Help

Jamf Pro API Bearer Token Woes

ajanicke
New Contributor III

Posted on ‎12-01-2023 12:07 PM

This might be more of a rant than anything.

I've spent my day just simply trying to get a script together for our Cart devices to rename the devices to the Bar Code 1 value since those don't change through restores and would enable my techs to just restore the device and put it back in the cart. Zero touch beyond actually restoring the device.

For completionist sake I did get it to work fully as expected!

Come to find out the bearer token you need to generate only lasts for 30 minutes meaning that hard coded credentials either get passed via the script or in the $4 $5 fields.

I kind of get the idea behind only having a 30 minute token but you really can't make it any longer? For instance doing the restores on the carts only take about 2 or 3 days. I can't just set it for 5 days then just regen a new token every summer?

Am I just looking at this the wrong way?

0 Kudos
6 REPLIES 6

sdagley
Esteemed Contributor II

Posted on ‎12-01-2023 01:19 PM

@ajanicke You should take a look at the new Client Credentials mechanism for accessing the Jamf Pro API that was added in JSS 10.49: https://developer.jamf.com/jamf-pro/docs/client-credentials

0 Kudos

ajanicke
New Contributor III
In response to sdagley

Posted on ‎12-04-2023 05:36 AM

Unfortunately we're still on 10.44 but reading through it seems it's the same situation where you only get "short lived access token" instead of real access that can be used for production purposes. Seems the API is used more for running really in depth reports due to the time out of the access token and constantly having to refresh it.

0 Kudos

AJPinto
Honored Contributor II

Posted on ‎12-04-2023 06:00 AM

If I am not mistaken if you are still on prem you can change the token time out in the JAMF configuration files. We moved to cloud some time back, so I'm not sure if this is still current information.

0 Kudos

ajanicke
New Contributor III
In response to AJPinto

Posted on ‎12-04-2023 06:29 AM

Now that could be what I need. I'll take a look if I can find it. I think we're going to try to upgrade to 11 over the summer if time permits.

0 Kudos

B_Hanson
New Contributor III
New Contributor III
In response to ajanicke

Posted on ‎12-04-2023 02:41 PM

The token itself should be short-lived and expired after each use, but the credentials that generate the token don't really change unless you change them/regenerate (ie, how an API secret or credential should behave). So rather than using a temporary (by design) "Bearer Token", use API clients and secrets to create your on-demand Bearer Token. The Bearer Token is meant to be session specific, you're supposed to get a new one for every session/API request.

0 Kudos

B_Hanson
New Contributor III
New Contributor III
In response to B_Hanson

Posted on ‎12-04-2023 02:51 PM

Oh, and even if you haven't upgraded your Jamf server, you can still create an "API user" with only the permissions it needs, like' we've been doing for years. It's username and password are not dissimilar from the new "Clients and secrets", they both give you credentials for generating your Bearer Token. It's just the new stuff gives you a better way to manage API clients, and generates randomized secrets that you can revoke, expire, etc. But it's conceptually the same stuff as far as encoding them as bas64 and using them in your cURL calls to get your session tokens.

0 Kudos