REST API: System Integrator's Guide
Web Central implementation
Web Central REST API calls are authenticated using JWT access tokens.
Applications calling Web Central REST API must obtain the access token from their OAuth2 or OpenID Connect identity provider.
Access tokens should:
- contain the claims: sub, expiration, issuer, audience.
- be signed with a cryptographic key using the JWK (JSON Web Key) standard.
Web Central:
- does not accept unsigned access tokens.
- uses the "sub" claim as the username.
- verifies the signature (downloading the IdP's public key and caching it) and the claims: expiration, issuer, audience.
- uses the jose4j library (https://bitbucket.org/b_c/jose4j/wiki/Home) to implement token verification.
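The checks listed above, written out with jose4j's JwtConsumer API as an added illustration. This is not Web Central's own code; the class name, the IdP issuer, the JWKS URL and the audience value are assumptions and must be replaced with the values your identity provider actually issues.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

/** Hypothetical access-token validator illustrating the checks described above. */
public final class AccessTokenValidator {

    // Assumed IdP values: substitute the issuer, JWKS endpoint and audience your IdP uses.
    private static final String ISSUER = "https://idp.example.com/";
    private static final String JWKS_URL = "https://idp.example.com/.well-known/jwks.json";
    private static final String AUDIENCE = "archibus-rest-api";

    private final JwtConsumer consumer;

    public AccessTokenValidator() {
        // HttpsJwks downloads the IdP's JWK Set once and caches it; the resolver
        // refreshes the cache when a token references a "kid" it does not know,
        // so key rotation works without a call to the IdP on every request.
        HttpsJwks jwks = new HttpsJwks(JWKS_URL);
        HttpsJwksVerificationKeyResolver keyResolver = new HttpsJwksVerificationKeyResolver(jwks);

        consumer = new JwtConsumerBuilder()
                .setVerificationKeyResolver(keyResolver)
                // Accept only RS256 signatures. A token with "alg":"none" (unsigned)
                // is rejected; jose4j blocks "none" by default, the whitelist just makes it explicit.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256))
                // Claim checks: exp must be present and in the future (30 s skew allowed),
                // sub must be present, iss and aud must match the configured values.
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireSubject()
                .setExpectedIssuer(ISSUER)
                .setExpectedAudience(AUDIENCE)
                .build();
    }

    /**
     * Verifies the token and returns the username taken from the "sub" claim.
     * Any failed check (bad signature, unknown key, expired, wrong issuer or
     * audience, missing claim) surfaces as InvalidJwtException; the caller
     * should answer 401 and log the reason rather than fall back to another
     * authentication method.
     */
    public String authenticate(String bearerToken) throws InvalidJwtException, MalformedClaimException {
        JwtClaims claims = consumer.processToClaims(bearerToken);
        return claims.getSubject();
    }
}
```

A caller strips the `Bearer ` prefix from the Authorization header and passes the remainder to `authenticate`. Keeping a single `JwtConsumer` instance per application (as above) matters: the JWKS cache lives inside the `HttpsJwks` object, so constructing a new validator per request would defeat the caching the guide describes.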
REST APIs are hosted on a separate, dedicated instance of Tomcat. This instance has a different URL (for example, https://archibus-worker.serranew.com/archibus/), and does not handle requests from web UI clients, mobile clients, or Smart Client.
The same instance runs scheduled workflow rules.