Symmetric Key: a Shared Secret
The procedure for using a JWT in an embedded webpage solution:
1.Create a JWT with symmetric encryption. The JWT is based on (i) property–value information that you enter (called claims); and (ii) a random string (the shared secret).
2.Set up MobileTogether Server to verify the JWT that is sent from the webpage. You provide two pieces of information: (i) the secret that was used to generate the JWT; and (ii) the value of the Audience claim (which must be the same as that used to generate the JWT).
3.In the webpage, pass the JWT to the IFrame.
When the JWT is passed to the server, the server validates it by using the Audience information and the shared secret that you entered in the settings to generate the JWT.
The description uses the Online JWT Builder of Jamie Kurtz to run through the process of creating a JWT with a symmetric key (shared secret). It describes the claims (JSON property–value pairs) that are relevant for JWT use in the embedded webpage solutions of MobileTogether .
The standard claims (see screenshot below) make up the core claims:
•MobileTogether Server checks whether the time of server access lies inside the validity period of the JWT. So set the issuance and expiration times as appropriate.
•The Audience parameter is one of the settings you need to configure on MobileTogether Server . So specify the same value in both the Audience parameter here (when generating the JWT) and the MobileTogether Server Audience setting (see MobileTogether Server Settings below).
•The Subject parameter is where you specify the user that should be logged in to MobileTogether Server. If the user name that you enter here is a user that is registered with MobileTogether Server, then the login is carried out with the permissions that this user has. If the user name is not registered with MobileTogether Server, then this user is registered with MobileTogether Server and logged in; however, you will need to set permissions for this new user so that it can access the relevant workflow.
Symmetric key (or shared secret) for JWT
The key (or shared secret), together with the other data you enter, is used to generate the JWT. This secret will be used by MobileTogether Server to decrypt and authenticate the JWT that it receives from the webpage. So the secret is used for both encryption (of the JWT) and its decryption. When generating the JWT, you can specify any string you like as the shared secret. The same string must be entered as the MobileTogether Server Secret setting (see MobileTogether Server Settings below).
In the screenshot below, a 32-character-long secret is entered, and the encryption algorithm HS256 is selected. On clicking Create Signed JWT, the JWT is created and is displayed in the text box.
In the Settings tab of MobileTogether Server, you will need to enable JWT authentication (see screenshot below), and then enter two settings:
•Secret: This is the symmetric key (shared secret) that was used to create the JWT. With this information, the server will be able to verify the JWT. (If you are using asymmetric encryption, then, in this field, enter the public key of a private–public pair.)
•Audience: Enter the same string as that you entered for the Audience claim when creating the JWT.