The developer account credentials are used with custom applications, such as the User Sync Tool, created using the Developer Console. Under the current JWT model, certificates must be updated regularly. Adobe is moving to the OAuth model, which won't require these updates, and will facilitate more security features, such as automated credential cycling.
With this coming change, which is a server-to-server option, custom applications using JWT certificates don't have to re-create the certificate in the Developer Console.
As per the official documentation, all JWT integrations will continue to work until 1 January 2025. In addition, the console will continue to support the creation of new JWT integrations until May 1, 2024.
No immediate action is required. The 18-month timeline is as follows:
| | MAY 1, 2023 - APR 30, 2024 | MAY 1, 2024 - DEC 31, 2024 | JAN 1, 2025 (END OF LIFE) |
|---|---|---|---|
| Existing applications using a Service Account (JWT) credential. | Existing applications using the Service Account (JWT) credential will continue to work. | Existing applications using the Service Account (JWT) credential will continue to work. | Existing applications cannot refresh expiring certificates after Jan 1, 2025, and will stop working. |
| New applications creating a Service Account (JWT) credential | A new Service Account (JWT) credential can be added to the project. | A new Service Account (JWT) credential can't be created or added to the project. | A new Service Account (JWT) credential can't be created or added to the project. |
OAuth2 data flow
The OAuth 2.0 credentials flow permits an application or API Client to use its own credentials instead of impersonating a user to authenticate when calling the Adobe APIs. The value of this is that when the developer leaves the organization, the application or integration will continue to work.
The Application/API-Client authenticates with the Adobe Identity Management Services using a specific ClientID and Client Secret. Once authenticated, the Adobe IMS Services return a bearer token to the client, which can then be used to access the Adobe API. This type of data flow is commonly used for server-to-server interactions that must run in the background without immediate interaction with a user. Clients of this kind are often referred to as daemons or service accounts.
Here's how the credential flow works:
- Application sends the application’s credentials to the Adobe IMS Authorization Server.
- Adobe IMS Authorization Server validates the application’s credentials.
- Adobe IMS Authorization Server responds with an access/bearer token.
- The application uses the OAuth2 bearer token to call the Adobe API on behalf of itself.
- Adobe API responds with requested data.
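The client side of this flow, as an added example that is not Adobe's or the User Sync Tool's code: it requests a bearer token with the application's own credentials, caches it, and requests a new one shortly before expiry so the client secret crosses the network as rarely as possible. The class name `ServiceToken`, the `token_url` and `scope` values (take them from your Developer Console project), sending the credentials as form fields, and the RFC 6749 response fields are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request


def post_form(url, fields):
    """Default transport: form-encoded POST, JSON response."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)


class ServiceToken:
    """Steps 1-3 of the flow, plus caching so the secret is sent only when needed."""

    def __init__(self, token_url, client_id, client_secret, scope,
                 post=post_form, clock=time.time, skew=60):
        if not token_url.startswith("https://"):
            raise ValueError("client secret must only be sent over HTTPS")
        self._url, self._id, self._secret, self._scope = token_url, client_id, client_secret, scope
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keep the secret and token out of logs and tracebacks
        return "ServiceToken(client_id=%r)" % self._id

    def get(self):
        """Return a valid bearer token, requesting a new one `skew` seconds before expiry."""
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token
        resp = self._post(self._url, {
            "grant_type": "client_credentials",
            "client_id": self._id,
            "client_secret": self._secret,
            "scope": self._scope,
        })
        # Assumed RFC 6749 response fields: access_token, token_type, expires_in (seconds).
        if str(resp.get("token_type", "")).lower() != "bearer" or not resp.get("access_token"):
            raise RuntimeError("token endpoint returned no bearer token")  # do not echo resp
        self._token = resp["access_token"]
        self._expires_at = self._clock() + int(resp.get("expires_in", 0))
        return self._token

    def auth_header(self):
        """Step 4: header to attach to each API call made on the application's own behalf."""
        return {"Authorization": "Bearer " + self.get()}
```

Load `client_id` and `client_secret` from a secrets store or environment variables rather than from source code or a committed configuration file.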
Applications and services to be migrated
Before migrating, ensure that your applications will support the new OAuth model. The User Sync Tool is the most common application currently supporting JWT that must be migrated. OAuth Server-to-Server will be supported in the next UST release (v2.9.0).
Other applications and services supporting JWT that will be migrated are:
PDF Services API | I/O Management API | AEM Brand Portal | Content Tagging - Creative Cloud Automation Services |
User Management API | Auto Crop | Content AI (Beta) | Photoshop - Creative Cloud Automation Services |
Adobe Target | Auto Tag | Cloud Manager | Lightroom - Creative Cloud Automation Services |
Adobe Campaign | Body Crop | Automated Forms Conversion | Adobe Photoshop API |
Experience Platform API | Color Swatch | Admin SDK - Insights API | Customer Journey Analytics |
Smart Content | Image Cutout | Asset Compute | 3D Automation - 3D&AR Services |
Adobe Stock | Image Quality | Commerce Partner API | Adobe Acrobat Sign |
I/O Events | Privacy Service API | Audience Manager API | Primetime Ad Insertion |
Experience Platform Launch API | Places | Journey Orchestration | Experience Cloud Setup Automation |
Adobe Analytics | Task Queue Manager | Remove Background - Creative Cloud Automation Services | Adobe Journey Optimizer |
Assurance API | Adobe Status API | AEM Forms - Communications | Adobe I/O Events for Adobe Commerce |
Additional questions may be answered in the Developer Forums.
Again, nothing needs to be done today. You have until May 1, 2024, before new applications will be required to use the OAuth model, so it would be best to start your migration when it is convenient for your development timeline.