Plone.restapi JWT authentication with a third-party PAS plugin

I wonder if the JWT authentication of Plone is supposed to work with third-party PAS plugin.
In our case, we have a plugin to authenticate against a third-party system which works under normal usage with Plone. However, I can use the JWT auth of plone.restapi only with native Plone accounts but not with accounts that are managed by our own PAS plugin.

As far as I can tell (testing in Postman, against a home-grown plugin talking to an authentication source that makes a request to an OAuth endpoint and gets a response back):

  • @login endpoint works with a custom plugin providing IAuthenticationPlugin
  • regardless of where jwt_auth is in the order of authentication, it works with the Bearer token I received in the response from @login, giving

(this was tested in an integration of Plone 6.1.0a5; I tried this with source_users disabled, and GET requests using Bearer authorization where an authenticated user was required to get anything but a 403; cookies in Postman were disabled).

I'm guessing there may be corner cases where this could get stuck; it might be worth attempting a pdb breakpoint inside both extractCredentials and authenticateCredentials of plone.restapi.pas.plugin.JWTAuthenticationPlugin.

Edit: to clarify, my authentication source does not use ephemeral users (there is a 1:1 stored user for each user in the external source), so there may be some assumption in PAS where YMMV versus the scenario I described.
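The chain the reply above describes (@login authenticating through whichever plugin accepts the posted credentials, then jwt_auth validating the Bearer token whatever its position in the plugin order) modelled as an added, self-contained example. This is not plone.restapi's or PAS's code: ExternalUserPlugin, JWTPlugin, PluggableAuthService, the sample user and the signing secret are constructed stand-ins that borrow only the two hook names, extractCredentials and authenticateCredentials, and the (user_id, login) return shape.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ExternalUserPlugin:
    """Stand-in (hypothetical) for a home-grown PAS plugin backed by an
    external source: one stored 1:1 user record per external account,
    no ephemeral users. `users` is a constructed login -> password map."""

    def __init__(self, users):
        self.users = users

    def extractCredentials(self, request):
        # Only form-style login/password credentials interest this plugin.
        if request.get("login") and request.get("password"):
            return {"login": request["login"], "password": request["password"]}
        return None

    def authenticateCredentials(self, credentials):
        login = credentials.get("login")
        expected = self.users.get(login)
        if expected is not None and hmac.compare_digest(expected, credentials.get("password", "")):
            return (login, login)  # (user_id, login), the shape PAS plugins return
        return None


class JWTPlugin:
    """Minimal HS256 token plugin exposing the same two PAS hooks.
    `clock` is injectable so expiry can be tested deterministically."""

    def __init__(self, secret: bytes, ttl: int = 3600, clock=None):
        self.secret = secret
        self.ttl = ttl
        self.clock = clock or (lambda: int(time.time()))

    def _sign(self, signing_input: bytes) -> bytes:
        return hmac.new(self.secret, signing_input, hashlib.sha256).digest()

    def create_token(self, user_id: str) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps({"sub": user_id, "exp": self.clock() + self.ttl}).encode())
        signature = self._sign(f"{header}.{payload}".encode())
        return f"{header}.{payload}.{_b64(signature)}"

    def extractCredentials(self, request):
        auth = request.get("Authorization", "")
        if auth.startswith("Bearer "):
            return {"token": auth[len("Bearer "):]}
        return None

    def authenticateCredentials(self, credentials):
        token = credentials.get("token")
        if not token:
            return None  # login/password credentials belong to other plugins
        try:
            header, payload, signature = token.split(".")
            # Verify the signature before trusting anything in the payload.
            if not hmac.compare_digest(self._sign(f"{header}.{payload}".encode()), _unb64(signature)):
                return None
            claims = json.loads(_unb64(payload))
        except ValueError:  # bad base64, bad JSON, wrong segment count
            return None
        if not isinstance(claims, dict) or not claims.get("sub"):
            return None
        if claims.get("exp", 0) <= self.clock():
            return None
        return (claims["sub"], claims["sub"])


class PluggableAuthService:
    """Simplified PAS dispatch: each plugin extracts what it recognises, and
    every credential set is offered to the authenticators in activation order;
    the first plugin that accepts wins."""

    def __init__(self, plugins):
        self.plugins = list(plugins)

    def validate(self, request):
        for extractor in self.plugins:
            credentials = extractor.extractCredentials(request)
            if not credentials:
                continue
            for authenticator in self.plugins:
                result = authenticator.authenticateCredentials(credentials)
                if result:
                    return result[0]
        return None


def login(pas, jwt_plugin, request):
    """Model of @login: run the posted credentials through PAS, then mint a
    token for the user id the accepting plugin returned."""
    user_id = pas.validate(request)
    return jwt_plugin.create_token(user_id) if user_id else None
```

Because each plugin returns None for credential shapes it does not own, swapping the order of the two plugins changes nothing for either the password login or the later Bearer request, which is the behaviour reported above. Where real setups diverge is the user lookup after the token is verified: here the id inside the token is trusted as-is, whereas a deployment would resolve it against its user sources, so an external account that is not visible there is where a breakpoint in authenticateCredentials pays off.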

Thanks.

I got it working with a few changes to login.py. The logic implemented for finding the related plugin for authentication does not directly match our setup but a customized version does the job for us.