Migration from `apikey` to `JWT` authentication

The Cloud Agent authentication supports multiple authentication methods simultaneously, which means the user can seamlessly use any available credentials including apikey or JWT to access the wallet. The agent's UMA permission resource also exposes the self-service permission endpoint, allowing users to manage the permissions for their wallets. It allows users to transition from apikey to JWT authentication without admin intervention.

Roles

In the migration process from apikey to JWT, there is only one role:

Tenant

Prerequisites

Keycloak up and running
Keycloak is configured the same as in Tenant Onboarding Self-Service
The Cloud Agent is up and running
The Cloud Agent is configured the same as in Tenant Onboarding Self-Service
The user has access to the wallet using apikey. (See Tenant Onboarding)
The user has an account registered on Keycloak

Overview

This tutorial outlines the steps to transition from apikey to JWT authentication. Initially, users have wallet access through the apikey method. To migrate to JWT authentication, users can create a new UMA permission for their wallet and grant permission to their Keycloak account.

Endpoints

Agent endpoints

Endpoint	Description	Role
`GET /wallets`	List the wallets on the Cloud Agent	Tenant
`POST /wallets`	Create a new wallet on the Cloud Agent	Tenant
`POST /wallets/{walletId}/uma-permissions`	Create a uma-permission for a wallet	Tenant
`GET /did-registrar/dids`	List the DIDs inside the wallet	Tenant

Keycloak endpoints

Endpoint	Description	Role
`POST /realms/{realm}/protocol/openid-connect/token`	Issue a new JWT token	Tenant

Tenant interactions

1. Check the existing wallets using `apikey`

This tutorial assumes the tenant can access the wallet using apikey. Before granting more permission to the wallet, the walletId must be identified. To find the wallet, list them using apikey.

curl -X 'GET' \
  'http://localhost:8080/cloud-agent/wallets' \
  -H 'accept: application/json' \
  -H "apikey: my-tenant-token"

Make sure to use the correct apikey from the pre-requisite.

Response Example:

{
  "self": "/wallets",
  "kind": "WalletPage",
  "pageOf": "/wallets",
  "contents": [
    {
      "id": "99734c87-5c9d-4697-b5fd-dea4e9590ba7",
      "name": "my-wallet",
      "createdAt": "2023-01-01T00:00:00Z",
      "updatedAt": "2023-01-01T00:00:00Z"
    }
  ]
}

2. Get the access token on keycloak

Run this command to log in and get the access token

curl -X 'POST' \
  'http://localhost:9980/realms/my-realm/protocol/openid-connect/token' \
  -d "grant_type=password" \
  -d "client_id=admin-cli" \
  -d "username=alice" \
  -d "password=1234"

Make sure to use the correct username and password. Special attention on the client_id; this should be the actual client_id of the frontend application that logs the user in. For this tutorial, it is OK to use admin-cli

Example token response (some fields omitted for readability)

{
    "access_token": "eyJhbGciOi...7ocDHofUDQ",
    "refresh_token": "eyJhbGciOi...otsEEi4eQA",
    ...
}

3. Extract the subject ID from JWT

When creating a UMA permission, it is important to provide the subject ID to grant permission. To get the subject ID of the tenant, one can inspect the JWT payload sub claim.

Run this command to extract the sub claim of the token from previous step.

echo 'eyJhbGciOi...7ocDHofUDQ' | cut --delimiter='.' --fields=2 | base64 --decode | jq -r '.sub'

Example result

4a5c6ac9-12f5-4d1e-b8f2-667525c083fd

4. Grant the user permission to the wallet

UMA permission can be added to the current wallet, giving Keycloak users access. To do this, invoke the POST /wallets/{walletId}/uma-permissions endpoint on the agent.

curl -X 'POST' \
  'http://localhost:8080/cloud-agent/wallets/99734c87-5c9d-4697-b5fd-dea4e9590ba7/uma-permissions' \
  -v \
  -H 'accept: */*' \
  -H "apikey: my-tenant-token" \
  -H 'Content-Type: application/json' \
  -d '{
    "subject": "205e04b7-0158-41b0-89c3-f91c3a09f89b"
  }'

Make sure to use the correct subject for the user and the correct walletId from the step earlier.

The response should return the status 200 OK in case of successful permission creation.

5. Perform a simple action to verify access to the Cloud Agent

After successful UMA permission creation, the user should be able to use the JWT token to authenticate the wallet. List the wallet using a new Authorization header. The listed wallets should contain the wallet with the same ID in step 1.

curl -X 'GET' \
  'http://localhost:8080/cloud-agent/wallets' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer eyJhbGciOi...7ocDHofUDQ'

Make sure to use the correct JWT from step 2.

Response Example:

{
  "self": "/wallets",
  "kind": "WalletPage",
  "pageOf": "/wallets",
  "contents": [
    {
      "id": "99734c87-5c9d-4697-b5fd-dea4e9590ba7",
      "name": "my-wallet",
      "createdAt": "2023-01-01T00:00:00Z",
      "updatedAt": "2023-01-01T00:00:00Z"
    }
  ]
}

This response indicates that the user should be able to perform any wallet interaction with the JWT and apikey interchangeably.

Migration from apikey to JWT authentication

Roles​

Prerequisites​

Overview​

Endpoints​

Agent endpoints​

Keycloak endpoints​

Tenant interactions​

1. Check the existing wallets using apikey​

2. Get the access token on keycloak​

3. Extract the subject ID from JWT​

4. Grant the user permission to the wallet​

5. Perform a simple action to verify access to the Cloud Agent​