
HTTP Basic authentication is deprecated in the Jamf Classic API

Open UniversalSuperBox opened this issue 3 years ago • 0 comments

According to Basic Authentication - Classic API Authentication Changes on the Jamf API documentation, HTTP Basic authentication to the Classic API is deprecated and could be removed from Jamf as early as August.

There appear to be a couple of places where JAWA uses Basic authentication:

https://github.com/jamf/JAWA/blob/fbfdaf17b4f2d1370a92f396a2df927bcf1681e7/views/jamf_webhook.py#L383-L390

https://github.com/jamf/JAWA/blob/fbfdaf17b4f2d1370a92f396a2df927bcf1681e7/views/webhook_view.py#L49-L53

For Jamf versions >=10.35.0, JAWA can use a bearer token instead. The login route should be changed to post to /v1/auth/token. The generated token and its expiry time can be stored in the client-side session cookie (which is how the username and password are stored right now). The wrinkle, then, is getting JAWA to renew the token when needed. Either on every request or when the token is close to expiring, request /v1/auth/keep-alive to get a new token and store it in the cookie.

UniversalSuperBox, May 09 '22 14:05
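The token flow proposed in this issue, written out as an added example (not JAWA's code and not part of the original issue): log in once with Basic credentials, keep only the token and its expiry, and renew through keep-alive when the token is close to expiring. Assumptions: `api_base` is the root under which `/v1/auth/token` lives, the responses carry `token` and `expires` (ISO 8601 UTC) fields, an expired token cannot be renewed, the five-minute margin is arbitrary, and the `session` dict stands in for the session cookie.

```python
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

RENEW_MARGIN = timedelta(minutes=5)  # assumed threshold for "close to expiring"

def http_post(url, headers):
    """POST with an empty body and return the decoded JSON response."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def _parse_expiry(value):
    # Assumed format: ISO 8601 UTC, e.g. "2022-05-09T15:00:00.000Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def login(api_base, username, password, session, post=http_post):
    """Exchange credentials for a bearer token; the password is never stored."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    body = post(f"{api_base}/v1/auth/token", {"Authorization": f"Basic {basic}"})
    session["token"], session["expires"] = body["token"], body["expires"]

def bearer_headers(api_base, session, post=http_post, now=None):
    """Return headers for an API call, renewing the token if it is near expiry."""
    now = now or datetime.now(timezone.utc)
    expires = _parse_expiry(session["expires"])
    if now >= expires:
        # Assumption: keep-alive rejects an expired token, so force a new login.
        session.clear()
        raise PermissionError("token expired, login required")
    if expires - now <= RENEW_MARGIN:
        body = post(f"{api_base}/v1/auth/keep-alive",
                    {"Authorization": f"Bearer {session['token']}"})
        session["token"], session["expires"] = body["token"], body["expires"]
    return {"Authorization": f"Bearer {session['token']}"}
```

Every outgoing Classic API request would then take its `Authorization` header from `bearer_headers`, so renewal happens in one place instead of in each view.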