JSON Web Token
Last Updated: 21 Jun 2021
Overview
The JSON Web Token (JWT) extension is a Matrix package that lets you generate dynamic JSON Web Tokens (JWTs) from Matrix. The tokens can be used to integrate with third-party services and platforms that implement JWT authentication.
The JWTs created by the extension are signed using a secret and are encoded using the HMAC SHA256 standard.
Prerequisites
Read the following prerequisites and information before installing and using the JSON Web Token Extension.
Key package information
Supported Matrix version | 5.5.0.0 |
|---|---|
Extension type | Matrix package |
| Extension version | 1.0.1 |
Installation method |
|
Asset category | Connectors |
Asset name | JSON Web Token |
Asset availability | Admin mode only |
| Minimum user account level | System Administrator |
JWT implementation
Read this section if you need to cross-check how the JWT implementation compares to a third-party JWT implementation.
Signing | Supported: HMAC SHA256 Not supported: RSA or ECDSA |
|---|---|
Encryption | Not supported |
Payload visibility | Signed (publicly visible) All payload information is visible in the payload when decoded. Do not put sensitive information such as passwords in the payload. |
Installing the extension
This extension is installed using the Matrix package installation process.
See Matrix Packages for installation instructions.
Using the extension
The JWT asset type is available through the Matrix Admin interface.
Before you set up a JWT, you need to understand the three configuration items the asset requires:
- Secret
- Payload
- Expiry Time
Make sure you have the required information for each configuration item prior to setting up a JWT asset in Matrix.
Secret
The secret is a shared key issued and used by the third-party service to verify that the token header and payload are authentic.
Check the third-party integration documentation for instructions on obtaining the correct secret.
Payload
Do not include sensitive information in the payload. The payload is signed using a shared secret but is not encrypted. Anyone can check the contents of the payload.
The payload sets the entity claims that get encoded within the token.
Entity claims are most commonly user credentials that the third-party service needs as part of the request.
The payload you send will vary based on the service you are integrating with, but will almost certainly use one or more JWT public claims as documented on the IANA.org website.
Payloads use a standard JSON body with claims declared as key-value pairs.
{
"sub": "1234567890",
"name": "John Smith",
"admin": true
}
In this example, sub is a registered claim, name is a public claim, and admin is a private claim specific to a third-party service.
Get the correct payload from the third-party service you are integrating with.
Expiry Time
The expiry time is used to populate the registered claim portion of the payload, specifically the exp value.
While you can leave the expiry time blank (unlimited expiry), this is not good JWT security practice.
A value between five and 15 minutes is generally recommended.
The third-party service you are integrating with may also recommend an expiry time, which you should honour in your configuration.
Creating a JWT asset
You can create a JWT asset anywhere in the asset tree. The location you select determines the web path from which the token is available.
Follow these steps to create a JWT asset for authenticating to a third-party service:
- In the Matrix Admin view, select the asset you want to create the JWT asset beneath.
- Click New Child > Connectors > JSON Web Token to create the asset, and configure the name and link type.
- In the Secret field, supply the third-party service’s JWT secret.
- In the Payload field, specify the JSON claims required by the third-party service. For example:
{
"sub": "%globals_user_attribute_username^json_encode%",
"given_name": "%globals_user_attribute_first_name^json_encode%",
"family_name": "%globals_user_attribute_last_name^json_encode%",
"admin": %asset_has_write_access^eq:1:true:false%
} - In the Expiry Time field, specify an expiry time for the token.
Requesting the JWT
You can retrieve the generated JSON Web Token by sending an HTTP request to the web path of the JSON Web Token Asset. Responses include a Content-Type of 'application/jwt' and an appropriate HTTP Code.
| HTTP Code | Reason | Value |
|---|---|---|
| 200 | A valid response from an authenticated user, that returns a valid generated JWT. | The JWT |
| 500 | The JWT could not be generated due to a configuration error in the JSON Web Token Asset. | Empty string |
| 403 | Failed to authenticate the user details. | Empty string |
Testing the JWT asset
You can test whether the token is working correctly by testing it with a service like the jwt.io debugger.
- Right-click on the JWT asset and select Preview In New Window.
- Copy the JWT string displayed on the asset’s webpage.
- Visit the jwt.io debugger and decode the token.
- Verify the decoded token matches the configuration in Matrix.
Managing the extension
You can manage versions of this extension by upgrading or uninstalling the package.
Upgrading
This extension is upgraded using the Matrix package upgrade process.
See Matrix Packages for upgrade instructions.
Uninstalling
To uninstall this extension, you need to have both Matrix system administrator and command-line access to your Matrix instance.
- Log in to Matrix as a system administrator and access admin mode.
- Move all JSON Web Token assets in your Matrix instance to the Trash.
- Purge any trashed JSON Web Token assets from the Trash.
- Follow the regular package uninstallation steps described in Matrix Packages.
Additional Resources
- https://jwt.io/introduction/ for a condensed overview of JWTs.
- https://tools.ietf.org/html/rfc7519 for the official JWT standard.