JSON Web Token
  • 05 Sep 2024

Using JSON Web Token will make the Safran API depend on an Identity Platform such as the Microsoft Identity Platform or a serverless authentication service.

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It is commonly used for authentication and information exchange.

The Safran API authentication methods using JSON Web Token support OAuth 2.0, which stands for “Open Authorization”.

Setup

  1. Internet Information Service (IIS) Manager
    1. The setup is similar to what is done for “No Authentication”.

  2. Within the “application.json” file found in your file folder:
    1. Make sure that the “authentication mode” setting is set to “jsonwebtoken”.

  3. In addition to the authentication type there is also an element “jsonwebtoken”; it can hold 3 elements:
    1. “key”
      1. This is the key used to sign and encrypt the JSON Web Token.
      2. It is unused when using an Identity Platform; it is required when “Not using Authorisation Server”.
    2. “Issuer claim”, “Issuer” or “iss”
      1. In the context of JSON Web Tokens (JWTs), the issuer claim (abbreviated as “iss”) serves two main purposes:
        1. Identification of the Issuer: The “iss” claim is a string that identifies the principal (entity) that issued the JWT. This can be a human user, an organization, or a service. For example, if a user logs in and receives a JWT, the issuer would be the authentication service or server that generated the token.
        2. Preventing Token Abuse: By including the issuer information, JWTs can prevent abuse. When a service receives a JWT, it can verify the issuer to ensure that the token was indeed issued by a trusted party. This helps prevent unauthorized tokens from being accepted.
      2. In summary, the “iss” claim provides basic context about the JWT’s origin and helps maintain security and trust in token-based authentication systems.
      3. This setting could be left blank, but that is not recommended.
    3. “Audience claim” or “aud”
      1. In the context of JSON Web Tokens (JWTs), the audience claim (abbreviated as “aud”) serves two main purposes:
        1. Recipient Identification: The “aud” claim identifies the recipients for which the JWT is intended. It specifies who should process the token. For example, if your application receives a JWT, it can check the “aud” claim to ensure that it was indeed intended for this API and not another one.
        2. Preventing Token Abuse: By including the “aud” claim, JWTs prevent abuse. If an attacker tries to reuse a token meant for a different audience, the recipient (this API) can reject it based on the mismatched “aud” value.
      2. In summary, the “aud” claim helps maintain security and ensures that tokens are used only by their intended recipients.

Example, AppSettings

  "AppSettings": {
    "SafranWebApiAuthenticationType": "jsonwebtoken",

    "jsonwebtoken": {
      "key": "ThisIsMySecretKey2749C6AE486C6E783BBADF7F33333",
      "iss": "This is my issuer",
      "aud": "Safran Integration API"
    }
  },
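The check a resource API performs with settings like the ones above, as an added example (standard-library Python, not part of the Safran documentation or product code): verify the HMAC signature with the shared “key”, then reject the token unless its “iss” and “aud” match the configured issuer and audience. It goes one step beyond the page by also requiring an unexpired “exp” claim; the key and claim values are constructed samples.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: str) -> str:
    # Builds a sample token; stands in for the issuer (constructed, not Safran code)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"

def validate_jwt(token: str, key: str, issuer: str, audience: str, now=None) -> dict:
    """Return the claims when the token is acceptable, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JSON segments must be objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to what the configured key is for; the token must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("bad signature")
    # "iss": the token must come from the issuer configured in application.json
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # "aud": the token must be meant for this API ("aud" may be a string or a list)
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # "exp": added check beyond the page's two claims; reject expired or undated tokens
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims
```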