JSON Web Token (JWT)
All digi.me OAuth-related requests sent to the authorization server from the third-party context are signed with the consumer's RSA private key and transmitted in JSON Web Token (JWT) format; the authorization server verifies the JWT using the consumer's RSA public key (derived from the contract).
All digi.me OAuth-related responses sent from the authorization server to the third party are signed with the service's RSA private key (via Azure HSM Key Vault) and transmitted in JSON Web Token (JWT) format; the third-party context (SDK recommended) verifies the JWT using the service's RSA public key (a reference to it is embedded within the JWT header).
A JWT in its compact form is simply a string in the format below, suitable for HTTP transport.
Base64UrlEncode(header).Base64UrlEncode(payload).Base64UrlEncode(signature)
It consists of three parts separated by dots (.); these are:
Header
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used. In digi.me, we use the PS512 algorithm.
Payload
The payload contains the claims. Claims are statements about an entity (typically the user) together with additional data.
Signature
The signature is a digital signature over the encoded header and payload, produced with either an HMAC or a public/private key pair. In digi.me, we require JWTs to be signed using the consumer's RSA private key for the contract.
{
    "header": {
        "alg": "PS512",
        "typ": "JWT"
    },
    "payload": {
        "access_token": <access_token>,
        "client_id": <appId_contractId>,
        "nonce": <^[a-zA-Z0-9]{32}$>,
        "redirect_uri": <registered_redirect_uri>,
        "session_key": <session_key>,
        "timestamp": <current_unix_time>
    },
    "signature": <signed_with_consumers_private_key>
}