Authentication

The AIS Server uses EnterpriseOne authentication to authenticate AIS clients. All AIS sessions are established with requests to the EnterpriseOne HTML Server to establish a corresponding HTML Server (JAS) session. The AIS Server can maintain open sessions linked to open JAS sessions. It can also execute stateless calls where sessions are temporarily established only for the time of the call and thereafter terminated. See "Session Management" below for more information.

You can configure the AIS Server to use SSL so that all communication is over HTTPS. It can also be configured to communicate over HTTPS with the EnterpriseOne HTML Server.

You must make sure that the type of authentication (or login type) used by the AIS client is enabled in the Application Interface Services Security Settings section in Server Manager. The following sections describe the supported authentication types.

Username and Password

This type of authentication is used in JD Edwards EnterpriseOne mobile enterprise applications. It involves passing the username and password in the JSON body of the request, for example:

            {
                "username":"JDE",
                "password":"JDE"
            }
            

HTTP Basic Authentication

This type of authentication is used for authenticating Internet of Things (IoT) devices calling orchestrations on the AIS Server. It is also used by the EnterpriseOne Orchestrator Client to test running orchestrations on the AIS Server. It involves passing the username and password in the basic authorization header, for example:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

PS Token

This type of authentication is used in EnterpriseOne ADF applications. It is also used by EnterpriseOne Pages designed to call AIS services through the e1pagehelper.js API. It involves passing the username and psToken in the body, for example:

        {
            "psToken": "pgAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4AcQg4AC4AMQAwABQJrwo/Lw6l8FT3c1jCCRFRdRTiVmYAAAAFAFNkYXRhWnicHYhBDkAwEEVfqysHsHaBSjUlLInGpsHG2hncz+FMZpL/3p//Aq6yxog/i159sXBTOHGZluZh12+VvXBI28ikSKBnxKu9JConOmmDcGAWBnHQPcEPnWgLvQ==",
            "username": "JDE"
        }
        

JSON Web Token

This authentication method can be used in a JD Edwards EnterpriseOne mobile application integration with Oracle Mobile Cloud Service. You can also use this login type to employ OAuth 2.0 authentication for third-party AIS clients, including clients developed using the AIS Client Java API to call AIS services and orchestrations on the AIS Server.

Note: You can use OAuth 2.0 if you have an EnterpriseOne configuration with Oracle Access Manager (OAM), where OAM is the OAuth provider.

This authentication method involves passing a JWT in the Bearer Header, for example:

Authorization: Bearer eyJ4NXQiOiJkUHFHSDRadktiUUNRTExqTXRTVkRSc3hYSjAiLCJ0eXAiOiJKV1QiLCJhbGci...

Using JWT for authentication requires a trusted node configuration and an EnterpriseOne HTML Server trusted certificate configuration. See "Configuring EnterpriseOne HTML Server for JSON Web Token (JWT)" in the JD Edwards EnterpriseOne Tools Security Administration Guide.

Header Authentication

Starting with Tools 9.2.4, you have the option to use header-based authentication. You can use the header-based authentication method both for requesting an AIS token and for using an AIS token.

Requesting a Token

The /tokenrequest service has three HTTP headers that can be used in conjunction with a Basic Authorization or JWT token request to indicate the environment, role, and device that the session is established with. You can include the following authentication credentials in the request header instead of passing these values in the request body:

                 jde-AIS-Auth-Environment
                 jde-AIS-Auth-Role
                 jde-AIS-Auth-Device
            

Example

                POST /jderest/v2/tokenrequest HTTP/1.1
                Accept: application/json
                Content-Type: application/json
                jde-AIS-Auth-Environment: JDV920
                jde-AIS-Auth-Role: *ALL
                jde-AIS-Auth-Device: Curl
                Authorization: Basic S09VOktPVQ==
            

Using a Token

All AIS services accept two HTTP headers for passing the token and device name. You can include the following authentication values in the request header instead of passing them in the request body. The device name is optional. However, if the token was requested with a device name, the token must be used with the device name.

                 jde-AIS-Auth
                 jde-AIS-Auth-Device
            

Example

                POST /jderest/v2/formservice HTTP/1.1
                Accept: application/json
                Content-Type: application/json
                jde-AIS-Auth: 0449gCaVHmzYCg3/+3qobSsCukOavk5Xvrn7E8c/VNsP4I=MDE5MDEzMTMwMjQ0NzY0NDQ1MTkwNTY0MU5pY29sZVBvc3RtYW4xNTYxNDgyMzE5Nzgy
                jde-AIS-Auth-Device: Curl
            

Session Management

After a token request is sent to the AIS Server with successful authentication, the AIS Server generates a token and maintains a session for the user according to the timeout and time-to-live settings in Server Manager (rest.ini). A corresponding user session is also maintained on the EnterpriseOne HTML Server. You can view the AIS sessions in Server Manager, which displays "AIS Server" in the Display Mode for active AIS sessions. The AIS token is the key to the user session and must be passed on all subsequent calls that use that AIS session.

For stateless AIS requests, credentials are supplied (not AIS tokens). Requests are given a temporary session that is removed once that request completes.

The original security model put in place for mobile applications still applies, even for non-mobile clients. The deviceName (or Device ID) is not required. If Device ID is not passed, the requesting IP address is used. Thus a token requested from one device or IP address cannot be used by another device or IP address. Validation is performed every time the token is used.
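
The binding and expiry rules described above, modeled as an added example (not Oracle's implementation and not part of the original page). The class and parameter names are hypothetical, `idle_timeout` and `ttl` stand in for the timeout and time-to-live settings, and the model assumes the binding is the device name when one was supplied at token request and the requesting IP address otherwise.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    binding: str      # device name if supplied at request time, else client IP
    by_device: bool   # True when the token was requested with a device name
    created: float
    last_used: float


class SessionStore:
    """Toy model of the token rules in this section (hypothetical names)."""

    def __init__(self, idle_timeout=1800, ttl=43200, clock=time.time):
        # idle_timeout / ttl are assumed stand-ins for the server's settings.
        self.idle_timeout, self.ttl, self.clock = idle_timeout, ttl, clock
        self.sessions = {}

    def request_token(self, user, client_ip, device=None):
        now = self.clock()
        token = secrets.token_urlsafe(32)  # unguessable key to the session
        self.sessions[token] = Session(user, device or client_ip,
                                       device is not None, now, now)
        return token

    def validate(self, token, client_ip, device=None):
        """Run on every call that presents a token; returns (ok, reason)."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown token"
        now = self.clock()
        if now - s.created > self.ttl or now - s.last_used > self.idle_timeout:
            del self.sessions[token]  # expired sessions are removed
            return False, "expired"
        # A token requested with a device name must be presented with it;
        # otherwise the requesting IP address is the binding.
        presented = device if s.by_device else client_ip
        if presented != s.binding:
            return False, "binding mismatch"
        s.last_used = now
        return True, "ok"
```

Because the check runs on every call, a token copied to another device or address is rejected even while the original session is still live.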