ApiRoot = "https://your.tachyon.server.address/api/";
        private const string RequestAuthenticationEndpoint = "Authentication/RequestAuthentication?ecpn={0}";
        private const string CheckAuthenticationStateEndpoint = "Authentication/CheckAuthenticationState";
        
        static void Main(string[] args)
        {
            Console.WriteLine("Creating authentication nonce...");
            // Prepare nonce
            var nonce = CreateNonce(); // original nonce, never supplied to any api
            var basedNonce = ToUrlSafeBase64(nonce); // base64 encoded nonce, used when retrieving a token
            var hashedNonce = CreateSha256(nonce); // hash of the original nonce, never supplied to any api
            var basedHashedNonce = ToUrlSafeBase64(hashedNonce); // base64 encoded has of the nonce, to be supplied in the original authentication request
            using (var client = new HttpClient())
            {
                var endpoint = ApiRoot + string.Format(RequestAuthenticationEndpoint, basedHashedNonce);
                Console.WriteLine($"Calling {endpoint} to initiate authentication");
                AuthRequestResponse obj = Get<AuthRequestResponse>(client, endpoint);
                if (obj != null)
                {
                    if (!string.IsNullOrEmpty(obj.AuthenticationUrl))
                    {
                        Console.WriteLine($"Received authentication URL {obj.AuthenticationUrl} and state {obj.State}. Opening web browser for the user to complete authentication process.");
                        OpenBrowser(obj.AuthenticationUrl);
                        string token = LoopForToken(obj.State, basedNonce);
                        if (token != null)
                        {
                            Console.WriteLine($"Token retrieved: {token}");
                        }
                        else
                        {
                            Console.WriteLine("Token could not be retrieved. Please try again.");
                        }
                    }
                }
            }
        }

        private static string LoopForToken(string objState, string basedNonce)
        {
            var continueLoop = true;
            string retVal = null;
            var endpoint = ApiRoot + CheckAuthenticationStateEndpoint;
            using (var client = new HttpClient())
            {
                while (continueLoop)
                {
                    var payload = new AuthenticationCheckRequestPayload
                    {
                        State = objState
                    };
                    var result = Post<AuthenticationEvent, AuthenticationCheckRequestPayload>(client, payload, endpoint);
                    if (result != null)
                    {
                        switch (result.Status)
                        {
                            case "AuthenticationResultNotAvailable":
                            {
                                // There's an issue with the request. Either the state is incorrect or you tried to retrieve the token incorrectly or it already has been redeemed.
                                // You will need to initiate new authentication request as you cannot continue with this one.
                                Console.WriteLine("Something went wrong during the authentication process. Please start a new authentication process.");
                                continueLoop = false;
                                break;
                            }
                            case "AuthenticationRequested":
                            {
                                Console.WriteLine("Authentication process is still in progress. Will try again in a few seconds.");
                                Thread.Sleep(2000);
                                // Authentication request is still being processed.
                                break;
                            }
                            case "AuthenticationSuccessful":
                            {
                                Console.WriteLine("Authentication process has finished. Retrieving token...");
                                // Authentication has been successful and token can be retrieved.
                                var payload2 = new AuthenticationCheckRequestPayload
                                {
                                    State = objState,
                                    Nonce = basedNonce
                                };
                                var result2 = Post<AuthenticationEvent, AuthenticationCheckRequestPayload>(client, payload2, endpoint);
                                if (result2 != null)
                                {
                                    retVal = result2.Data;
                                }
                                else
                                {
                                    Console.WriteLine("Failed to retrieve token.");
                                }

                                continueLoop = false;
                                break;
                            }
                        }
                    }
                    else
                    {
                        Console.WriteLine("Call to retrieve authentication request has failed.");
                        continueLoop = false;
                    }
                }
            }

            return retVal;
        }

        private static byte[] CreateSha256(byte[] buffer)
        {
            using (var sha256 = new SHA256CryptoServiceProvider())
            {
                return sha256.ComputeHash(buffer);
            }
        }

        private static byte[] CreateNonce()
        {
            byte[] nonce = new byte[32];
            Random rand = new Random();
            rand.NextBytes(nonce);
            return nonce;
        }

        private static string ToUrlSafeBase64(byte[] arg)
        {
            var Base64PadCharacter = '=';
            var Base64Character62 = '+';
            var Base64Character63 = '/';
            var Base64UrlCharacter62 = '-';
            var Base64UrlCharacter63 = '_';

            var s = Convert.ToBase64String(arg);
            s = s.Split(Base64PadCharacter)[0]; // RemoveAccount any trailing padding
            s = s.Replace(Base64Character62, Base64UrlCharacter62); // 62nd char of encoding
            s = s.Replace(Base64Character63, Base64UrlCharacter63); // 63rd char of encoding

            return s;
        }

        public static void OpenBrowser(string url)
        {
            try
            {
                Process.Start(url);
            }
            catch
            {
                // hack because of this: https://github.com/dotnet/corefx/issues/10361
                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                {
                    url = url.Replace("&", "^&");
                    Process.Start(new ProcessStartInfo("cmd", $"/c start {url}") { CreateNoWindow = true });
                }
                else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
                {
                    Process.Start("xdg-open", url);
                }
                else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
                {
                    Process.Start("open", url);
                }
                else
                {
                    throw;
                }
            }
        }

        private static T Get<T>(HttpClient client, string url)
        {
            var result = client.GetAsync(url).Result;
            if (result.IsSuccessStatusCode)
            {
                var data = result.Content.ReadAsStringAsync().Result;
                if (!string.IsNullOrEmpty(data))
                {
                    T obj = JsonSerializer.Deserialize<T>(data);
                    if (obj != null)
                    {
                        return obj;
                    }
                }
            }

            return default;
        }

        private static TOut Post<TOut, TIn>(HttpClient client, TIn payload, string url)
        {
            var stream = new MemoryStream();
            JsonSerializer.Serialize(stream, payload);
            stream.Seek(0, SeekOrigin.Begin);
            var reader = new StreamReader(stream);
            var serializedPayload = reader.ReadToEnd();
            reader.Close();
            stream.Close();
            var content = new StringContent(serializedPayload, Encoding.UTF8, "application/json");
            var result = client.PostAsync(url, content).Result;
            if (result.IsSuccessStatusCode)
            {
                var data = result.Content.ReadAsStringAsync().Result;
                if (!string.IsNullOrEmpty(data))
                {
                    TOut obj = JsonSerializer.Deserialize<TOut>(data);
                    if (obj != null)
                    {
                        return obj;
                    }
                }
            }

            return default;
        }

        private static string Post<TIn>(HttpClient client, TIn payload, string url)
        {
            var stream = new MemoryStream();
            JsonSerializer.Serialize(stream, payload);
            stream.Seek(0, SeekOrigin.Begin);
            var reader = new StreamReader(stream);
            var serializedPayload = reader.ReadToEnd();
            reader.Close();
            stream.Close();
            var content = new StringContent(serializedPayload, Encoding.UTF8, "application/json");
            var result = client.PostAsync(url, content).Result;
            if (result.IsSuccessStatusCode)
            {
                return result.Content.ReadAsStringAsync().Result;
            }

            return default;
        }

        private class AuthRequestResponse
        {
            public string AuthenticationUrl { get; set; }
            public string State { get; set; }
        }

        private class AuthenticationCheckRequestPayload
        {
            public string State { get; set; }
            public string? Nonce { get; set; }
        }

        private class AuthenticationEvent
        {
            public string Status { get; set; }

            public string Data { get; set; }
        }
    }
}

Implementing non-interactive (JWT) authentication

This type of authentication is useful for external applications created by systems integrators that need to interact with various platform components without using interactive browser-based authentication.

How it works

Authentication is performed based on having access to the private key of a certificate. This can be a self-signed certificate; it does not need to be issued by a trusted Certification Authority. The trust is managed by uploading the public key of the certificate to the Identity Provider you are using. The private key needs to be accessible to the local application that wants to communicate with the Platform.

In the diagram below, you can see at the left-hand side how the private key of the certificate is available to the External Integration subsystem (the application that wants to call the Platform APIs) while at the right-hand side the public key is available to the Identity Provider (abbreviated as IdP in the following text).

In an IdP such as Azure Active Directory, the association of the private key to the IdP is configured by the intermediation of something called a “Registered application” which allows for configuration of an item at the IdP where you assign permissions for external applications.

When the External integration subsystem wants to connect to the Platform, the flow of information is as follows:

The External integration subsystem generates a JWT. This is a string of text that encodes the identity of the user and is cryptographically signed. The signature is done with the private key of the certificate.
The JWT is sent to an endpoint in the Platform.
The platform verifies the JWT locally and only when it is satisfied with local verification it sends the JWT to the IdP, which is able to verify the signature thanks to the public key of the certificate.
If the IdP is able to verify that the signature is correct, it notifies the Platform.
In the next step, the Platform generates a token and returns it to the integration subsystem.

The Tachyon Token has a limited lifetime. If it is used after its expiration, the API will return a 401 (Access Denied) status to the caller. Contrary to an interactive login, the tokens acquired through the non-interactive process cannot be refreshed. This means that the caller will need to repeat all the previous steps to acquire a new Tachyon Token and then retry the operation using the new token.

Because you are using essentially a certificate to authenticate, the system cannot automatically determine who is authenticating, only that the have a valid “key” (certificate) and supplied correct data.

In order to determine which user is being authenticated, each certificate is mapped to either a specific user or a number of users (via explicit mappings or a wildcard-style mapping). This means that if you plan on authenticating multiple users via JWTs, you have the flexibility of using either one or multiple certificates.

Configuration

Prior to using this feature, your Platform installation must be configured correctly in order for JWT authentication to work.

While creation of a certificate and installing it inside your IdP is outside the bounds of this article and will depend somewhat on your IdP, as steps for Azure will be different to those for OKTA, we’d like to outline general modus operandi.

You will need a certificate that you can use with your IdP, be that a self-signed certificate or one obtained from a trusted source. As mentioned above, if you are planning on authenticating multiple users, please consider whether you wish to use multiple certificates or not.

Any certificates you wish to use need to be installed in your IdP and the application you wish to use for authentication has to have access to those certificates in order for the IdP to be able to validate incoming requests.

Your organisation may have already pre-configured an authentication application which they wish to use for certificate authentication. In this case, you will access the application whose Client Id has been specified, and ensure that certificates have been associated with that application.

Alternatively you may wish to create a new authentication application that is to be used for exclusively certificate authentication.

In either case, you must ensure that the Platform’s tenant configuration has the ‘clientassertionappid’ member set to the client Id of the authentication application you wish to use and that any certificates you want to use are associated with the application and that the application has access to those certificates.

When you authenticate using a certificate, you will be mapped to a Principal. That Principal’s permissions will then control your rights on the Tachyon Platform.

Certificate mapping is set up using the Tachyon PowerShell toolkit to add mapping entries. Each mapping entry associates a certificate with a desired principal.

You can also set up ‘wildcard’ mappings, which allow a certificate to map to any Principal. This is a privileged operation and should be used with caution, as it allows the certificate owner to operate as any platform Principal.

Alternatively you can map the same certificate multiple times, each time to a different Principal. This allows the certificate owner to request access as any of the mapped Principals. This can be useful if you want the same certificate to be useable in different user contexts.

The process is explained in detail here ADD LINK

Authentication steps

A JWT has a header and a body. The header and body are encoded in base 64 separately and combined using a period (.) to create a representation suitable for placing in a request header.When signed, the signature (which signs the header plus the body as a whole) is appended as a third chunk of base 64, again separated by a period. This means that a proper JWT request has three parts separated by '.' characters like so: header.body.signature.

Internally, these pieces are encoded as a JSON object. If you were to generate them as classes in C# they would look like this:

header = new JwtHeader()
              {
                  alg = "RS256",
                  typ = "JWT",
                  x5t = thumbprint,
                  kid = thumbprint
              };
body = new JwtBody()
              {
                  aud = clientAssertionAudience,
                  exp = ((DateTimeOffset)DateTime.UtcNow + TimeSpan.FromSeconds(3600)).ToUnixTimeSeconds().ToString(),
                  iss = clientAssertionIssuer,
                  sub = clientAssertionSubject,
                  jti = Guid.NewGuid().ToString()
              };

The header members x5t and kid are typically set to the base64-encoded thumbprint of the certificate used to sign the JWT. This allows the receiving identity provider to know which certificate to use when validating the JWT. The Platform will accept any arbitrary value for the kid without requiring it to match the thumbprint of the certificate. This “kid” value is the one you will map to a Principal in Tachyon using the KidToUpnMapping table.

The body members are as follows:

aud - Audience - this is usually set to the URL of the IdP's token issuing endpoint.
exp - Expiry - expiration timestamp for the JWT, defined in Unix Epoch seconds
iss - Issuer - this is usually set to the Application Id in the IdP that will handle the client assertion grant flow and validate the JWT.
sub - Subject - The subject is usually set to be the same as the issuer
jti - This is just a random GUID to make each JWT unique; good practice requires that it be set freshly each time a JWT is created
iat - Issued At - This timestamp allows potential validation that the JWT is no more than a short time period old, for additional security hardening.
Tachyon.upn - and body optional field (not shown in the example above) that allows you to specify which Principal you would like to authenticate as in cases where a single certificate can be used for multiple Principals.

Each of these members is known as a 'claim'. There is another reserved claim which is not included in this JWT and not required by IdPs normally. This is 'nbf' which is a timestamp before which the JWT is not valid.

The standard also allows custom claims to be added. There is a custom claim that we add if you want to be a specific principal (needed if the kid mappings allow it), which is Tachyon.upn. The code sample at the bottom mentions where to add it.

For the aud parameter, an external integration script can determine the IdP token issuing endpoint by making a GET request to the <server>/api/Authentication/MetadataEndpoint endpoint. This will return the openId metadata endpoint for the configured IdP. This endpoint is unsecured and allows any IdP consumer to determine all of the endpoints that the IdP supports - the token issuing endpoint will be among these. The integration script, having retrieved the metadata endpoint, queries this to in turn retrieve the token issuing endpoint it needs to fill in the JWT it is going to submit.

Once you have the JWT you should sign it using appropriate certificate. You can do that programmatically using whatever programming language of your choice. Here is an example for how you would do it using PowerShell:

function GetSignedClientAssertion($jwt, $certificate)
{
$jwtHdr = getJwtHdr (ToBase64Url $certificate.GetCertHash())
$jwtHdrJson = convertto-json $jwtHdr
$jwtHdrBytesEncoded = ToBase64UrlString $jwtHdrJson
 
$jwtJson = convertto-json $jwt
$jwtBytesEncoded = ToBase64urlString $jwtJson
 
$token = $jwtHdrBytesEncoded + "." + $jwtBytesEncoded 
return GetSignedAssertion $token $certificate
}

function GetSignedAssertion($assertion, $certificate)
{
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certificate)
$assertionBytes = [System.Text.Encoding]::UTF8.GetBytes($assertion)
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signature = $rsa.SignData($assertionbytes, "SHA256", $padding)
$signatureEncoded = ToBase64Url $signature
$signedClientAssertion = $assertion + "." + $signatureEncoded
return $signedClientAssertion
}

Remember that contrary to tokens obtained via interactive authentication, tokens obtained through JWT non-interactive authentication cannot be refreshed. Normally you will submit a JWT with an expiry time one hour into the future and you will receive a token with a lifetime of approximately one hour (this can be subject to variations depending on the IdP used and its settings).

Because the token you obtained using JWT cannot be refreshed, when it expires you need to repeat the cycle, generating a new JWT and resubmitting it to the RequestJwtAuthentication endpoint to acquire a new token.

Note

If you wrap token retrieval in a function that checks that the token is still valid, you can make this process transparent to the rest of your code, because then the retrieval function can automatically perform the request for a fresh token on behalf of your code.

Non-interactive authentication - Principal to certificate mapping

This page discusses how to manage certificate to principal mapping using the PowerShell Integration Toolkit.

About certificate to principal mapping

Platform-neutral authentication relies on certificates for external integration subsystems to authenticate to the 1E Platform. These certificates are used to sign Json Web Tokens (JWTs) which can then be verified by the IdP.

The 1E platform allows certificates to be mapped to Principals. A set of PowerShell cmdlets allows the user to set up and manage mapping entries.

Please note while you could use another language to perform this task as it is essentially all about sending right data to certain API endpoints, it is strongly advised to use Powershell toolkit published by 1E as it contains all the cmdlets required to perform these tasks.

Connecting to the platform

You cannot use certificate authentication to connect to the target platform until you have set up principal mappings. Consequently, to set these up you will connect to the target platform using interactive authentication. You will be prompted for credentials by the configured platform Identity Provider. These must correspond to a user in the platform with the appropriate privileges to manage mappings - typically, a full platform administrator.

To connect to the target platform, run the set-1eserver cmdlet from the PowerShell toolkit. You must first ensure that the toolkit is loaded. You need only do this once in a session.

Assuming you are in the folder into which the toolkit files were copied:

import-module .\ps1etoolkit.psd1 -force

Then connect to the platform server:

set-1Eserver <server name>

You can then run the cmdlets discussed below to set up certificate mappings. For example, auth4ui2.platformeng.cloud.1e.com You can then run the cmdlets discussed below to set up certificate mappings.

You use the get-1ecertificatethumbprint to list all certificates in a specified store. The ‘Kid’ property is the thumbprint represented in base-64 URL-safe encoding. You use this property to represent a certificate when setting up a mapping.

We can see here the certificate we want to set up a mapping for and its ‘Kid’ property.

If you are generating your own JWT tokens, you can use any arbitrary string for the ‘kid’ field. Although you would typically set it to match the certificate thumbprint, the 1E platform does not actually require this. When creating the mapping, use whatever value you are using for your kid field, regardless of whether it matches the certificate thumbprint or not.

Note

You must be authenticated as a principal with appropriate rights in order to perform these operations, typically Full Administrator.

You use the add-1ejwtprincipalmapping cmdlet to add a mapping. We map the certificate highlighted above to the principal Darth.Vader@corellianengineering.onmicrosoft.com.

Having set up this mapping, any time an external integration subsystem uses the above certificate to authenticate, it will retrieve a token for the above principal and have all the permissions that the principal has in the 1E platform environment.

Note

You cannot add groups as principals. You must add specific user principals. However a user principal need not be directly represented in the 1E platform RBAC system. If any group or groups of which the principal is a member exists in the platform’s RBAC database, then the permissions of the group or groups are applied.

RBAC checks are made when the signed JWT is presented for validation, not at the time of creating a mapping. Therefore, authentication may fail if the principal you have mapped to does not have rights in the platform’s RBAC either directly or via group membership, at the time of authentication.

Advanced principal mapping options

You can specify a wildcard principal name ( * ) instead of a specific principal. This will allow the external integration subsystem to specify what user principal it wishes to act as, when authenticating. It does this by adding a ‘Tachyon.upn’ member to the body of the JWT it submits.

Warning

Do not use this option in production environments. If the associated certificate were exfiltrated, it could be used to authenticate as any user on the platform. This is, however, a handy setting in lab environments as it lets you easily authenticate as any principal, non-interactively, which can be handy for test purposes.

Verifying mappings

You can use the 1E PowerShell toolkit to verify that your mappings are correctly set up. To do this, you need the application Id of the Identity Provider app configured to perform authentication and the subject of the signing certificate to be used. Your account on the endpoint on which you are running must have access to this certificate in the local machine certificate store, and it must have rights to retrieve the private key of this certificate.

Note

The application Id you require will be configured in the tenant’s configuration on the platform.

This is found either in the ClientAssertionAppId setting, or, if this is empty, the DirectoryAppId setting.

You should also be able to find this Id in your IdP as it will be the Id of the application you have configured for JWT authentication.

If you have set up a single mapping row to a fixed principal, then you can connect with the command:

set-1Eserver -AppId <appid> -Certsubject <cert subject>

You can add the optional parameter:

-informationaction continue

if you want to receive detailed logging information as the operation is performed.

If you have set up multiple mapping rows for the same certificate, associating it with multiple principals, then you can connect with the command:

set-1Eserver -AppId <appid> -Certsubject <cert subject> -Principal <principal>

Where <principal> corresponds to one of the principals you have set up in the mapping table.

You can view the returned token with:

get-1Eauthtoken -decode

Using a dedicated identity provider application for external integration

The installation process currently assumes that you will share the identity provider application that the platform uses for directory search operations, for external integration.

In some cases, you may prefer to set up a dedicated identity provider application for external integration. This allows to restrict the permissions of that application. If a consumer were to obtain an identity provider bearer token directly from the directory search application, that bearer token would allow the consumer to read users, profiles and groups.

If you wish to control these permissions, they can set up a third application in their identity provider. They do this exactly as they do for the directory search application, but they can then choose that this application has only the default permissions, or customise accordingly.

When a JWT is submitted to the 1E platform, the application identity to which it will be forwarded within the identity provider is checked against two settings in the tenant configuration.

Normally only one of these settings is configured. In the example below, the directoryappid setting corresponds to the application id which is used by the platform for directory searches. It will also be shared for external integration.

              "DirectoryAppId": "0c83091d-fc2f-40b5-8aca-940e4cf5f9b5",
              .........
              "ClientAssertionAppId": null,

When the JWT is submitted, the 1E platform confirms that the application id in the JWT matches the DirectoryAppId setting and then, if so, forwards the JWT to the identity provider for validation.

This check is made to prevent an attacker from submitting a JWT signed by an identity provider they control, instead of the expected identity provider.

If the platform did not verify the application Id, it would be possible to forward the JWT to an external attacker-controlled identity provider which would validate it, and then in turn the platform, believing the JWT to be valid, would return an internal token to the caller.

Specifying a dedicated identity provider application for external integration

To specify a separate application for external integration, you should set the ClientAssertionAppId member of the tenant’s configuration to the separate application Id.

That way the JWTs submitted to the platform are checked against this application Id. Only JWTs specifying the new application Id are then passed to the identity provider. A JWT which specifies the shared directoryappid value will now be rejected and cannot be used for external integration.

Note

It is strongly recommended that you set up a dedicated identity provider application if possible. Doing so means that the bearer token returned by this application has only minimal privileges.

If you share the directory search application for external integration, then the bearer token returned by the identity provider will have the rights to read your user and group information from the identity provider (although it will not be able to change this information).

An external caller who can negotiate the oAuth grant flow directly with the identity provider can therefore obtain this bearer token directly. When you configure a dedicated application for external integration, you need not give the application any privileges as the bearer token returned is only used by the platform to verify the caller’s identity. This means that any external caller who obtains this bearer token will have no privileges within the identity provider itself.

Implementing non-interactive (JWT) authentication - C# example

The code sample below is a complete Console application that compiles under the .NET Framework version 4.8.

Note

This is simplified for illustration. It is not production-ready code. Among other things, it lacks any error-checking for simplicity.

When the code does “Base64” it is actually doing what is commonly called “Url-Safe Base64”. This replaces some characters used by standard Base64 because they are not compatible with the character set allowed in a URL.

Before starting

Remember to configure the four constants at the top:

ApplicationId is the identifier for the Application that you added under your Azure portal for the purpose of doing non-interactive authentication. For testing or preproduction, you can use here the same application Id that you are using for Directory Access. However, for production you will want to use here a separate application with no permissions on your Azure Active Directory.

MetadataEndpoint is the endpoint in Azure that you call for getting the metadata for your application.

TachyonServer is the base address of your Tachyon server. Only the server – do not append the name of the Site and do not add a slash at the end.

CertificateThumbprint is the Thumbprint of the certificate that you are using to authenticate the calls made by your external application into Tachyon. This is the same certificate whose public key you have authorised to access ApplicationId. Remember to grant access on the private key to the user who will be executing the sample application. Also, remember that it needs to be mapped to a Tachyon user through the KidToUpnMapping. This sample program does not allow mapping one certificate to multiple users; to do this, you need to add the Tachyon.upn member to the JWT (see the comment in the code).

namespace ExternalIntegrationUsingJwt
{
    using System;
    using System.Net;
    using System.Net.Http;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using System.Threading;
    using System.Web.Script.Serialization;

    internal class Program
    {
        private const string TachyonConsumer = "your consumer name here"; // Your registered Consumer should go here
        private const int ExpirationSeconds = 3600;

        // Configure the following values:
        private const string ApplicationId = "8983091d-fc2f-40b5-8aca-940e4cf5f9b5";
        private const string MetadataEndpoint = "https://login.microsoftonline.com/89f2b2d5-56db-4d75-86d1-b64974bd35bd/v2.0/.well-known/openid-configuration";
        private const string TachyonServer = "https://your.tachyon.server";
        private const string CertificateThumbprint = "998c12e4de7c5f39b90244d0766fa5b2965d1523";

        static void Main(string[] args)
        {
            // This is the code that obtains a Tachyon Token
            string signedJwt = GetSignedJwt();
            //string tachyonAuthEndpoint = TachyonServer + "/Tachyon/api/Authentication"; // for versions earlier than 24.1
            string tachyonAuthEndpoint = TachyonServer + "/api/Authentication";
            string tachyonToken = PostPayloadToTachyonAuthEndPoint(Quotify(signedJwt), tachyonAuthEndpoint);
            Console.WriteLine($"Got TachyonToken: {tachyonToken}");

            // This is an example for how we would use the token to invoke a Tachyon API
            //string exampleApi = TachyonServer + "/Tachyon/api/Permissions/WhoAmI"; // for versions earlier than 24.1
            string exampleApi = TachyonServer + "/api/Permissions/WhoAmI";
            string response = GetFromApi(exampleApi, tachyonToken);
            Console.WriteLine($"\nResponse from API: {response}");
        }

        private static string GetSignedJwt()
        {
            X509Certificate2 cert = GetCertFromLocalStore(CertificateThumbprint);
            string upn = null; // This version is not currently adding the UPN to the JWT
            string tokenEndpoint = GetTokenEndpoint();
            return GetAuthToken(cert, upn, tokenEndpoint, ApplicationId);
        }

        private static string GetAuthToken(X509Certificate2 cert, string upn, string tokenEndpoint, string appId)
        {
            var token = GetJwt(tokenEndpoint, appId, appId, upn);
            var signedToken = GetSignedClientAssertion(token, cert);
            return signedToken;
        }

        private static string GetSignedClientAssertion(string jwtJson, X509Certificate2 certificate)
        {
            var jwtHdrJson = GetJwtHdr(ToBase64Url(certificate.GetCertHash()));
            var jwtHdrBytesEncoded = ToBase64UrlString(jwtHdrJson);

            var jwtBytesEncoded = ToBase64UrlString(jwtJson);

            var token = jwtHdrBytesEncoded + "." + jwtBytesEncoded;

            return GetSignedAssertion(token, certificate);
        }

        private static string GetSignedAssertion(string assertion, X509Certificate2 certificate)
        {
            var rsa = RSACertificateExtensions.GetRSAPrivateKey(certificate);
            var assertionBytes = System.Text.Encoding.UTF8.GetBytes(assertion);
            var signature = rsa.SignData(assertionBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var signatureEncoded = ToBase64Url(signature);
            var signedClientAssertion = assertion + "." + signatureEncoded;
            return signedClientAssertion;
        }

        private static string GetJwtHdr(string thumbprint)
        {
            string jwtHdr = "{" + $"\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"{thumbprint}\",\"kid\":\"{thumbprint}\"" + "}";
            return jwtHdr;
        }

        private static string GetJwt(string audience, string issuer, string subject, string upn)
        {
            var timestamp = (ToUnixTimestamp(DateTime.UtcNow));
            var exptimestamp = timestamp + ExpirationSeconds;
            string jwtBody = "{" + $"\"aud\":\"{audience}\",\"iat\":\"{timestamp}\",\"exp\":\"{exptimestamp}\",\"iss\":\"{issuer}\",\"sub\":\"{subject}\",\"jti\":\"{Guid.NewGuid()}\"" + "}";
            // Add "Tachyon.upn" if using a single certificate for multiple users
            return jwtBody;
        }

        private static string ToBase64Url(byte[] buf)
        {
            var base64buf = Convert.ToBase64String(buf);
            base64buf = base64buf.Replace("=", "");
            base64buf = base64buf.Replace("+", "-");
            base64buf = base64buf.Replace("/", "_");
            return base64buf;
        }

        private static string ToBase64UrlString(string buf)
        {
            var bufBytes = Encoding.UTF8.GetBytes(buf);
            return ToBase64Url(bufBytes);
        }

        private static long ToUnixTimestamp(DateTime datetime)
        {
            var epoch = new DateTime(1970, 1, 1, 0, 0, 0);
            var seconds = Math.Truncate(datetime.ToUniversalTime().Subtract(epoch).TotalSeconds);
            return Convert.ToInt64(seconds);
        }

        private static string Quotify(string s)
        {
            return $"\"{s.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
        }

        private static string PostPayloadToTachyonAuthEndPoint(string payload, string tachyonAuthEndpoint)
        {
            using (HttpClient client = new HttpClient())
            {
                client.DefaultRequestHeaders.Add("X-Tachyon-Consumer", TachyonConsumer);

                string endpoint = tachyonAuthEndpoint + "/RequestJwtAuthentication";
                var result = client.PostAsync(endpoint, new StringContent(payload, Encoding.UTF8, "application/json"), CancellationToken.None).Result;
                string response = result.Content.ReadAsStringAsync().Result;
                return response;
            }
        }

        private static X509Certificate2 GetCertFromLocalStore(string thumbprint)
        {
            X509Certificate2 cer = null;

            // Assume certs are always in Personal store of local machine
            using (var store = new X509Store("My", StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadOnly);
                var cers = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                if (cers.Count > 0)
                {
                    cer = cers[0];
                }
                else
                {
                    store.Close();
                    throw new Exception($"Could not find certificate with thumbprint={thumbprint}");
                }

                store.Close();
            }

            return cer;
        }

        private static string GetFromApi(string endpoint, string tachyonToken)
        {
            using (HttpClient client = new HttpClient())
            {
                client.DefaultRequestHeaders.Add("X-Tachyon-Consumer", TachyonConsumer);
                client.DefaultRequestHeaders.Add("X-Tachyon-Authenticate", tachyonToken);

                var result = client.GetAsync(endpoint, CancellationToken.None).Result;
                string response = result.Content.ReadAsStringAsync().Result;
                return response;
            }
        }

        private static string GetTokenEndpoint()
        {
            var wc = new WebClient();
            string metadata = wc.DownloadString(MetadataEndpoint);
            JavaScriptSerializer js = new JavaScriptSerializer();
            MetaData deserialized = js.Deserialize<MetaData>(metadata);

            return deserialized.token_endpoint;
        }

        private class MetaData
        {
            public string token_endpoint { get; set; }
        }
    }
}

Implementing non-interactive (JWT) authentication - Python example

This page shows some sample Python code to perform non-interactive authentication to the platform. This code will sign a JWT, present it to the platform, receive an authentication token and then call the /devices endpoint to retrieve a list of all devices that are known to the platform as an example API call.

Setting up the environment

Note

While this material is covered on the parent page, it is included here for convenience, so that if you are implementing a Python integration project everything you need to know is on this page.

To run this example code, it is assumed that you have access to a platform server. You must have defined an external integration application Id on the associated identity provider instance. You need a self-signed certificate, which you can create by using PowerShell e.g

new-selfsignedcertificate -subject CN=Integration

There is no significance to the subject, it can be anything you wish. This will create the certificate in the local machine personal certificate store.

Export the certificate using the certlm.msc utility and specify that the private key is to be exported. Specify a password. In the sample code this is Password. You will export to a .PFX file. In the sample code this file is called integrate.pfx

Note

In a SaaS environment you can choose to retrieve the certificate from the Azure Key Vault. A snippet of Python code to do this is included in the appendix below. In the example code, the certificate is retrieved directly from the PFX file.

Export the certificate a second time but this time specify not to include the private key. This should create a .CER file with just the public key. Ensure that the public key is uploaded to the application on your identity provider that is used for external integration.

In the example code below, this application Id is configured in the line:

idpAppServiceClientId = "0c830a1d-fc2f-40b5-8aca-940e4cf5f9b5"

Change this to match the application Id of the application that is configured on your identity provider.

Note

The platform does not require that this application have any permissions on the identity provider itself.

Ensure that the platform server is configured to use this application for external integration. This corresponds to setting the ClientAssertionAppId property in its tenantconfig.json file as shown below, where the application Id is the above configured external integration app id.

......
"ClientAssertionAppId": "0c830a1d-fc2f-40b5-8aca-940e4cf5f9b5",
......

Configure the sample code to connect to the platform server.

platformServer = "https://your.platform.server"

The platform needs to know the principal that the JWT will map to, since it will issue a token for this principal. To set up the mapping:

Use the 1E PowerShell toolkit to interactively authenticate to the platform using a principal with Full Administrator rights. In the example code the platform server is https://tachyonrts.urth.local so the command will be:

set-1eserver your.platform.server

Get the ‘kid’ value for the JWT signing certificate by using the cmdlet:

get-1ecertificatethumbprint -storename localmachine\my

Use the add-1ejwtprincipalmapping cmdlet to add a mapping

add-1ejwtprincipalmapping

When prompted for an identifier, paste in the ‘kid’ from the previous step.

When prompted for a principal, enter the principal name that you wish the kid to map to.

Note

With this single mapping, the example code as written will acquire a token for that principal.

As noted in the code, it is possible to map a single certificate kid to multiple principals if desired. If you do this, then the custom JWT claim that is commented out in the example code must be included so that the calling code can indicate to the platform which principal it wishes to act as.

Note also that a single identity provider application configured for external integration can alternatively have multiple certificate public keys uploaded to it. In that scenario, you set up mappings as above for each ‘kid’ associated with those certificates. In this case each certificate maps independently to one or more principals. This gives you great flexibility in setting up external integration subsystems and managing their permissions.

Once you have completed this step, you should be able to run the sample code. A screenshot of an example lab run is included below.

import jwt
import datetime
import base64
import hashlib
import uuid
from cryptography.hazmat.primitives.serialization import pkcs12
import json
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding
import requests

import warnings
warnings.filterwarnings("ignore")  # this is just to suppress the warnings about overriding SSL trust for a lab platform where Python's cert store doesn't have a CA root cert imported.


TrustPlatformServer = False #allows us to call a platform server (e.g in a lab) where the Python cert store doesn't have a CA root cert establishing an SSL trust chain. Otherwise set to True

# This just loads the cert from a local Pfx file. Alternatively you can load the cert from the Azure Key Vault

def LoadCertFromPfx(pfx, password):
	with open(pfx, "rb") as pfxFile:
		pfxBinData = pfxFile.read()
		return pkcs12.load_key_and_certificates(pfxBinData, password)

# convert to URL-safe encoding

def toBase64Url(input):
    return base64.urlsafe_b64encode(input).rstrip(b'=')

# get certificate thumbprint (which we will then convert to a key identifier (kid) for the JWT later by base 64 url-safe encoding it)

def calculateThumbprint(certificate):
    der = certificate.public_bytes(serialization.Encoding.DER)
    digest = hashes.Hash(hashes.SHA1(), backend=default_backend())
    digest.update(der)
    thumbprint = digest.finalize()
    return thumbprint

# get the configured metadata endpoint for the identity provider from the platform

def getMetadataEndpoint(platformMetadataEndpoint):
    return requests.get(platformMetadataEndpoint, verify=TrustPlatformServer).json()


# get the identity provider token issuing endpoint from its openId metadata endpoint
# Note that the identity provider will always present a trusted SSL cert that Python's cert store can resolve to a trust chain, so we don't need to have an override for this
    
def getTokenEndpoint(identityProviderMetadataEndpoint):
    return requests.get(identityProviderMetadataEndpoint).json()["token_endpoint"]


# create a signed JWT using the pfx file with the certificate (this could be retrieved from the Azure Key Vault instead), the pfx password, the client assertion audience and the configured IdP application Id that will verify the JWT
# (this must have the public key of this cert uploaded to it)

def generateSignedJwt(pfx, password, clientAssertionAudience, idpAppServiceClientId):
    privateKey, certificate, _ = LoadCertFromPfx(pfx,password)
    kid = toBase64Url(calculateThumbprint(certificate)).decode()
   
    now = datetime.datetime.utcnow()
    expirationTime = now + datetime.timedelta(seconds=3600)

    header = {
        'alg': 'RS256',
        'typ': 'JWT',
        'x5t': kid,
        'kid': kid
    }

# You do not need a claim for the servicePrincipalName unless the platform kid->upn mapping table has multiple entries for the same kid (i.e certificate thumbprint)
# Otherwise the mapping is implied to a specific principal.

    body = {
        'aud': clientAssertionAudience,
        'iat': now,
        'exp': expirationTime,
        'iss': idpAppServiceClientId,
        'sub': idpAppServiceClientId,
        'jti': str(uuid.uuid4()) #,
#        'Tachyon.upn' : servicePrincipleName    # this is a custom claim allowing one certificate to map to multiple principals on the platform
    }
    signedJwt = jwt.encode(body, key=privateKey, algorithm='RS256', headers=header)
    return signedJwt

# make a request to the platform to get a token (base-64 encoded)

def requestJwtAuthentication(platformConsumer, platformAuthEndpoint, payload):
    headers = {"X-Tachyon-Consumer": platformConsumer}
    endpoint = platformAuthEndpoint + "/RequestJwtAuthentication"
    response = requests.post(endpoint, headers=headers, json=payload, verify=TrustPlatformServer)
    responseContent = response.text
    return responseContent


# Example API call

def getFromApi(platformServer, platformConsumer, path, token):
    headers = {"X-Tachyon-Consumer": platformConsumer, "X-Tachyon-Authenticate": token}
    endpoint = platformServer + path
    response = requests.get(endpoint, headers=headers,verify=TrustPlatformServer)
    return response.json()


# Main code here. 

platformServer = "https://your.platform.server"
platformConsumer = "your registered consumer"
platformAuthEndpoint = platformServer + "/api/Authentication"
platformMetadataEndpoint = platformAuthEndpoint + "/metadataendpoint"

# This is the application Id of the app that is set up for external integration. Your certificate's public key must have been uploaded to that app

idpAppServiceClientId = "0c830a1d-fc2f-40b5-8aca-940e4cf5f9b5"


# Get the configured identity provider's metadata endpoint from the platform

metadataEndpoint = getMetadataEndpoint(platformMetadataEndpoint)
print(metadataEndpoint)

# call the openId metadata endpoint on the identity provider to get the identity provider's token issuing endpoint

tokenEndpoint = getTokenEndpoint(metadataEndpoint)
print(tokenEndpoint)


# Make a signed JWT using the example PFX file. 
signedJwt = generateSignedJwt("integrate.pfx",b'Password', tokenEndpoint, idpAppServiceClientId)


# Request an internal token from the platform. This will have a life of one hour. When it expires, you repeat the above step to get a fresh signed Jwt and then request a fresh token

internalAccessToken = requestJwtAuthentication(platformConsumer, platformAuthEndpoint, signedJwt)

print("Response:", internalAccessToken)

# Call an API, passing the token (in this case, getting a list of connected devices)
apiResult = getFromApi(platformServer, platformConsumer, "/consumer/devices", internalAccessToken)
print(apiResult)

# Install the required libraries
!pip install azure-keyvault-secrets azure-identity

# Import the necessary modules
from azure.identity import ClientSecretCredential
from azure.keyvault.secrets import SecretClient

# Create a secret client with client secret authentication
credential = ClientSecretCredential(tenant_id, client_id, client_secret)
secret_client = SecretClient(vault_url=key_vault_url, credential=credential)

# Retrieve the secret value
cert_base64 = secret_client.get_secret(secret_name).value

# Use the secret value in your code
print("Retrieved secret value:", cert_base64)

Implementing non-interactive (JWT) authentication - Typescript example

This page shows a sample implementation of non-interactive authentication to the 1E Platform using TypeScript.

Please note that this is simplified for illustration. It is not production-ready code. Among other things, it lacks any error-checking for simplicity. This code was written to run inside the ‘bun’ environment, which is basically similar to node.js, so there should be equivalent library functionality in both environments.

Note

This example retrieves the JWT signing certificate from a local PFX file.

This does not represent optimum security best practice. As with any implementation, regardless of language, there are other mechanisms available to retrieve certificates. For example:

From the local Windows certificate store (where applicable).
From a mounted Kubernetes secret.
From the Azure Credential Vault.

Obtaining the certificate from any of those sources is outside the bounds on this article.

import { createHash } from 'crypto'
import fs from 'fs'

import { PlatformMetadata } from '@e-types'
import { sign } from 'jsonwebtoken'
import { asn1, pkcs12, pki, util } from 'node-forge'

const pfxPath = 'security/development-1e-vault-idp-1e-20240213.pfx'

const getTokenEndpoint = async () => {
  const url = await fetch('https://login.microsoftonline.com/a6c15a4f-bd3b-4eac-aac9-ef6e9ce805b0/v2.0/.well-known/openid-configuration')
  const metadataEndpoint = await url.json()
  return (metadataEndpoint as PlatformMetadata).token_endpoint
}

const toBase64Url = input => {
  return input.toString('base64url')
}

const calculateThumbprint = der => {
  const sha1 = createHash('sha1')
  sha1.update(der)
  return toBase64Url(sha1.digest())
}

const loadCertFromPfx = () => {
  const pfxData = fs.readFileSync(pfxPath)
  const pfxAsBinary = util.decode64(pfxData.toString('base64'))
  const der = asn1.fromDer(pfxAsBinary)
  const pfx = pkcs12.pkcs12FromAsn1(der, false)

  const keyBags = pfx.getBags({ bagType: pki.oids.pkcs8ShroudedKeyBag })
  const certBags = pfx.getBags({ bagType: pki.oids.certBag })
  const privateKey = pki.privateKeyToPem(keyBags[pki.oids.pkcs8ShroudedKeyBag][0].key)
  const certificate = certBags[pki.oids.certBag][0].cert

  const certDer = asn1.toDer(pki.certificateToAsn1(certificate as unknown as pki.Certificate)).getBytes()
  const thumbprint = calculateThumbprint(Buffer.from(certDer, 'binary'))

  return { privateKey, thumbprint }
}

export const generateJwt = async () => {
  const tokenEndpoint = await getTokenEndpoint()
  const today = new Date()
  const appId = '95ba1ee7-de87-4add-82f4-e900f13bc57f'
  const { privateKey: key, thumbprint: kid } = loadCertFromPfx()
  const now = Math.floor(today.getTime() / 1000)
  const expirationTime = now + 3600

  const payload = {
    aud: tokenEndpoint,
    iat: now,
    exp: expirationTime,
    iss: appId,
    sub: appId,
    jti: crypto.randomUUID(),
  }

  const header = {
    alg: 'RS256',
    x5t: kid,
    kid: kid,
  }

  const signedJwt = sign(payload, { key, passphrase: '' }, { algorithm: 'RS256', header })
  const url = await fetch('https://your.tachyon.server/api/Authentication/RequestJwtAuthentication', {
    method: 'POST',
    headers: { 'X-Tachyon-Consumer': 'Explorer', 'Content-Type': 'application/json' },
    body: JSON.stringify(signedJwt),
  })
  return await url.text()
}

In this section:

1E SDK

Authenticate against the 1E Platform and obtain a token

Authentication via IdP’s web page

Authentication using a JWT

Implementing interactive authentication

How it works

Before we begin

Authentication request

Examining the response to initial authentication request

Authenticating against the IdP

Checking the status of your authentication request

Warning

Retrieving the token

Warning

What if something goes wrong?

Consumer SDK support

Implementing interactive authentication - C# example

Note

Expand for C# example

Implementing non-interactive (JWT) authentication

How it works

Configuration

Authentication steps

Note

Non-interactive authentication - Principal to certificate mapping

About certificate to principal mapping

Connecting to the platform

Note

Note

Advanced principal mapping options

Warning

Verifying mappings

Note

Using a dedicated identity provider application for external integration

Specifying a dedicated identity provider application for external integration

Note

Implementing non-interactive (JWT) authentication - C# example

Note

Before starting

Implementing non-interactive (JWT) authentication - Python example

Setting up the environment

Note

Note

Note

Note

Note

Implementing non-interactive (JWT) authentication - Typescript example

Note

Search results