Bearer Authentication

This topic explains how to set up Bearer authentication in PI Web API using the OpenID Connect protocol.

Background

OpenID Connect is an authentication protocol supported by many identity providers. When configured, PI Web API accepts an access token in the Authorization header of a request; the token carries, or resolves to, claims about the identity established with the provider. The configured UPN claim is used to obtain a Windows identity through the Claims to Windows Token Service (C2WTS) that is set up on the PI Web API server. That Windows identity is then used, as with the other authentication protocols, to control access to the AF and Data Archive servers.

Clients obtain an access token either in a browser, using the OpenID Connect hybrid flow, or on a server, using the resource owner (password credentials) flow. When making requests, an Authorization header is added in the same manner as for Basic authentication, with the scheme Bearer instead of Basic. The following is an example of a browser-based call using an already obtained access token (the user object is the signed-in user returned by an OpenID Connect client library):

    // "user" is the signed-in user object returned by an OpenID Connect
    // client library; its access_token is sent as a Bearer token.
    var url = "https://localhost/piwebapi/system/userinfo";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", url);
    xhr.onload = function () {
        // A 401 here means the token was rejected (expired, wrong audience,
        // or Bearer authentication not enabled on the server).
        console.log(xhr.status, xhr.status === 200 ? JSON.parse(xhr.responseText) : xhr.responseText);
    };
    xhr.onerror = function () {
        console.error("request failed", xhr.status);
    };
    xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
    xhr.send();

More information about OpenID Connect can be found here:

A JavaScript client library for OpenID Connect can be found here:

Access tokens that are JWTs with the user claims embedded in the token can be validated and used directly by enabling a configuration flag. Otherwise, PI Web API sends the access token to the identity provider's UserInfo endpoint to retrieve the set of user claims. In the embedded-claims case the claims are only as trustworthy as the token validation that precedes them (signature, issuer, audience and expiry), which is why the issuer must be configured correctly.

Support for identity providers that do not support CORS for metadata

When the identity provider cannot be configured to serve its metadata with CORS headers, browser-based clients cannot fetch the OpenID Connect configuration and JWKS documents from it directly. In that case PI Web API can act as a relay that retrieves the configuration and jwks information from the identity provider on the browser's behalf; the browser obtains them from PI Web API once the BearerIssuer setting is configured.

Configuration Settings

By default, Bearer authentication is disabled in PI Web API. To use it, the Claims To Windows Token Service (C2WTS) must be started and configured on the PI Web API server. To enable Bearer authentication or change authentication settings, choose one of the following actions:

The following Bearer authentication configuration items are available in PI Web API:
