Setup JWT Authentication in Drupal

The Drupal API Authentication module uses JSON Web Tokens (JWT) to securely authenticate API requests. First, your Drupal username and password are verified to generate a signed JWT, which is then returned to the client. This token can be used to access Drupal APIs until it expires. JWT supports both HMAC (HS256) and RSA (RS256) algorithms for signing and validation. This module is fully compatible with Drupal 8, Drupal 9, Drupal 10, and Drupal 11.

Using Composer:

  • Download the module:
    composer require 'drupal/rest_api_authentication'
  • Navigate to the Extend menu on your Drupal admin console and search for REST & JSON API Authentication using the search box.
  • Enable the module by checking the checkbox and clicking the Install button.
  • You can configure the module at:
    {BaseURL}/admin/config/people/rest_api_authentication/auth_settings

Using Drush:

  • Install the module:
    drush en rest_api_authentication
  • Clear the cache:
    drush cr
  • You can configure the module at:
    {BaseURL}/admin/config/people/rest_api_authentication/auth_settings
Note: Manual installation is only compatible with Drupal 7, Drupal 8, and Drupal 9.


  • Navigate to the Extend menu on your Drupal admin console and click on Install new module.
  • Install the Drupal miniOrange API Authentication module either by downloading the zip or from the URL of the package (tar/zip).
  • Click on Enable newly added modules.
  • Enable this module by checking the checkbox and clicking the Install button.
  • You can configure the module at:
    {BaseURL}/admin/config/people/rest_api_authentication/auth_settings
  • REST UI: This module provides a user-friendly interface to configure the REST module.
  • Enable the following Web Services modules from the Extend section (/admin/modules) of your Drupal site:
    • JSON:API
    • REST UI
    • RESTful Web Services
    • Serialization
[Image: Drupal API Authentication install the modules]

  • The first step is to enable the API and assign the methods and operations allowed for that API. This can be done using the REST UI module, or by directly modifying the Drupal config.
  • Click on the Enable API button.
  • To enable the API using the REST UI module, click the Configure button (as shown below).
[Image: Drupal API Authentication REST UI Configure]

  • In our example, we need to enable the /entity/user API. To do this, click the Enable option in front of it.
[Image: Drupal API Authentication user resources]

  • Since our goal is to create a user in Drupal, select the following configurations:
    • Method: POST
    • Format: JSON
    • Authentication Provider: rest_api_authentication
  • This allows the miniOrange API Authentication module to authenticate the API. Click the Save Configuration button to continue.
[Image: Drupal API Authentication Resource Settings]

  • In this step, we will set up JWT as the API authentication method. To do this, go to the API Authentication tab of the module (/admin/config/people/rest_api_authentication/auth_settings).
    • Under Basic Configuration, enable the Enable Authentication toggle.
    • Enter the Application Name and select JWT from the Authentication Method section.
[Image: Drupal API Authentication enable basic authentication]

  • Scroll down to the JWT Configuration section on the same tab.
    • In the Username Attribute field, enter the attribute name from the received JWT that contains the Drupal username.
    • Select Signing Algorithm from the dropdown.
    • Optional: Enter the desired expiry duration (in minutes) under Token Expiry Time.
    • JWKS URI: If you want to use an external JWT token, provide the JWKS URI to validate it in Drupal.
    • Certificate/Secret Key: Provide a certificate if RS256 is selected, or a secret key if HS256 is selected.
    Note: You can enter the keys manually or generate keys. These keys will be used to sign and verify the JWT tokens.


    • Private Key: Enter the private key for JWT, or generate a new key.
    • Public Key: Enter the public key for JWT, or generate a new key.
    • Click the Save Configuration button.
    [Image: Drupal API Authentication Enter Username to create API key]

    • You have successfully configured the JWT Authentication method.
      Note: Use the application-specific unique header when authenticating the API.

    [Image: Drupal API Authentication basic authentication method configured successfully]
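What the JWT Configuration fields above (Signing Algorithm, Secret Key, Token Expiry Time, Username Attribute) mean for a verifier, shown as an added Python example that is not the module's own code. It assumes HS256, a standard `exp` claim, and a username attribute called `name`; the secret, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac_hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT; used here only to build the sample token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(mac_hs256(f"{head}.{body}", secret))

def verify_hs256(token: str, secret: bytes, username_attr: str, now: float) -> str:
    """Return the username claim, or raise ValueError naming why it was rejected."""
    try:
        head, body, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        sig = b64url_decode(sig_b64)
    except Exception as exc:  # wrong segment count, bad base64, non-object header
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the configured one; never let the header choose it.
    if alg != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, mac_hs256(f"{head}.{body}", secret)):  # constant time
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # parsed only after the MAC checks out
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    username = claims.get(username_attr)
    if not isinstance(username, str) or not username:
        raise ValueError("username attribute missing")
    return username

def outcome(token: str, secret: bytes, username_attr: str, now: float) -> str:
    try:
        return "ok:" + verify_hs256(token, secret, username_attr, now)
    except ValueError as exc:
        return str(exc)

# Constructed sample values, not taken from any real site.
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000
GOOD = sign_hs256({"name": "alice", "exp": NOW + 10 * 60}, SECRET)  # 10-minute expiry
```

A token is accepted only when the pinned algorithm, the signature, the expiry and the configured username attribute all check out; a wrong Username Attribute setting fails closed rather than mapping to some other account.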

    • First of all, we have to make an API call to get a JWT. We will then use that token to authenticate Drupal API for creating a user.
    • We can obtain the JWT by making a POST request containing the user’s Drupal username and password, sent base64-encoded in the Authorization header. Refer to the request format below.
    • Request: POST <your_drupal_base_url>/rest_api/id_token
      
      Header:  
      
                  Accept:  application/json
                  Authorization: Basic base64encoded <username:password>
               
      
      CURL Request Format-
      
                  curl --location --request POST '<your_drupal_base_url>/rest_api/id_token' \
                  --header 'Accept: application/json' \
                  --header 'Content-Type: application/json' \
                  --header 'Authorization: Basic base64encoded <username:password>'
      
    • You can also refer to the Postman request image shown below
    [Image: Drupal API Authentication basic authentication method configured successfully]

    • A successful response returns the JWT along with its token expiry. (please refer to the image below)
    [Image: Drupal API Authentication JWT Token configured successfully]

    • For better understanding, let’s look at an example of using JWT Token to create a user in Drupal with the REST API.
      Note: The /entity/user API in Drupal is used to create a new user.


    • To create a user in Drupal, you need to make a POST request using the received JWT or External JWT as a Bearer token in the Authorization Header. Refer to the example below for making the call.
    • HTTP Request Format-
      
      Request: POST  <your_drupal_base_url>/entity/user?_format=json
      
      Header:      
                   AUTH-METHOD: application_id
                   Accept: application/json
                   Content-Type: application/json
                   Authorization: Bearer received_JWT
      
      Body: 
      
                      {
                      "name": {
                          "value": "<username>"
                      },
                      "mail": {
                          "value": "<email>"
                      },
                      "pass": {
                          "value": "<password>"
                      },
                      "status": {
                          "value": "1"
                      }
                      }
      
      CURL Request Format-
      
      curl --location --request POST '<your_drupal_base_url>/entity/user?_format=json' \
                      --header 'AUTH-METHOD: application_id' \
                      --header 'Accept: application/json' \
                      --header 'Content-Type: application/json' \
                      --header 'Authorization: Bearer <received_JWT>' \
                      --data-raw '
                      {
                      "name": [
                          { "value": "Username" }
                      ],
                      "mail": [
                          { "value": "email" }
                      ],
                      "pass": [
                          { "value": "Password" }
                      ],
                      "status": [
                          { "value": "1" }
                      ]
                      }'
      
    • You can also refer to the Postman request image shown below
    [Image: Drupal API Authentication Postman request]

    [Image: Drupal API Authentication Postman body request]

    • A successful response will return the details of the user you created (see the image below).
    [Image: Drupal API Authentication Postman Response created user]

    Congratulations! You have successfully set up the JWT Authentication method using the Drupal API Authentication module.

    If the configuration was not successful, please contact us at drupalsupport@xecurify.com. Kindly include a screenshot of the error window, and we will assist you in resolving the issue and guide you through the setup.
