JWT Authentication

The Drupal API Authentication module works by sending a JWT token along with your API requests for authentication. This module uses JSON Web Token (JWT), an open standard for securely representing user identity during two-party interactions.

In this step, essentially, a username and password of your Drupal site are used to first get a JWT token. Once the username and password are verified, the Drupal REST API Authentication module will create a signed JSON Web Token. Then, the API will return that token back to the client application.

Once you have received the JWT token, then you can use this token to perform the operations in Drupal till the JWT token expires. The Drupal REST API Authentication module will grant access only when it receives a valid JWT from the application.

JWT can be signed and validated using two algorithms - HSA and RSA.

Let's see how we can use a JWT token for API authentication in Drupal.

 Download 

Setup Video:

Pre-requisites: Download and Installation:

• Download & install the Drupal REST & JSON API Authentication module.
• REST UI: This module provides you with a user interface for configuring the REST module. 
• Enable the following Web Services modules from under the Extend section(/admin/modules) of your Drupal site:
  • REST UI
  • RESTful Web Services
  • Serialization

  

Steps to configure JWT-Based API Authentication:

• For better understanding, we will be taking an example of adding JWT-based authentication to create a basic page in Drupal using the /node API.

Enable the API and assign methods and operations as follows:

• The first step is to enable the API and also assign methods and operations allowed on that particular API. This can be done using the REST UI module or you can simply modify the config.
• To enable the API using the REST UI module, click on the Configure button of the REST UI module(as shown below)

  

• Considering our example, we want to enable the /node API present under the content section. Enable this API using the Enable option in front of it.

  

• Now, as our goal is to create basic page on Drupal, select the following configs:
  • Method: POST
  • Format: json
  • Authentication provider: rest_api_authentication.
• Selecting rest_api_authentication will allow the miniOrange REST API Authentication module to Authenticate your API. Click on the Save Configuration button to continue.

  

Setup JWT-Based API Authentication:

• In this step, we will set up JWT as an API Authentication method. In order to do so, please navigate to the API Authentication tab of the REST API Authentication Module (/admin/config/people/rest_api_authentication/auth_settings)

  • Select the Enable Authentication checkbox and click on Save Settings.
  • Below the Save Settings button select the JWT radio button.

• If you wish to use an externally created JWT token for authentication, you can do so by configuring the below options:

  • In the Username Attribute text field, enter the attribute name in which your username will get received.
  • If you wish to use an external JWT token, you can also provide the JWKS URI to validate that JWT token in Drupal.

    

Grant permissions to Drupal roles to create a page:

• If you require, you can also grant non-admin Drupal roles permission to create a basic page. You can do so by assigning Drupal roles to the Basic page: Create new content permission from under the permission section (/admin/people/permissions) of your Drupal site.

  

That’s it!!!

Now let’s try to create a basic page through an API call using JWT for authentication.

Examples:

• First of all, we have to make an API call to get a JWT. We will then use that token to authenticate Drupal API for creating a basic page.

• We can obtain the JWT by making a POST request containing the user’s Drupal Username and Password. You have to send the Username and Password in base64-encoded format. You can refer to the below request format for reference.

  Request: POST <your_drupal_base_url>/rest_api/id_token

  Header: Authorization: Basic base64encoded <username:password;>
               Accept:  application/json

  CURL Request Format-

  curl --location --request POST ' <your_drupal_base_url>/rest_api/id_token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic base64encoded <username:password>'

• You can also refer to the image of the Postman request to get JWT from Drupal.

Request:

• A successful response returns the JWT along with its token expiry. (please refer to the image below)

  

• If you receive any error in response then you can refer to the below table for the error description and possible solutions.

Authenticate the Drupal REST APIs using received JWT:

• To perform authentication using JWT, simply add the received JWT as a Bearer token in the Authorization Header.

  Request: POST <drupal_base_url> /node?_format=json
  Header: Authorization:  Bearer received_JWT
               Accept: application/json   
  Body:        
   {
    "type":[
        {"target_id":"page"}
        ],
    "title":[
        {"value":"Drupal Rest API Authentication"}
        ],
    "body":[
        {"value":"Page created using the JWT Authentication."}
        ]
  }

  CURL Request Format-

  curl --location --request POST   ‘<drupal_base_url>/node?_format=json’\
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <received_JWT>’ \
  --data-raw '

  {
    "type":[
        {"target_id":"page"}
        ],
    "title":[
        {"value":"Drupal Rest API Authentication"}
        ],
    "body":[
        {"value":"Page created using the JWT Authentication."}
        ]
  }'
   

Sample request to create a page using JWT-based authentication:

• You can also refer to the Postman request for the same:

  

• A successful response would look something like:

  

• You can check the created page in the content tab of Drupal.

  

• Error Responses and Possible Solutions:

Article from Drupal Documentation.