Domino uses the OpenID Connect (OIDC) protocol to generate user-specific JWT tokens, or Domino Tokens. Domino securely signs this Domino token and makes it available in your Workspace, Job, App, Scheduled Job, or Launcher. You can use it to authenticate to third-party resources or data sources. Additionally, this token can be used to authenticate with the Domino API.
Because the token is short-lived and Domino automatically refreshes it, an example of when you can use it is if you want to limit a user’s access to a data source exclusively from Domino. This has security advantages over provisioning long-lived keys that can be used anywhere or by anyone.
To disable this feature, your administrator must add the central configuration key com.cerebro.domino.auth.refreshTokenInRun.enabled
and set it to false
.
They must restart services for the changes to take effect.
This does not require downtime.
Workspaces, Jobs, Apps, Scheduled Jobs, and Launchers have a Domino Token for the user.
This is at path /var/lib/domino/home/.api/token
.
This is indicated by environment variable DOMINO_TOKEN_FILE
.
By default, the Domino Token expires at five minutes, but is automatically refreshed throughout your workspace or job.
For example, from a workspace, you can authenticate to one of the Domino APIs with the following:
TOKEN=`cat $DOMINO_TOKEN_FILE`
curl -H "Authorization: Bearer $TOKEN" $DOMINO_API_HOST/v4/users/self
Each system will have different steps for configuration but will likely require that you enter Domino’s JWKS endpoint which is
<Domino URL>/auth/realms/DominoRealm/protocol/openid-connect/certs>
.
For offline services, retrieve and record the JWKS data to use offline with your library.
Alternatively, you can use the public key or certificate which can be found at <Domino URL>/auth/realms/DominoRealm
.
See JSON Web Key Sets to learn more about JWKS.
By default, the Domino Token contains standard claims like name, username, and email, but you add mappers in the domino-play
client in Keycloak to include additional custom claims.
This can be useful if you intend to set up bounded claims in the system to which you are integrating.
For example, you might want to only authorize users with a specific organization claim or any other SAML assertion that flows into Domino from your Identity Provider.
See JWT.io for information about decoding and inspecting the content of a JWT token.