JWT authentication

JSON Web Token (JWT) is an open standard (RFC 7519) for transmitting claims between two parties as a JavaScript Object Notation (JSON) object that is signed, so the receiver can verify where it came from and that it has not been altered. JWT is used for authentication and authorization. Because one signed JWT can be accepted by several services, it supports single sign-on (SSO) and minimizes the number of times a user has to log on to cloud applications and websites.

JWT structure

A JWT consists of three parts: a header, a payload, and a signature.

Header

The header usually consists of two parts: the token type (typ) and the signing algorithm (alg). The algorithm names how the signature was generated. A receiver must treat alg as a value to compare against the algorithms it is configured to accept, not as an instruction to follow: until the signature has been verified, the header is under the sender's control.

Example:

{
  "typ": "JWT",
  "alg": "RS256"
}

RS256 indicates that the token is signed with RSASSA-PKCS1-v1_5 using SHA-256 (RSA signature with SHA256).

Payload

The payload is a JSON object consisting of the claims that you want to make. Claims are statements about an entity (usually the user) plus additional metadata. For Qlik NPrinting, the payload must contain either an email attribute, or both the domain and name attributes.

Example:

{
  "email": "jde@company.com",
  "exp": 1472034208
}

Example:

{
  "name": "jde",
  "domain": "company",
  "exp": 1472034208
}

Signature

The signature lets the receiver verify who issued the JWT and that the header and payload have not been tampered with. It is computed over the encoded header and payload with the issuer's private key. In the normal case the key pair comes from an X.509 certificate: its private key signs the token, and its public key is configured on the receiving side to validate the signature.

Authentication is performed by validating the signature against the configured certificate and checking the token's time claims. If the signature is valid and the token is inside its validity window, access is granted.

Supported signature algorithms

The following signature algorithms are supported in Qlik NPrinting:

  • RS256 - RSA signature with SHA256

  • RS384 - RSA signature with SHA384

  • RS512 - RSA signature with SHA512

Example: Accessing Qlik NPrinting with a signed JWT

The following example shows the steps involved in gaining access using a signed JWT.

  1. A JWT is generated, including a set of claims, and is signed with the private key for the configured certificate.

  2. A request is sent to the proxy including the signed JWT in the HTTP Authorization header.

  3. The proxy injects the configured attribute mappings and forwards the call to the backend service.

  4. The client receives a session, and subsequent calls are not required to include a JWT.

    1. If a call does include a JWT, it is validated, and if it is invalid the user is denied access.
    2. If the user in the JWT is different from the user stored for the session, the user obtains a new session.

Standard fields

The following registered claim fields inside a JWT are used by Qlik NPrinting:

  • Expiration time (exp): the time after which the JWT is no longer accepted.
  • Not before (nbf): the time before which the JWT is not yet accepted.
Note: Your JWT can contain other registered fields, but only those listed above are evaluated by Qlik NPrinting.

Limitations

The following limitations exist:

  • Encrypted JWTs are not supported.

  • Only the following signing algorithms are supported:

    • RS256 - RSA signature with SHA256

    • RS384 - RSA signature with SHA384

    • RS512 - RSA signature with SHA512
