Consuming REST API with OIDC authentication
To authenticate with a REST API using OIDC, a JWT token must be requested from an identity provider and sent to the REST API (the resource server).
This page shows an example of how to request JWT tokens in AMT and use them to access an AMT Provided REST API.
PowerShell Token Retriever Script
- The first step is to add a PowerShell script to AMT in order to request the token.
In the AMT Developer Studio, create a new PowerShell script named TOKENRETRIEVER and paste in the following code:
param (
    [string]$ConfigName
)
# Define comscript path:
$ComScrscriptPath = 'C:\Amt\AMTTools\ComScript\ComScript.dll'
# Define the list of configurations
$Configurations = @{
    "Example1" = @{
        authority = "https://example.org/authority1"
        clientid = "yourClientid1"
        clientsecret = "yourClientSecret1"
        scopes = "scope1 scope2"
    }
    "Example2" = @{
        authority = "https://example.org/authority2"
        clientid = "yourClientid2"
        clientsecret = "yourClientSecret2"
        scopes = "scope3 scope4"
    }
}
# Connect to Comscript
Add-Type -Path $ComScrscriptPath
$ComScr = New-Object Asysco.Amt.Scripting.ComScript
$ComScr.Connect()
$Job = $ComScr.GetMySelf()
# Check if the configuration exists
if (-not $Configurations.ContainsKey($ConfigName)) {
    $Job.SetTVCustom("ERROR", "ConfigName not found in defined configurations.")
    $Job.SaveTaskValue()
    exit 1
}
# Get the configuration based on the input parameter
$ConfigData = $Configurations[$ConfigName]
# Get the authority and prepare the well-known endpoint URL
$Authority = $ConfigData['authority']
$WellKnownUrl = "$Authority/.well-known/openid-configuration"
# Make the HTTP request to retrieve the token endpoint
$Response = Invoke-RestMethod -Uri $WellKnownUrl -Method Get
# Check if the response contains the token endpoint
if (-not $Response.token_endpoint) {
    $Job.SetTVCustom("ERROR", "No token endpoint found in the WellKnown response")
    $Job.SaveTaskValue()
    exit 1
}
# Create the body for the token request
$Body = @{
    grant_type = "client_credentials"
    client_id = $ConfigData['clientid']
    client_secret = $ConfigData['clientsecret']
    scope = $ConfigData['scopes']
}
# Make the HTTP request to get the access token
$TokenResponse = Invoke-RestMethod -Uri $Response.token_endpoint -Method Post -ContentType "application/x-www-form-urlencoded" -Body $Body
# Check if the access token is present in the response
if (-not $TokenResponse.access_token) {
    $Job.SetTVCustom("ERROR", "Token response did not contain access token!")
    $Job.SaveTaskValue()
    exit 1
}
$Job.SetTVCustom("ACCESSTOKEN", $TokenResponse.access_token)
$Job.SaveTaskValue()
$ComScr.Dispose()
- Update the location of the ComScript library (ComScrscriptPath) to fit the AMT environment and set the OIDC client information in the configuration section.
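The script above posts the client secret to whatever token_endpoint the discovery response names, so it helps to validate that response first. The following is an added example, not code from the AMT documentation or product: Resolve-TokenEndpoint, its AllowedHosts parameter and the sample discovery documents are hypothetical and constructed here.

```powershell
# Added example, not part of the TOKENRETRIEVER script.
# Resolve-TokenEndpoint and -AllowedHosts are hypothetical names.
function Resolve-TokenEndpoint {
    param (
        [Parameter(Mandatory)][string]$Authority,
        [Parameter(Mandatory)]$Discovery,       # object returned by Invoke-RestMethod
        [string[]]$AllowedHosts = @()           # extra hosts trusted for the token endpoint
    )
    $AuthorityUri = $null
    if (-not ([Uri]::TryCreate($Authority, [UriKind]::Absolute, [ref]$AuthorityUri)) -or
        $AuthorityUri.Scheme -ne 'https') {
        throw "Authority '$Authority' is not an absolute https URL"
    }
    # OpenID Connect Discovery requires the issuer value to be identical to
    # the issuer URL that was used to build the well-known URL.
    if ([string]$Discovery.issuer -cne $Authority) {
        throw "Issuer mismatch: expected '$Authority', got '$($Discovery.issuer)'"
    }
    $TokenUri = $null
    if (-not ([Uri]::TryCreate([string]$Discovery.token_endpoint, [UriKind]::Absolute, [ref]$TokenUri)) -or
        $TokenUri.Scheme -ne 'https') {
        throw "token_endpoint '$($Discovery.token_endpoint)' is not an absolute https URL"
    }
    # The client secret may only go to the authority's own host or an allow-listed one.
    $TrustedHosts = @($AuthorityUri.Host) + $AllowedHosts
    if ($TrustedHosts -notcontains $TokenUri.Host) {
        throw "token_endpoint host '$($TokenUri.Host)' is not trusted for '$Authority'"
    }
    return $TokenUri.AbsoluteUri
}

# Constructed sample discovery documents (not captured from a real provider).
$Authority = 'https://example.org/authority1'
$Samples = [ordered]@{
    'valid'          = [pscustomobject]@{ issuer = $Authority; token_endpoint = "$Authority/connect/token" }
    'plain http'     = [pscustomobject]@{ issuer = $Authority; token_endpoint = 'http://example.org/authority1/connect/token' }
    'foreign host'   = [pscustomobject]@{ issuer = $Authority; token_endpoint = 'https://tokens.example.net/token' }
    'issuer differs' = [pscustomobject]@{ issuer = 'https://example.net/other'; token_endpoint = "$Authority/connect/token" }
}
foreach ($Name in $Samples.Keys) {
    try {
        $Endpoint = Resolve-TokenEndpoint -Authority $Authority -Discovery $Samples[$Name]
        "{0}: accepted {1}" -f $Name, $Endpoint
    } catch {
        "{0}: rejected ({1})" -f $Name, $_.Exception.Message
    }
}
```

In TOKENRETRIEVER this check would sit between the discovery request and the token request, with a rejection reported through `$Job.SetTVCustom("ERROR", ...)` in the same way as the script's other failures.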
Global routine RETRIEVETOKENHEADER
- The next step is to create a Global routine which starts the script from the previous step and returns the token header as its result.
The following LION code can be used to achieve that objective.
BEGIN_DEFINITIONS
    VAR
        TASKOBJECT : task
        JOBOBJECT : job
END_DEFINITIONS
ROUTINE MAIN (CONFIG_NAME: string) : realstring
BEGIN_ROUTINE
    TASKOBJECT.APPNAME := SI-APPLICATIONNAME
    TASKOBJECT.CONNECT ()
    if not TASKOBJECT.CONNECTED
        sme('RetrieveTokenHeader: Connecting Task Object failed!')
        exit
    endif
    JOBOBJECT := TASKOBJECT.createjob ()
    JOBOBJECT.USER := SI-NTLOGIN
    JOBOBJECT.MAXIMUMNUMBEROFRESTARTS := 1
    JOBOBJECT.SCRIPTPARAMETER := '-config ' & CONFIG_NAME
    JOBOBJECT.WAIT := true
    JOBOBJECT.ADDJOBREQUEST ('TOKENRETRIEVER', script)
    if not JOBOBJECT.ERRORCODE = 0
        sme('Error while executing TOKENRETRIEVER script: ' & JOBOBJECT.ERRORDESCRIPTION)
        exit
    endif
    if not JOBOBJECT.GETTVCUSTOM ('ERROR') = ''
        sme('Failed to retrieve token: ' & JOBOBJECT.GETTVCUSTOM ('ERROR'))
        exit
    endif
    // No errors, TASKVALUE should contain retrieved Bearer token.
    // Now format it in expected Authorization header format:
    RESULT := 'Bearer ' & JOBOBJECT.GETTVCUSTOM ('ACCESSTOKEN')
END_ROUTINE
- After editing and saving both the script and the global routine, they should both be checked into the repository, generated and added as jobs in the Control Center.
Use of the retrieve token header Global Routine
- This final example shows how the Global routine from the previous step can be called and its result used as the token for an AMT Provided REST API.
Note that the token should be added to each Provided REST API call.
BEGIN_DEFINITIONS
    VAR
        HEADERTOKEN : realstring
        CRA_RESULT : realstring
END_DEFINITIONS
ROUTINE MAIN
BEGIN_ROUTINE
    HEADERTOKEN := RETRIEVETOKENHEADER('Example1')
    if not HEADERTOKEN = ''
        CRA_TEST.POSTAMTAMTLOGON(HEADERTOKEN)
        CRA_RESULT := CRA_TEST.GETDATA(HEADERTOKEN)
        CRA_TEST.POSTAMTAMTLOGOFF(HEADERTOKEN)
    endif
END_ROUTINE