JWT

The JWT login module authenticates users from a signed JWT (RFC 7519) token issued by an external authentication provider.

Applications that obtain JWT tokens from an external authentication provider may pass the token as part of a call to the __status endpoint. The token is validated (signature and expiry) and decoded, and its claims become the basis for the user session.

Subsequent calls to __status that carry no token return the standard __status session information for the session already established.

Example:

<jarvis>
    <app>
        <login module="Jarvis::Login::JWT">
            <parameter name="token_type"            value="rfc7519"/>
            <parameter name="token_path"            value="token"/>
            <parameter name="token_source"          value="uri"/>
            <parameter name="validate_token"        value="1"/>
            <parameter name="validation_key"        value="/etc/jarvis/signing_public_key"/>
            <parameter name="validation_algorithms" value="RS256"/>
            <parameter name="username_key"          value="username"/>
            <parameter name="external_user_id_key"  value="username"/>
            <parameter name="groups_key"            value="group"/>
            <parameter name="expiry_key"            value="timestamp"/>
        </login>
        ...
Parameters (default value in brackets):

token_type (rfc7519)
    The expected type of JWT token when decoding. Currently only tokens encoded per https://datatracker.ietf.org/doc/html/rfc7519 are supported.

token_path (token)
    The name of the URI query parameter or POST body parameter that carries the JWT when __status is invoked.

token_source (uri)
    Where the inbound token is read from. Supports uri (query string) and body (POST data).

validate_token (0)
    Whether to verify the token's signature before decoding and trusting its contents.
    Do not disable validation in a production environment. With validation off, anyone who can reach __status can hand-craft a token naming any username and groups and bypass the access restrictions those fields control.

validation_key (none)
    File path of the key used to verify the JWT signature. For asymmetric algorithms such as RS256 this is the public key published by the authentication provider that signs the tokens. Note that HS256 is a keyed HMAC, so a token signed with HS256 can only be verified with the same shared secret, never with a public key.

validation_algorithms (none)
    The signature algorithm (the JWT alg header value) the authentication provider uses to sign its tokens. Pin this to exactly that algorithm rather than a broad set, so that the alg header inside an attacker-supplied token cannot select a weaker or unsigned variant.

username_key (username)
    The claim in the JWT that maps to the internal Jarvis username session property.

external_user_id_key (username)
    The claim in the JWT that maps to the internal Jarvis external user ID session property.

groups_key (group)
    The claim in the JWT that is parsed to build the internal Jarvis session group list.

expiry_key (timestamp)
    The claim whose value is checked during validation to decide whether the token is still valid. RFC 7519 tokens carry this in the standard exp claim (seconds since the Unix epoch), so set this to exp when the provider uses the standard claim.
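The following is an added example, not code from the Jarvis project: a minimal RFC 7519 validator written in Python with only the standard library, mirroring the parameter names of the <login> configuration above so the effect of each setting can be seen. It implements HS256 only (the hmac module makes that runnable offline); the CONFIG dictionary, the SECRET bytes standing in for the contents of validation_key, the mint_test_token helper used to build test tokens, and the assumption that the groups claim is either a string or a list are all constructed for this example.

```python
"""Added illustrative JWT validator (not Jarvis::Login::JWT itself)."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical mirror of the <login> parameters from the page.
CONFIG = {
    "validate_token": 1,
    "validation_algorithms": ["HS256"],  # pinned; any other alg is rejected
    "username_key": "username",
    "external_user_id_key": "username",
    "groups_key": "group",
    "expiry_key": "timestamp",
}

# Constructed shared secret standing in for the contents of validation_key.
SECRET = b"constructed-shared-secret-not-a-real-key"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims, secret, alg="HS256"):
    """Build an HMAC-SHA256 signed token for testing. The `alg` string is
    written into the header verbatim so the validator can be exercised with
    a mismatched or 'none' header while the body stays otherwise valid."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate(token, secret, cfg, now=None):
    """Return the session fields a login module would build, or raise ValueError.

    The accepted algorithm comes from the configuration, not from the token's
    header, so an attacker-controlled alg cannot pick 'none' or swap
    algorithms; the signature is checked before any claim is trusted; the
    configured expiry claim is then compared against the clock."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))

    if cfg["validate_token"]:
        alg = header.get("alg")
        if alg not in cfg["validation_algorithms"]:
            raise ValueError(f"algorithm {alg!r} not in validation_algorithms")
        # Only HS256 is implemented here; a deployment pairing a public key
        # file with RS256/ES256 would verify with that public key instead.
        if alg != "HS256":
            raise ValueError(f"algorithm {alg!r} not implemented in this example")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")

    expiry = payload.get(cfg["expiry_key"])
    if expiry is None or int(expiry) <= now:
        raise ValueError("token expired or missing expiry claim")

    groups = payload.get(cfg["groups_key"], [])
    if isinstance(groups, str):
        groups = [groups]
    return {
        "username": payload[cfg["username_key"]],
        "external_user_id": payload[cfg["external_user_id_key"]],
        "groups": list(groups),
    }


if __name__ == "__main__":
    claims = {"username": "alice", "group": ["admin", "staff"], "timestamp": 2000000000}
    print(validate(mint_test_token(claims, SECRET), SECRET, CONFIG, now=1900000000))
```

Running it with validate_token set to 0 makes the warning in the table concrete: a token signed with any secret the attacker chooses, naming any username and groups, is accepted unchanged, because the only thing that ties the claims to the provider is the signature check that was switched off.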