UC_OAUTH_SETTINGS - AE REST API Authentication

This VARA object defines the configuration required to secure AE REST API access using OAuth2, enabling safe communication and integration with modern identity providers such as Microsoft Entra ID, Google, or Okta. It can be defined in Client 0 to apply globally across all Clients, or in a specific production Client to override the global configuration.

The variable includes the following keys:

  • JWKS_URL (Mandatory)

    Specifies a publicly accessible HTTPS endpoint that hosts a JSON Web Key Set (JWKS). The JWKS contains the public keys used by identity providers (such as Microsoft Entra ID, Google, or Okta) to sign JWTs. The AE uses this endpoint to automatically download and cache the keys, ensuring that token signatures can be validated for authenticity and integrity.

    Example:

    https://login.microsoftonline.com/{your_directory_id}/.discovery/v2.0/keys

    The system verifies JWT signatures using the keys retrieved from the configured JWKS endpoint.

    Restart required: No

  • JWT_ID_KEYS (Optional)

    Specifies how the AE identifies the origin of a JWT after successful signature verification.

    Note: JWKS keys are used solely to verify the cryptographic signature and confirm that the JWT was issued by a trusted identity provider. The JWT_ID_KEYS setting is applied after signature validation to determine which user or application the token represents.

    The identification method depends on the token type. These are the tokens supported by default:

    • User tokens: Identified by the email claim.

    • Application tokens: Identified by the application ID (appid) claim.

    You can customize this behavior to use other claims from the JWT payload (for example, oid) to align token identification with your organization’s identity management standards. The system does not infer, combine, or fall back between identifiers, ensuring consistent and deterministic token identification.

    Restart required: No

  • JWT_SCOPES (Optional)

    Defines which OAuth2 scopes are accepted by the AE REST API. After signature and identity validation, the system verifies that the token includes at least one scope that exactly matches a configured value. Partial or approximate matches are not allowed.

    If JWT_SCOPES is not configured, any token that passes signature and identity validation is accepted. Defining scopes is strongly recommended to ensure that tokens are explicitly issued for this API. Depending on the identity provider, the token’s scope or audience must match the application to confirm that the token was created for the AE.

    Restart required: No
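The three stages described above (signature check against the JWKS, identity resolution per JWT_ID_KEYS, exact scope matching per JWT_SCOPES) as an added, self-contained Python example; this is illustrative code, not the AE implementation. It assumes a constructed symmetric "oct" JWK so it runs with the standard library only (a real provider publishes RSA/EC public keys), that application tokens carry an `idtyp` claim equal to `"app"`, and that scopes arrive space-separated in an `scp` claim; none of those details come from the page.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWKS. A real provider publishes public keys; a symmetric "oct"
# JWK is used here only so the example runs without third-party libraries.
SECRET = b"constructed-demo-secret"
JWKS = {"keys": [{"kty": "oct", "kid": "key-1", "alg": "HS256", "k": b64url(SECRET)}]}

def make_token(payload: dict, kid: str = "key-1", secret: bytes = SECRET) -> str:
    """Build a signed test token (stands in for the identity provider)."""
    head = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate(token: str, jwks: dict, id_keys: dict, scopes=None):
    """Return (identity, None) on success or (None, reason) on rejection."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(head_b64))
    except (ValueError, json.JSONDecodeError):
        return None, "malformed token"
    # 1. Signature: select the key by kid; the algorithm is pinned to the key
    #    from the JWKS, so a token cannot choose its own algorithm.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != key["alg"]:
        return None, "unknown kid or algorithm mismatch"
    expected = hmac.new(unb64url(key["k"]), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        return None, "invalid signature"
    payload = json.loads(unb64url(body_b64))
    # 2. Identity: exactly one claim per token type (JWT_ID_KEYS), no fallback
    #    to other claims. Assumption: app tokens are marked by idtyp == "app".
    kind = "application" if payload.get("idtyp") == "app" else "user"
    claim = id_keys[kind]
    if claim not in payload:
        return None, f"missing identity claim '{claim}'"
    # 3. Scopes: if configured, at least one token scope must match exactly.
    #    Assumption: scopes are space-separated in the "scp" claim.
    if scopes:
        granted = set(payload.get("scp", "").split())
        if not granted & set(scopes):
            return None, "no matching scope"
    return payload[claim], None
```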

See also: