Configure and use your organization’s custom OAuth 2 applications using JWT flow
In order to integrate with Workfront and allow your client app to communicate with Workfront on behalf of the user, you must:
- Create an OAuth2 application
- Create a Public Key Certificate
- Create a JSON Web Token (JWT)
Create an OAuth2 Application
For instructions on creating the OAuth2 application, see Create an OAuth2 application using server authentication (JWT flow) in Create OAuth2 applications for Workfront integrations
Create a Public Key Certificate
The JWT must be signed and base-64 encoded for inclusion in the access request. The JWT libraries provide functions to perform these tasks.
The token must be signed using the private key for a digital signing certificate. If you do so, you can use the private key of any associated certificate to sign your JWT.
The algorithm used is RS256Â (RSA Signature with SHA-256). This is an asymmetric algorithm, and it uses a public/private key pair. The identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature.
To generate the public key, do one of the following.
-
Open your MacOS/Linux terminal and execute the following command, then upload
certificate_pub.crt
using the Add public key button in the OAuth2 application setup in Workfront.code language-none openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout private.key -out certificate_pub.crt
-
Use the Generate a public/private keypair button in the OAuth2 application setup in Workfront to generate the RSA.
Create a JSON Web Token
A JSON Web Token for Service Account authentication requires a particular set of claims, and must be signed using a valid digital signing certificate. We recommend that you use one of the publicly available libraries or tools for building your JWT.
The following table contains information about fields that may be required when you are configuring the JWT token.
Exchange the JWT to retrieve an access token
-
Send a POST request to:
code language-none https://yourdomain.my.workfront.com/integrations/oauth2/api/v1/jwt/exchange
-
The body of the request should contain URL-encoded parameters with your Client ID, Client Secret, and JWT:
code language-none client_id={client_id_value}&client_secret={client_secret_value}&jwt_token={base64_encoded_JWT}