Version: 9.0

Authorization

The web service endpoints of the webPDF SOAP API are not protected in the default installation, i.e. anonymous access to the endpoints is possible.

To restrict the endpoints to authorized callers, authorization must be enabled in the configuration. To do this, disable anonymous access in the configuration in the Admin Portal. The SOAP web services can then only be used with user authentication or an external OAuth2 provider.

Authorization by user authentication is based on the configured user source of the server and the local authorization. For each call of the SOAP web services, the user credentials must be passed in the Authorization header of the SOAP request as basic authentication (RFC 7617).

Example: Authorization: Basic YWRtaW46YWRtaW4=

Alternatively, authorization by an external OAuth2 provider can be used. This must be configured via the Admin Portal under "Server -> OAuth". An access token issued by the OAuth2 provider can then be used to authorize calls to the SOAP web services. The access token is passed in the "Authorization" header as "Bearer [Access token]".

Example: Authorization: Bearer eyJraWQiOiJyb3ZZTFQ4TXgwcTd1WW1i ... CO2TLHCiQCsuMf-1Vw

Caution

The request for the access token must be handled by the client application. The server only validates the token of the OAuth2 provider based on the configuration.

If SOAP web services authorization is enabled and invalid data is passed in the "Authorization" header, calling a SOAP web service results in the error message "401 Unauthorized".

Token format

Access tokens that originate from external OAuth providers and are to be understood by the server must be JSON Web Tokens (JWT).

The access tokens must be digitally signed, i.e. they must be "JSON Web Signature" (JWS) tokens. The signature must be based on RSA cryptography (consisting of a public and private key).
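
Added example (not webPDF's own code): a Python client-side helper that builds both Authorization header forms described above and checks that an access token is a compact JWS with an RSA algorithm before it is sent. The function names, the constructed sample token and the RFC 7518 algorithm list are assumptions; the page only states that the signature must be RSA-based, and this check does not verify the signature.

```python
import base64
import json

# RSA-based JWS algorithms from RFC 7518. Assumption: the page only says "RSA";
# which of these the server accepts is not stated there.
RSA_JWS_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def basic_header(user: str, password: str) -> str:
    """RFC 7617: base64("user:password"). Encoding only, not encryption."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_token_format(token: str) -> str:
    """Return the JWS 'alg' if the token is a compact JWS with an RSA alg."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a signed compact JWS (header.payload.signature)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError("JOSE header is not base64url-encoded JSON") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in RSA_JWS_ALGS:
        raise ValueError(f"alg {alg!r} is not an RSA signature algorithm")
    return alg


def bearer_header(token: str) -> str:
    check_token_format(token)  # format check only; signature is not verified
    return "Bearer " + token


def constructed_token(alg: str) -> str:
    # Constructed sample: valid header/payload structure, dummy signature.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "example-user"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"
```

`basic_header("admin", "admin")` reproduces the Basic value shown in the example above, which shows that the header carries the credentials in reversible Base64 form.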