JWT Authentication
The Drupal API Authentication module works by sending a JWT along with your API requests for authentication. It uses JSON Web Token (JWT), an open standard for securely representing user identity between two parties.
In this flow, the username and password of a Drupal user are first exchanged for a JWT. Once the credentials are verified, the Drupal REST API Authentication module creates a signed JSON Web Token and returns it to the client application.
Once you have received the JWT, you can use it to perform operations in Drupal until it expires. The Drupal REST API Authentication module grants access only when it receives a valid JWT from the application.
A JWT can be signed and validated using two algorithm families: HMAC (HS256) and RSA (RS256).
Let's see how we can use a JWT token for API authentication in Drupal.
Pre-requisites: Download and Installation:
- Download & install the Drupal REST & JSON API Authentication module.
- REST UI: This module provides you with a user interface for configuring the REST module.
- Enable the following Web Services modules from under the Extend section (/admin/modules) of your Drupal site:
- REST UI
- RESTful Web Services
- Serialization

Enable the API and assign methods and operations as follows:
- The first step is to enable the API and also assign methods and operations allowed on that particular API. This can be done using the REST UI module, or you can modify the config.
- To enable the API using the REST UI module, click on the Configure button of the REST UI module.

- Considering our example, we want to enable the /node/{node} API present under the Content section. Enable this API using the Enable option in front of it.

- Now, as our goal is to create a basic page on Drupal, select the following configs:
- Method: POST
- Format: json
- Authentication provider: rest_api_authentication
- Selecting rest_api_authentication allows the miniOrange REST API Authentication module to authenticate your API. Click the Save configuration button to continue.

Setup JWT-Based API Authentication:
- In this step, we will configure JWT as the API Authentication method. To do this, go to the API Authentication tab of the REST API Authentication module. (/admin/config/people/rest_api_authentication/auth_settings)
- Under Basic Configuration, enable the Enable Authentication checkbox.
- Enter the Application Name and select JWT from the Authentication Method section.

- Scroll down to the JWT Configuration section on the same tab.
- In the Username Attribute field, enter the attribute name from the received JWT that contains the Drupal username.
- Select Signing Algorithm from the dropdown.
- Optional: Enter the desired expiry duration (in minutes) under Token Expiry Time.
For External JWT:
- JWKS URI: If you want to use an external JWT token, provide the JWKS URI to validate it in Drupal.
- Certificate/Secret Key: Provide a certificate if RS256 is selected, or a secret key if HS256 is selected.
Generate Custom Keys:
Note: You can enter the keys manually or generate keys. These keys will be used to sign and verify the JWT tokens.
- Private Key: Enter the private key for JWT, or generate a new key.
- Public Key: Enter the public key for JWT, or generate a new key.
- Click the Save Configuration button.

- You have successfully configured the JWT Authentication method.
Note: Use the application-specific unique header (AUTH-METHOD, carrying your Application Name) when authenticating the API.

Grant permissions to Drupal roles to create a page:
- If you require, you can also grant non-admin Drupal roles permission to create a basic page. You can do so by assigning Drupal roles to the Basic page: Create new content permission from under the permission section (/admin/people/permissions) of your Drupal site.

That’s it! Now, let’s create a Basic page through an API call using JWT for authentication.
- First, we need to make an API call to obtain a JWT. We will then use this token to authenticate the Drupal API for creating a Basic page.
- We can obtain the JWT by making a POST request that carries the user's Drupal Username and Password as a base64-encoded username:password pair in a Basic Authorization header. You can refer to the below request format for reference.
HTTP Request Format:
Request: POST <your_drupal_base_url>/rest_api/id_token
Headers:
Accept: application/json
Authorization: Basic <base64-encoded username:password>
cURL Request Format:
curl --location --request POST '<your_drupal_base_url>/rest_api/id_token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <base64-encoded username:password>'
- You can also refer to the Postman request image shown below.

- A successful response returns the JWT along with its token expiry. (Please refer to the image below)

Example:
- For better understanding, we will demonstrate an example of adding JWT-based authentication to create a Basic page in Drupal using the /node API.
- To create a basic page in Drupal, you need to make a POST request using the received JWT or External JWT as a Bearer token in the Authorization Header. Refer to the example below for making the call.
HTTP Request Format:
Request: POST <drupal_base_url>/node?_format=json
Headers:
AUTH-METHOD: application_id
Accept: application/json
Authorization: Bearer <received_JWT>
Body:
{
  "type": [
    {"target_id": "page"}
  ],
  "title": [
    {"value": "Drupal Rest API Authentication"}
  ],
  "body": [
    {"value": "Page created using the JWT Authentication."}
  ]
}
cURL Request Format:
curl --location --request POST '<drupal_base_url>/node?_format=json' \
--header 'AUTH-METHOD: application_id' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <received_JWT>' \
--data-raw '{
  "type": [
    {"target_id": "page"}
  ],
  "title": [
    {"value": "Drupal Rest API Authentication"}
  ],
  "body": [
    {"value": "Page created using the JWT Authentication."}
  ]
}'
- You can also refer to the Postman request for the same:

- A successful response would look something like:

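The two-step flow above (Basic credentials to /rest_api/id_token, then the JWT as a Bearer token on /node) as a single client script, written here as an added example rather than code from the module or its documentation. The base URL, Application Name, credentials and the JSON key under which the token is returned are assumed placeholders, since the page does not name that key.

```python
import base64
import json
import urllib.request

BASE_URL = "https://example.com"   # placeholder for <your_drupal_base_url>
APPLICATION_ID = "my_app"          # placeholder: the Application Name configured in the module
TOKEN_KEY = "token"                # assumption: JSON key holding the JWT in the id_token response


def basic_auth_value(username, password):
    """Build the Basic credential /rest_api/id_token expects (base64 of username:password)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def token_request(base_url, username, password):
    """POST /rest_api/id_token with Basic credentials; the response carries the signed JWT and its expiry."""
    headers = {"Accept": "application/json", "Authorization": basic_auth_value(username, password)}
    return urllib.request.Request(f"{base_url}/rest_api/id_token", method="POST", headers=headers)


def node_payload(title, body_text):
    """Body for creating a Basic page, matching the request body shown on this page."""
    return {
        "type": [{"target_id": "page"}],
        "title": [{"value": title}],
        "body": [{"value": body_text}],
    }


def node_request(base_url, application_id, jwt, title, body_text):
    """POST /node?_format=json with the JWT as a Bearer token and the AUTH-METHOD header."""
    headers = {
        "AUTH-METHOD": application_id,   # application-specific header the module requires
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Bearer {jwt}",
    }
    data = json.dumps(node_payload(title, body_text)).encode()
    return urllib.request.Request(f"{base_url}/node?_format=json", data=data, method="POST", headers=headers)


def create_page(base_url, application_id, username, password, title, body_text):
    """Run both steps against a live site (needs network access and valid credentials)."""
    with urllib.request.urlopen(token_request(base_url, username, password)) as resp:
        jwt = json.load(resp)[TOKEN_KEY]
    with urllib.request.urlopen(node_request(base_url, application_id, jwt, title, body_text)) as resp:
        return json.load(resp)   # the created node, as Drupal returns it


if __name__ == "__main__":
    print(create_page(BASE_URL, APPLICATION_ID, "alice", "s3cret", "Drupal Rest API Authentication",
                      "Page created using the JWT Authentication."))
```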
Error Responses and Possible Solutions:
| Error | Description |
|---|---|
| MISSING_HEADER | You will get this error if you don't send the unique header in the API request, or if your server removes it for some reason. |
| MISSING_AUTHORIZATION_HEADER | You will get this error whenever you don't send an Authorization header in the API request, or if it was removed by your server for some reason. |
| INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE | You will get this error when you send the Authorization header but the token type is not Bearer. |
| TOKEN_EXPIRED | You will get this error when you send the Authorization header but the access token has expired. |
| USER_INFORMATION_NOT_FOUND | You will get this error when the module fails to retrieve the user information. |
| INVALID_SIGNATURE | You will get this error when the token signature is not valid. |
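To show what the signature and expiry checks behind these error codes actually do, here is an added example (not the module's own code, whose verification logic the page does not show) that mints an HS256-signed JWT with a secret key and expiry, as the HS256 option in the JWT Configuration section does, and then validates a Bearer Authorization header, returning the same error names as the table above. The secret, claims and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Mint a compact JWT (header.payload.signature) signed with HS256 over the shared secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_bearer(authorization, secret, now=None):
    """Return ("ok", claims) or (error_code, None), using the error names from the table above."""
    if authorization is None:
        return "MISSING_AUTHORIZATION_HEADER", None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return "INVALID_AUTHORIZATION_HEADER_TOKEN_TYPE", None
    parts = token.split(".")
    if len(parts) != 3:
        return "INVALID_SIGNATURE", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: only the configured HS256 is accepted, never whatever the token claims.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return "INVALID_SIGNATURE", None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison; the signature is verified before any claim is trusted.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return "INVALID_SIGNATURE", None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return "INVALID_SIGNATURE", None
    now = time.time() if now is None else now
    # A token without exp, or past it, is rejected; this is what Token Expiry Time bounds.
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        return "TOKEN_EXPIRED", None
    return "ok", claims
```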
Congratulations! You can now authenticate any calls to your Drupal APIs using JWT-based authentication.
We hope you found this document useful and informative.
Contact our 24*7 support team
Feel free to reach out to our Drupal experts if you need any sort of assistance in setting up REST & JSON API Authentication on your Drupal site.