When the user has been successfully authenticated by the authentication module(s), the service must create a JWT and return it to the request issuer.
The token carries its information in attributes called claims.
Some of them come from the authentication module:
Name of claim | Comment
sub (subject) | Contains the name of the authenticated user.
claimName | The LDAP authentication module maps an attribute value of the authenticated user to a claim named [claimName].
The token also contains information defined by the JwtProviderConfig object described in the /WEB-INF/beans.xml configuration file.
<bean id="jwtProviderConfig" class="com.hardis.jwtprovider.JwtProviderConfig">
    <property name="jwtUserRoleClaim" value="roles"/>
    <!-- iat | nbf | exp -->
    <property name="jwtValidityTimeClaim" value="iat"/>
    <!--property name="jwtTtl" value="3600"/-->
    <property name="jwtIssuer" value="jwtProvider/hardis-group.com"/>
    <property name="jwtPrefixId" value="TokenId_"/>
    <property name="jwtAudienceKind" value="RscServers"/>
    <property name="jwtAudience" value="http://hardis-group.com/apis;http://hardis.fr/apis"/>
    <property name="jwtLoginModuleName" value="jwtLDAPLoginModule"/>
    ...
</bean>
Name of claim | JwtProviderConfig (properties)
iat (issued at), exp (expiration time), nbf (not before) | The jwtValidityTimeClaim property selects which predefined claim carries the token's validity time; by default "iat". The jwtTtl property (in seconds; by default 3600) is used to compute the value of the exp or nbf claim from the current time: with exp, the token expires at current time + jwtTtl; with nbf, the token becomes valid at current time + jwtTtl. With the default "iat", the token itself carries no expiry, so the resource server has to bound the token's lifetime on its side.
iss (issuer) | The jwtIssuer property sets the token issuer. By default: "jwtProvider/hardis-group.com".
jti (JWT id) | Token identifier. The jwtPrefixId property defines a prefix for it; the full ID is the prefix concatenated with the current Unix time. By default: "TokenId_".
aud (audience) | The jwtAudienceKind property defines the audience type to be checked. For a 'RscServers'-type audience, the jwtAudience property names the token recipients as URL prefixes (several prefixes are separated by ';', as in the bean above).
roles | The jwtUserRoleClaim property defines the name of the claim that stores the authenticated user's roles. By default: "roles".
To finish token creation, the token is digitally signed with a signing key.
The resource server validates the signature with the key that corresponds to it: for an HMAC algorithm (HS256) that is the same shared secret; for an RSA algorithm such as the RS256 used in the example below, the provider signs with its private key and the resource server verifies with the matching public key, so the private key never has to leave the provider.
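As an added example (not the provider's own code), here is how the claim set described above is assembled from JwtProviderConfig-style properties and signed into the compact A.B.C form. It uses HS256 (a shared secret, standard library only) rather than the RS256 of the page's example token; the CONFIG dictionary, the user data and the decision to emit several ';'-separated audiences as a list are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Mirrors the JwtProviderConfig properties from beans.xml (constructed here;
# the real provider reads them from the bean). jwtValidityTimeClaim is set to
# "exp" instead of the default "iat" so the token carries an expiry.
CONFIG = {
    "jwtUserRoleClaim": "roles",
    "jwtValidityTimeClaim": "exp",   # iat | nbf | exp
    "jwtTtl": 3600,                  # seconds
    "jwtIssuer": "jwtProvider/hardis-group.com",
    "jwtPrefixId": "TokenId_",
    "jwtAudienceKind": "RscServers",
    "jwtAudience": "http://hardis-group.com/apis;http://hardis.fr/apis",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(config: dict, subject: str, roles: list, ldap_claims: dict, now: int) -> dict:
    """Assemble the claim set: sub and the LDAP-mapped claims come from the
    authentication module, everything else from the config properties."""
    claims = {"sub": subject, "iss": config["jwtIssuer"]}
    claims.update(ldap_claims)          # e.g. {"specClaim1": "<mail attribute>"}
    validity = config["jwtValidityTimeClaim"]
    if validity == "iat":
        claims["iat"] = now             # default: no expiry in the token itself
    elif validity in ("exp", "nbf"):
        claims[validity] = now + int(config["jwtTtl"])   # current time + jwtTtl
    else:
        raise ValueError("jwtValidityTimeClaim must be iat, nbf or exp")
    claims["jti"] = f"{config['jwtPrefixId']}{now}"      # prefix + Unix time
    if config["jwtAudienceKind"] == "RscServers":
        # ';'-separated URL prefixes. One recipient is emitted as a string
        # (as in the page's example token); several as a list (assumption;
        # RFC 7519 allows both forms).
        recipients = [a.strip() for a in config["jwtAudience"].split(";") if a.strip()]
        claims["aud"] = recipients[0] if len(recipients) == 1 else recipients
    claims[config["jwtUserRoleClaim"]] = list(roles)
    return claims


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact serialization A.B.C with an HMAC-SHA256 signature over A.B."""
    header = {"typ": "JWT", "alg": "HS256"}
    a = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    b = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, f"{a}.{b}".encode("ascii"), hashlib.sha256).digest()
    return f"{a}.{b}.{b64url(mac)}"


if __name__ == "__main__":
    # Constructed user data: what the LDAP login module would hand over.
    claims = build_claims(CONFIG, "SVignello", ["user"],
                          {"specClaim1": "Serge.Vignello@hardis.fr"}, int(time.time()))
    print(json.dumps(claims, indent=2))
    print(sign_hs256(claims, b"shared-secret-known-to-the-resource-server"))
```

The header is serialized without whitespace; that is why the page's header JSON encodes to exactly the 36-character part A shown later on this page.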
The JWT returned by the service is a string made of 3 parts: "A.B.C".
The '.' character separates the parts, and each part is encoded in base64url (the URL-safe base64 alphabet with '-' and '_' instead of '+' and '/', and without '=' padding), which is why the signature below contains '-' and '_' characters.
Example of JWT (one continuous string; a line break has been added after each '.' for readability):
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.
eyJzdWIiOiJTVmlnbmVsbG8iLCJpc3MiOiJhdXRoLmhhcmRpcy5jb20iLCJpYXQiOjE0NjU1NzI2MTksImF1ZCI6Imh0dHA6Ly9oYXJkaXMtZ3JvdXAuY29tIiwianRpIjoiVG9rZW5JZF8xNDY1NTcyNjIxIiwicm9sZXMiOlsidXNlciJdLCJzcGVjQ2xhaW0xIjoiU2VyZ2UuVmlnbmVsbG9AaGFyZGlzLmZyIiwic3BlY0NsYWltMiI6IlNWaWduZWxsbyJ9.
SDmrfjIsnv04_SqxoQDCsvc5yclPSLF2FXkTmjj6klSCzPOb5ADpKTavFzh902Usf-9k0mhbW6zT4NeIQB3cxRKpL0iDT85eJwPucvycMzmQ2Fs4N6yxdJYJl0JQzMKTcnCVzdKGh-6V5FP25nfZaFyyMlBGCLj9ynudJSdgIw1MjnpZKEpek6Nk4Fgj0OrO1RIL1ULYVkYtwnFDPZbLLPqQ7ulTRwLeUEEn5ZaDnfTXp8M0LM22SZOS_VRzH_WgEAnlv_GlaWRXq4ijFTm8TRpNu4cURB0AdYZuBbTiR_a4K1b5X430WUr0CdfhLiYM-eY2VsG7Ie0Jis1ZxuT6XA
The first part (A) is the token header. It contains the predefined claims typ and alg, here with the values 'JWT' and 'RS256' (the signature algorithm).
Hence the header JSON {"typ":"JWT","alg":"RS256"}, serialized without whitespace and encoded in base64url, gives part A of the token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.
The second part (B) is the token body. It contains the predefined claims (sub, iss, iat or exp or nbf, jti, aud) and the additional private claims (roles, etc.).
The third and final part (C) is the digital signature of the token, computed over the first and second parts (base64url-encoded and joined by '.') with the algorithm named in the header and the signing key. The resource server should take the algorithm it accepts from its own configuration rather than from the alg value in the header, since the header is attacker-controlled until the signature has been checked.
The VaToolBx function VaToolBxAwsGetJWTClaim, called from a Visual Adelia Batch program (REST service), returns the value associated with a claim name in the JWT used to authenticate the user.
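As an added example (not code from the page, from the Hardis provider or from VaToolBx), the resource-server side of the structure described above: splitting the A.B.C serialization, decoding header and body with base64url, pinning the algorithm to the verifier's own allow-list instead of trusting the header, verifying an HMAC signature in constant time, checking the validity window and a RscServers-style audience, and reading one claim by name as VaToolBxAwsGetJWTClaim does. The page's example token is reassembled and decoded; its RS256 signature is not verified because the provider's public key is not on the page. The HS256 sample signer, the reading of aud entries as URL prefixes of the resource's own API, and the iat + jwtTtl bound for tokens without exp are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# The page's example token (RS256-signed by the Hardis provider), reassembled
# from the printed segments into one string.
EXAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9"
    ".eyJzdWIiOiJTVmlnbmVsbG8iLCJpc3MiOiJhdX"
    "RoLmhhcmRpcy5jb20iLCJpYXQiOjE0NjU1NzI2MTksImF1ZCI6Imh0dHA6Ly9oYXJkaXMtZ3Jvd"
    "XAuY29tIiwianRpIjoiVG9rZW5JZF8xNDY1NTcyNjIxIiwicm9sZXMiOlsidXNlciJdLCJzcGVj"
    "Q2xhaW0xIjoiU2VyZ2UuVmlnbmVsbG9AaGFyZGlzLmZyIiwic3BlY0NsYWltMiI6IlNWaWduZWx"
    "sbyJ9"
    ".SDmrfjIsnv04_SqxoQDCsvc5yclPSLF2FXkTmjj6klSCzPOb5ADpKTavFzh902Usf-"
    "9k0mhbW6zT4NeIQB3cxRKpL0iDT85eJwPucvycMzmQ2Fs4N6yxdJYJl0JQzMKTcnCVzdKGh-"
    "6V5FP25nfZaFyyMlBGCLj9ynudJSdgIw1MjnpZKEpek6Nk4Fgj0OrO1RIL1ULYVkYtwnFDPZbLL"
    "PqQ7ulTRwLeUEEn5ZaDnfTXp8M0LM22SZOS_VRzH_WgEAnlv_GlaWRXq4ijFTm8TRpNu4cURB0A"
    "dYZuBbTiR_a4K1b5X430WUr0CdfhLiYM"
    "-eY2VsG7Ie0Jis1ZxuT6XA"
)


def b64url_decode(part: str) -> bytes:
    """base64url with the '=' padding that JWS strips put back."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt(token: str, allowed_algs: frozenset) -> dict:
    """Split A.B.C, decode header and body, and pin the algorithm.
    The accepted alg comes from the verifier's configuration: a header that
    says "none", or swaps RS256 for HS256, is rejected before any key is used."""
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("JWT must have exactly three non-empty parts A.B.C")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("typ") != "JWT" or header.get("alg") not in allowed_algs:
        raise ValueError(f"unacceptable header: {header}")
    return {
        "header": header,
        "claims": json.loads(b64url_decode(parts[1])),
        "signing_input": (parts[0] + "." + parts[1]).encode("ascii"),
        "signature": b64url_decode(parts[2]),
    }


def verify_hs256(parsed: dict, key: bytes) -> bool:
    """Recompute the HMAC over A.B and compare in constant time."""
    expected = hmac.new(key, parsed["signing_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["signature"])


def check_claims(claims: dict, resource_url: str, now: int, ttl: int = 3600) -> None:
    """Validity window plus RscServers-style audience check (assumed reading:
    an aud entry must be a URL prefix of the API this resource server serves).
    A token carrying only iat is bounded by iat + jwtTtl here (assumption)."""
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("token not yet valid")
    if "exp" not in claims and "iat" in claims and now >= int(claims["iat"]) + ttl:
        raise ValueError("token older than jwtTtl")
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not any(resource_url.startswith(a) for a in audiences):
        raise ValueError(f"audience {audiences} does not cover {resource_url}")


def get_claim(claims: dict, name: str):
    """Read one claim by name, the role VaToolBxAwsGetJWTClaim plays."""
    return claims.get(name)


def hs256_sample_token(claims: dict, key: bytes) -> str:
    """Build a verifiable HS256 sample (only because the page's RS256 key is
    not available); not the provider's signing code."""
    a = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    b = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, f"{a}.{b}".encode("ascii"), hashlib.sha256).digest()
    return f"{a}.{b}.{b64url_encode(mac)}"


if __name__ == "__main__":
    parsed = parse_jwt(EXAMPLE_JWT, frozenset({"RS256"}))   # structure only: no public key
    print(json.dumps(parsed["claims"], indent=2))
    print("sub =", get_claim(parsed["claims"], "sub"), "| signature bytes:", len(parsed["signature"]))
```

Note that decoding the example token reveals a 256-byte signature, i.e. a 2048-bit RSA key, and that jti (TokenId_1465572621) was built from a Unix time two seconds after iat (1465572619), which matches the prefix + current-time rule above.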