On this article, I will guide you to create an JWT (JSON Web Token) authentication for Adobe. My example will be based on the Admin Console, the user management, because this is one of the few that are supporting the JWT authentication at the moment.
Everything that is going to be explained now is a comprehensive explanation of the documentation available by Adobe : https://github.com/adobeio/adobeio-documentation/blob/master/auth/JWTAuthenticationQuickStart.md
JSON Web Token Explanation
What is JWT ? It is an acronym that stands for JSON Web Token. You send a signed JSON to a service and it returns you a token.
It is much better than the Oauth authentication provided at the moment from Adobe, as the latter forces you to manually load a URL in your browser to retrieve the token. So much for automation.
I always believed that an API should be able to run without any human interference, or as little as possible. JWT identification enables this possibility.
What is required for my JWT ?
First of all, you need to make sure that you have created a connection to the Adobe IO User Management Module with the correct configuration and you still have your private key in order to log to that module.
Don’t worry, we are going to do that together in the following part.
Creating an account with Adobe IO console
You would need to go to integration console interface in order to register your application : https://console.adobe.io/integrations
Then you need to click on “New Integration”
The next steps is to actually setup an access to the application of your choice.
On my side, as I explained earlier, I will create a user management API access.
The User Management API has been selected for this demo as it supports the JWT authentication at the moment of that writing (January 2019). In the future, all of the API will support the JWT method. So depending on when you read this tutorial, you may be able to select any API you want.
On the next step, you will provide the key that you have prepared for the connection. The certificate that are supported are .crt, .perm and .der
The full description on how to generate this public key is available on this blog post : generate a CRT file on windows.
Make sure that you have generated the private key and also have a copy unencrypted for your own use.
Information to retrieve from your account
When the account has been created, you will see a possibility to click on it on the IO console.
You can click on that and retrieve these information :
- Your ORG ID
- Your API KEY
- Your TECH ID (something with @tech…)
- Your secret
On top of that, the endpoint that is required for the JWT token creation.
That endpoint being : https://ims-na1.adobelogin.com/ims/exchange/jwt
Python Code
python Configuration
On top of the configuration you have done for your adobe account, you would need to have several libraries installed on your python environment :
- requests (pip install requests)
- jwt (pip install jwt)
As you have your private key available, you will need it to be accessible for your program.
JWT with requests and token retrieval
The code requires to retrieve the JWT is the following :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | def retrievingToken(): ## I create a function so it can be reused later on when the time limit has been reached with open('privatedatanalyst.key','r') as f: ##reading and storing the private key private_key_unencrypted = f.read() ## don't worry it will be encrypted later on header_jwt = {'cache-control':'no-cache','content-type':'application/x-www-form-urlencoded'} ## setting the header jwtPayload = { "exp": round(24*60*60+ int(time.time())),###Expiration set to 24 hours "iss": org_id, ###org_id "sub": tech_id,###technical_account_id "https://ims-na1.adobelogin.com/s/ent_user_sdk": True, "aud": "https://ims-na1.adobelogin.com/c/"+api_key ##api_key is your API KEY }## I set the different information required in request encoded_jwt = jwt.encode(jwtPayload, private_key_unencrypted , algorithm='RS256')##make sure to use the RS256 algo payload = { "client_id":api_key, "client_secret":secret, "jwt_token" : encoded_jwt.decode("utf-8") } response = requests.post(url,headers=header_jwt, data=payload) ##using the requests library to ask for the token json_response = response.json() token = json_response['access_token'] ## retrieve the token expire = json_response['expires_in'] ##retrieving when the token expire global date_limit ## getting the scope right date_limit= time.time()+ expire/1000 -500 ## end of time for the token, taking 500 s interval print('token valid till : ' + time.ctime(time.time()+ expire/1000)) ##show me in the console how long the token is working return token |
You now have retrieved the token using the JWT authentication method.
As explained before, using this method enable you to bypass human interaction to use the Adobe IO API. Therefore, you can create cron job in order to realize operation at regular time.
I hope this tutorial was helpful and don’t hesitate if you have a question.
In the following queries,
token = json_response[‘access_token’] ## retrieve the token
expire = json_response[‘expires_in’]
what values do we provide for access_token’ and ‘expire_in’ ?
I received your email but couldn’t reply because you didn’t specify an email address.
You don’t need to set the value.
They will be set automatically from the response of Adobe IO.
They will set your token value and the expiration timestamp in seconds.
encoded_jwt = jwt.encode(jwt_payload, private_key_unencrypted , algorithm=’RS256′)##make sure to use the RS256 algo throw TypeError: load_pem_private_key() missing 1 required positional argument: ‘backend’. How to fix it? Thanks!
Try uninstall the pyjwt and re-install them in different orders.