Forum Discussion

STARFLEET
Expert
7 years ago

How to create restapi.session_key programmatically without the user password as a parameter?

Hi all,

We have connected our own eIdP solution (Lithium Professional Services extended the existing Lithium SSO plugin), which works fine.


The problem:

As the user password is no longer stored in Lithium but in the eIdP, we cannot use the default API (/restapi/vc/authentication/sessions/login) to create restapi.session_key in order to do API calls within the scope of the user. Always creating custom endpoints to create topics on behalf of the user is not the ideal world, and not all API methods can always handle things on behalf of the user.

As we have a custom SSO, it is also not possible to use the default access token concept of Lithium, which is the correct solution for doing API calls without having the user password stored locally in Lithium.


Solution idea:

Our own eIdP is also using access tokens based on JWT.

The idea is to create a custom endpoint (similar to the default /restapi/vc/authentication/sessions/login), but instead of using the user.password parameter we would use the JWT token (which contains all relevant user information encrypted as a JWT token) to get a valid user-based restapi.session_key.


Challenges and questions:

- The first question to you guys is whether there is an API or li FreeMarker method to create restapi.session_key, or what kind of alternatives can be used?

- Is there an already available FreeMarker library within Lithium to decrypt JWT tokens?


Thank you for your time and help in advance...
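Added example (not from the poster, Lithium or the eIdP): the validation a custom endpoint would have to perform before exchanging an eIdP JWT for a user session, since a token that is merely decoded rather than verified would let anyone mint sessions for any user. It assumes an HS256-signed JWT with a secret shared between eIdP and endpoint, and constructed issuer/audience values; the final step of creating restapi.session_key for `claims["sub"]` is the open platform question in the post and is not shown.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this example (not Lithium's or any real eIdP's config).
SHARED_SECRET = b"constructed-shared-secret-change-me"   # HS256 key shared by eIdP and endpoint
EXPECTED_ISS = "https://eidp.example.invalid"            # the only issuer the endpoint accepts
EXPECTED_AUD = "community-session-endpoint"              # audience value naming this endpoint

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_sso_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the eIdP: issue a compact HS256 JWT (used here only to build test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_sso_jwt(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm server-side: the token must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Verify the signature before trusting any claim; constant-time comparison.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or expired exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims   # the endpoint would now create the session for claims["sub"]
```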

