Working with Feide JWT tokens#

When a data source has been created and the appropriate access levels/scopes have been configured in the Customer Portal, the service or API providing the data will need to work with the JWT tokens issued by Feide. The format and contents of the tokens can be found in the reference docs.

The service/API will then need a way to perform the following:

  1. Receiving the token

  2. Valdating the token

  3. Perform authorization based on claims

This can be done in several ways, including using a combination of these:

Receiving the token#

The way in which the token is received is dependent on the needs of the service/API. A typical way would be for the clients to send the JWT token as a Bearer token in the Authorization header in the request:

GET /resource HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...

Validating the token#

The service/API must validate the access token. In particular, iss has to be and aud has to match the ID of the corresponding, registered data source prefixed by

See the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens for full details about JWT access token validation. Furthermore, the token is only valid if the current time is in the interval between the iat and exp timestamps.

Performing authorization#

At this stage, the service/API has access to all the claims from the token, and can use any combination of them as needed to authorize the request. The scope claim will contain one or more of the registered access levels for the data source.