Tags: lotus-domino, lotusscript

User Authentication (JWT) in HCL Domino V10


I tried to use header-based user authentication, but it's not secure. I am wondering if there is another way to do user authentication in Domino, and if the user is authenticated, is there any method to generate a JWT?

Any help would be greatly appreciated. Thanks!


Solution

  • Generating a JWT token is fairly straightforward: it's a JSON object, as outlined by Stephan Wissel here https://notessensei.com/blog/2016/02/now-we-are-token-authorization-using-json-web-token-in-domino.html. There are two challenges though, both related to the requirement of doing it in LotusScript.

    1. I'm not aware of any LotusScript version of the relevant cryptographic libraries for converting the JSON object to a bearer token.
    2. The token needs to be stored somewhere. In all likelihood that means writing it to the database as a document. There is no caching mechanism in LotusScript to cache data between calls.
    3. LotusScript doesn't support a way for creating a named session. You could use the JWT token to verify authorization, but you would not be able to run as that user for subsequent requests. You could not use the "Run as Web User" option and would always run as the agent signer, so you would have to build your own reader/author level controls.

    JWT still requires an initial authentication, typically via a POST. The token should also have an expiry date, which you'll want to check. You get bonus points for adding an "expire" function to invalidate a token.

    I've never had a need in customer implementations to change from standard Domino authentication options.
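As an added example (not code from the question, the answer, or HCL Domino), the following Python shows the shape of what the answer describes: minting an HS256 JWT only after the initial authentication has succeeded, checking its signature and `exp` claim on every request, and an "expire" function that invalidates a token before its expiry. Python is used because, as the answer notes, LotusScript has no readily available cryptographic library for this; the `SECRET`, the subject name and the in-memory `revoked` set are constructed placeholders, and that set stands in for the database document the answer says you would have to write the token state to.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT for a user who has ALREADY been authenticated
    (e.g. after a successful credential POST). The token carries an expiry
    (exp) and a random id (jti) so it can later be revoked individually."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued, "exp": issued + ttl_seconds,
              "jti": secrets.token_hex(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret: bytes, token: str, revoked: Set[str],
                 now: Optional[int] = None) -> Tuple[Optional[dict], Optional[str]]:
    """Return (claims, None) when the token is acceptable, else (None, reason).
    Order of checks: structure, pinned algorithm, signature, expiry, revocation."""
    current = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        actual_sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None, "malformed"
    # Pin the algorithm server-side: never let the token's own 'alg' choose the verifier
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unsupported alg"
    expected_sig = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak signature bytes
    if not hmac.compare_digest(expected_sig, actual_sig):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError):
        return None, "malformed"
    # Expiry is mandatory; a token with no 'exp' is treated as expired
    if not isinstance(claims, dict) or "exp" not in claims or current >= int(claims["exp"]):
        return None, "expired"
    if claims.get("jti") in revoked:
        return None, "revoked"
    return claims, None


def revoke_token(secret: bytes, token: str, revoked: Set[str], now: Optional[int] = None) -> bool:
    """The 'expire' function: record a still-valid token's jti so later checks
    reject it. Returns False if the token was not valid to begin with.
    (Constructed stand-in: in Domino this set would be persisted in the database.)"""
    claims, err = verify_token(secret, token, revoked, now)
    if err is not None:
        return False
    revoked.add(claims["jti"])
    return True


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-real-use"  # placeholder
    revoked_ids: Set[str] = set()
    tok = mint_token(SECRET, "CN=Alice/O=Example", ttl_seconds=3600)
    print(verify_token(SECRET, tok, revoked_ids))              # (claims, None)
    revoke_token(SECRET, tok, revoked_ids)
    print(verify_token(SECRET, tok, revoked_ids))              # (None, 'revoked')
```

Issuing the token is the easy half; the point the answer makes still holds, because a valid token only tells your agent who the caller is, and the agent continues to run as its signer, so reader/author enforcement remains your code's responsibility.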