Working with Feide JWT tokens#

When a data source has been created and the appropriate access levels/scopes have been configured in the Customer Portal, the service or API providing the data will need to work with the JWT tokens issued by Feide. The format and contents of the tokens can be found in the reference docs.

The service/API then needs to perform three steps:

  1. Receive the token

  2. Validate the token

  3. Authorize the request based on the token's claims

Each step can be done in several ways, including a combination of those described below.

Receiving the token#

How the token is received depends on the needs of the service/API. A typical approach is for clients to send the JWT as a bearer token in the Authorization header of the request:

GET /resource HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...

Validating the token#

The service/API must validate the access token before acting on any of its claims. Validation includes verifying the token's signature against the signing keys published by the issuer, and checking the iss and aud claims: iss has to be https://auth.dataporten.no, and aud has to match the ID of the corresponding registered data source prefixed by https://n.feide.no/datasources/. Tokens whose signature does not verify, or whose iss or aud differ from these values, must be rejected.

See the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068) for full details about JWT access token validation. Furthermore, the token is only valid if the current time is in the interval between the iat and exp timestamps.

Performing authorization#

At this stage, the service/API has access to all the claims from the validated token, and can use any combination of them as needed to authorize the request. The scope claim contains one or more of the access levels registered for the data source, so checking that the required access level is present in scope is the usual basis for authorization.
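The three steps above, carried out end to end in Go, as an added example that is not part of the Feide documentation or any Feide SDK. It assumes a hypothetical data source ID ("example-datasource"), generates a local RSA key pair to stand in for Feide's signing key so that it runs offline, and mints a constructed sample token with that key; a real service would instead fetch Feide's public keys from the issuer's JWKS and select the one named by the token's kid header. The signature is checked before any claim is read, the algorithm is pinned to RS256 rather than taken from the token header, and the iss, aud and iat/exp checks follow the rules above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	expectedIssuer = "https://auth.dataporten.no"      // fixed by the Feide docs
	audiencePrefix = "https://n.feide.no/datasources/" // fixed by the Feide docs
	dataSourceID   = "example-datasource"              // hypothetical: the ID assigned in the Customer Portal
)

type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"` // single string as the docs describe; RFC 7519 also allows an array
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"` // space-separated access levels
}

// Step 1: take the bearer token from the Authorization header value.
func BearerToken(authorization string) (string, error) {
	scheme, tok, _ := strings.Cut(authorization, " ")
	if tok = strings.TrimSpace(tok); !strings.EqualFold(scheme, "Bearer") || tok == "" {
		return "", errors.New("missing or malformed Authorization: Bearer header")
	}
	return tok, nil
}

// Step 2: verify the signature, then issuer, audience and validity window. key is Feide's
// RS256 public key; a real service selects it by the token's kid from the issuer's JWKS.
func ValidateToken(token string, key *rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	header, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	// Pin the algorithm: the header is attacker-controlled until the signature verifies.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(header, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	if d := sha256.Sum256([]byte(parts[0] + "." + parts[1])); rsa.VerifyPKCS1v15(key, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != expectedIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if want := audiencePrefix + dataSourceID; c.Aud != want {
		return nil, fmt.Errorf("token not issued for audience %q", want)
	}
	if t := now.Unix(); t < c.Iat || t >= c.Exp {
		return nil, errors.New("token outside its iat..exp validity window")
	}
	return &c, nil
}

// Step 3: authorize on the scope claim, which holds the data source's access levels.
func HasScope(c *Claims, required string) bool {
	return strings.Contains(" "+c.Scope+" ", " "+required+" ")
}

// signRS256 plays the part of Feide so the example runs offline; not a Feide SDK call.
func signRS256(key *rsa.PrivateKey, payload map[string]any) string {
	body, _ := json.Marshal(payload)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"typ":"JWT","alg":"RS256"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Feide's signing key
	now := time.Now()
	tok := signRS256(key, map[string]any{"iss": expectedIssuer, "aud": audiencePrefix + dataSourceID,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), "scope": "read"}) // constructed claims
	raw, _ := BearerToken("Bearer " + tok)
	c, err := ValidateToken(raw, &key.PublicKey, now)
	fmt.Println("valid:", err == nil, "read:", err == nil && HasScope(c, "read"))
}
```

The order of the checks matters: nothing in the payload is trusted until the signature has verified with a key the service chose and an algorithm the service fixed, which is what defeats alg:none and key-confusion tokens. The scope check treats the claim as a space-separated list, so a required access level must appear as a whole word rather than as a substring of another one.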