Products Downloads


French version


Comparaison des versions

Ancienne version 1

changes.mady.by.user Administrateur HardisForge

Sauvegardée le

comparé à

Nouvelle version Actuel

changes.mady.by.user Karine Saulgeot

Sauvegardée le

Légende

  • Ces lignes ont été ajoutées. Ce mot a été ajouté.
  • Ces lignes ont été supprimées. Ce mot a été supprimé.
  • La mise en forme a été modifiée.

...

When the user has been successfully authenticated by the authentication module(s), the service must create a JWT and return it to the request issuer.

 


The token contains various information via attributes called claims.

Some are from the authentication module:

Hardis - Tableau personnalisé
alternateColorsfalse
firstLineHeadertrue
noBorderfalse

Name of claim

Comment

sub (subject)

Contains the name of the authenticated user.

claimName

The LDAP authentication module associates an attribute value of the authenticated user with a claim name [claimName].


 

 

The token also contains information defined by the JwtProviderConfig object described in the /WEB-INF/beans.xml configuration file.

Bloc de code
<bean id="jwtProviderConfig" class="com.hardis.jwtprovider.JwtProviderConfig">
     <property name="jwtUserRoleClaim"      value="roles"/>
      <!-- iat | nbf | exp -->      
      <property name="jwtValidityTimeClaim"  value="iat"/>
      <!--property name="jwtTtl"                value="3600"/-->      
      <property name="jwtIssuer"             value="jwtProvider/hardis-group.com"/>
      <property name="jwtPrefixId"           value="TokenId_"/>
      <property name="jwtAudienceKind"       value="RscServers "/>
      <property name="jwtAudience"           value="http://hardis-group.com/apis;http://hardis.fr/apis"/>
      <property name="jwtLoginModuleName"    value="jwtLDAPLoginModule"/>
      ...
<bean>
Hardis - Tableau personnalisé
alternateColorsfalse
firstLineHeadertrue
noBorderfalse

Name of claim

JwtProviderConfig (properties)

iat : issued at

exp : expiration time

nbf : not before

The jwtValidityTimeclaim property sets the predefined claim to be used to manage the token's validity time.

By default: "iat".

...


The jwtTtl property (in s; by default: 3600) calculates the value of exp or nbf claims based on the current time.

Thus, for the claim:

exp: the token expires from: current time + jwtTtl

nbf: the token is valid from: current time + jwtTtl

iss (issuer)

The jwtIssuer property is used to enter the token issuer.

By default: "jwtProvider/hardis-group.com"

jti (JWT id)

Token identifier.

The jwtPrefixId property defines a prefix for the token identifier.

The full ID is created by concatenating this prefix with the current Unix time.

By default: "TokenId_"

aud (audience)

The jwtAudienceKind property defines the audience type to be checked. The possible values are:

  • None : there is no audience.
  • RscServers : resource servers
  • IPHost : a client accessing the resource server identical to the one that issued the token request.

For a 'RscServers'-type audience, the jwtAudience is used for entering (using the URL prefixes) the token recipient.

roles

The jwtUserRoleclaim property defines the name of the claimto use to store the authenticated user roles.

By default: "roles".

...



 

To finish token creation, it is digitally signed using an encryption key.

...

The '.' is the character separating each of the parts and each part is encoded in base64. 


Example of JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9 .eyJzdWIiOiJTVmlnbmVsbG8iLCJpc3MiOiJhdX

RoLmhhcmRpcy5jb20iLCJpYXQiOjE0NjU1NzI2MTksImF1ZCI6Imh0dHA6Ly9oYXJkaXMtZ3Jvd

XAuY29tIiwianRpIjoiVG9rZW5JZF8xNDY1NTcyNjIxIiwicm9sZXMiOlsidXNlciJdLCJzcGVj

Q2xhaW0xIjoiU2VyZ2UuVmlnbmVsbG9AaGFyZGlzLmZyIiwic3BlY0NsYWltMiI6IlNWaWduZWx

sbyJ9. SDmrfjIsnv04_SqxoQDCsvc5yclPSLF2FXkTmjj6klSCzPOb5ADpKTavFzh902Usf

-

9k0mhbW6zT4NeIQB3cxRKpL0iDT85eJwPucvycMzmQ2Fs4N6yxdJYJl0JQzMKTcnCVzdKGh

-

6V5FP25nfZaFyyMlBGCLj9ynudJSdgIw1MjnpZKEpek6Nk4Fgj0OrO1RIL1ULYVkYtwnFDPZbLL

PqQ7ulTRwLeUEEn5ZaDnfTXp8M0LM22SZOS_VRzH_WgEAnlv_GlaWRXq4ijFTm8TRpNu4cURB0A

dYZuBbTiR_a4K1b5X430WUr0CdfhLiYM

-eY2VsG7Ie0Jis1ZxuT6XA

...


The first part (in green) is the token header. It contains the predefined claims typ and alg. These have the respective values 'JWT' and 'HS256' (encryption algorithm). 


Hence the header JSON { "typ": "JWT", "alg": "RS256"} encoded in base64 gives part A of the token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9. 


The second part (in blue) is the token body. It contains the predefined claims (sub, iss, iat or exp or nbf, jti, aud) and additional private claims (roles, etc.). 


The third and final part (in orange) is the digital signature of the token calculated from the first and second parts (all encoded in base64) of the algorithm and the encryption key.

...


The VaToolBx function called VaToolBxAwsGetJWTClaim in a Visual Adelia Batch program (REST service) gets the value associated with a claim name of the JWT used to authenticate the user.

...