Human Capital Management Blogs by SAP
Get insider info on SAP SuccessFactors HCM suite for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
cancel
Showing results for 
Search instead for 
Did you mean: 
yogananda
Product and Topic Expert
Product and Topic Expert

JWT-based Authentication


The basic thing you need to understand JWT-based authentication is that you’re dealing with an encrypted JSON which we’ll call “token”. This token has all the information required for the back-end system to understand who you are and if, indeed, you are who you say you are.

So, let’s get into it.

Step 1 - Generate a private key.

You can generate a private key with the openssl tool using Gitbash

 

openssl genrsa -out private_jwt.key 2048

 

2. Generate a public key.

Again, we use openssl to generate the public key for the private key created in above scenario 1

 

openssl rsa -in private_jwt.key -pubout -outform PEM -out public_jwt_key.pub

 


The public key is stored in the file public_jwt_key.pub. It is used later by Commissions to verify the JWT token signature during the logon.
Step 2. Select Commissions user with authentication type JWT and upload the public key.

Go to SAP Commission > User Administration > Select your User and follow the steps

Step 3. Generate a JWT token.

Install Node and NPM to get jwtgen Package (https://www.npmjs.com/package/jwtgen)

 

npm i jwtgen

 

Command to generate JWT Token

 

jwtgen -e 3000 -c "sub=D00000000000001" -c "aud=https://<tenantid>.callidusondemand.com" -a RS256 -p JWT-Auth.key

 


Note : sub = your userId of SAP commissions

Screenshot for JWT Token

SAP Commissions performs the following validations on the JWT token:

    • The aud claim in the token is equal to the Commissions server URL.
    • The iss claim in the token contains a Commissions user id of authentication type JWT.
    • The token signature is successfully verified with the public key stored with the Commissions user.
    • The token is valid and not yet expired.

Step 4. Authenticate against Commissions with the JWT token.

GET Method :
https://<tenantid>.callidusondemand.com/CallidusPortal/services/Authentication/isAuthenticated

If this API call is successful, a response with {} will appear.

Known Error

    • Public Key is limited to one user for JWT Authentication


Decoded Headers

 

{
  "typ": "JWT",
  "alg": "RS256"
}

 


Decoded Payload

 

{
  "iat": 1616780333,
  "exp": 1616783333,
  "sub": "D00000000000001",
  "aud": "https://<tenantid>.callidusondemand.com"
}

 






 

 

8 Comments