Add a JWT
The DAS Embed Map Component accepts an access token in its jwttoken property. Requests are validated by checking the request Origin and by verifying the signature of the JWT.
To validate the token's signature, DAS needs access to a JWKS JSON file, as discussed in the prerequisites, and the JWT must be signed with the RSA private key that matches the public key published in that JWKS.
In a JWT (JSON Web Token), no claims are strictly compulsory according to the specification, but certain claims are highly recommended and often required depending on the use case and security needs.
In our case, we require an access token. Access tokens are used to grant limited access to protected resources on behalf of a user or system. They need specific claims to ensure secure and proper functionality. While not all claims are technically required by the JWT specification, the following are typically considered essential for access tokens:
Recommended Claims for Access Tokens
Claims | Description | Purpose | Example |
---|---|---|---|
iss | Identifies the authorization server or entity that issued the token. | Ensures the token comes from a trusted source. | auth.yourdomain.com |
aud | Identifies the resource server(s) the token is intended for. | Ensures the token is only accepted by the intended recipient(s). | api.yourdomain.com |
exp | Indicates when the token will expire, in seconds since the epoch. | Limits the token’s validity to reduce the risk of misuse. | 1700000000 |
nbf | Specifies the time before which the token is not valid. | Prevents the token from being used before a specific time. | 1690000000 |
iat | Specifies the time the token was issued, in seconds since the epoch. | Allows the recipient to validate the token’s freshness. | 1690000000 |
sub | Identifies the principal (user or entity) on whose behalf the token is issued. | Indicates who the token represents. | user123 |
jti | A unique identifier for the token. | Prevents replay attacks by identifying tokens individually. | unique-token-id |
Generate and Sign JWT Access Token
Here's an example of how to generate and sign an access token in TypeScript using the jose library. It assumes an already generated RSA private key; if the key is stored in PEM (PKCS#8) format, you can import it with the jose library's importPKCS8 method. The example signs the JWT with the RS256 algorithm and includes the necessary claims.
```typescript
import { SignJWT, importPKCS8 } from 'jose';
import type { KeyLike } from 'jose';

// Example of an existing private key in PEM (PKCS#8) format
const PRIVATE_KEY_PEM = `
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...
-----END PRIVATE KEY-----
`;

// Function to import the existing private key for use with RS256
async function getPrivateKey(): Promise<KeyLike> {
  return await importPKCS8(PRIVATE_KEY_PEM, 'RS256');
}

// Function to generate the access token with the recommended claims
async function generateAccessToken(privateKey: KeyLike): Promise<string> {
  const now = Math.floor(Date.now() / 1000); // seconds since the epoch
  const claims = {
    iss: 'auth.example.com', // Issuer
    sub: 'user123',          // Subject
    aud: 'api.example.com',  // Audience
    exp: now + 3600,         // Expiration Time (1 hour from now)
    iat: now,                // Issued At
  };
  const token = await new SignJWT(claims)
    .setProtectedHeader({ alg: 'RS256' })
    .sign(privateKey);
  return token;
}
```
For more details on generating and signing a JWT token, refer to the SignJWT documentation on GitHub. This resource provides in-depth guidance on creating and signing JWTs, including examples for configuring payloads, headers, and using the RS256 algorithm for secure token generation.
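As an added example (not part of the DAS documentation or of the jose library), the following Node.js code shows the other half of the flow this page describes: the resource server selecting the RS256 public key from the JWKS by kid, verifying the signature, and enforcing the iss, aud, exp and nbf claims from the table above. It uses only Node's built-in crypto module so it runs offline; the key pair, key id and issuer/audience values are constructed for the example.

```typescript
import * as crypto from 'node:crypto';

// Constructed RSA key pair standing in for the deployment's real key. The public
// half, published as the JWKS that DAS fetches (see prerequisites), is all the
// verifier ever needs; the private half stays with the token issuer.
const KID = 'das-signing-key-1'; // hypothetical key id
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: KID, use: 'sig', alg: 'RS256' }] };

const b64url = (data: Buffer | string): string => Buffer.from(data).toString('base64url');

// RS256 signer: what jose's SignJWT does under the hood (RSASSA-PKCS1-v1_5 with SHA-256).
function signRS256(claims: Record<string, unknown>, key: crypto.KeyObject, kid: string): string {
  const header = { alg: 'RS256', typ: 'JWT', kid };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), key);
  return `${signingInput}.${b64url(signature)}`;
}

// Resource-server side: pin the algorithm, select the key by kid, verify the
// signature, then enforce the iss/aud/exp/nbf claims from the table above.
function verifyAccessToken(
  token: string,
  jwks: { keys: Array<crypto.JsonWebKey & { kid?: string }> },
  expected: { iss: string; aud: string },
  now: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error(`unexpected alg: ${header.alg}`); // no alg negotiation
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const pub = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), pub, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== expected.iss) throw new Error('wrong issuer');
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('token expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf) throw new Error('token not yet valid');
  return claims;
}
```

Only claims that survive every check are returned; a token that fails any step is rejected before its payload is trusted, which is the behaviour behind the 401 described below.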
Embed Signed JWT Token into DAS Map Component
```typescript
// Function to dynamically set the jwttoken property on the das-map element.
// Note: signing in the browser exposes the private key to the client; in a
// deployment the token should be minted server-side and only the signed
// token handed to this page.
async function setJWTToDASMap(): Promise<void> {
  try {
    // Get the private key
    const privateKey = await getPrivateKey();
    // Generate the JWT token
    const token = await generateAccessToken(privateKey);
    // Set the token on the das-map component
    const dasMap = document.getElementById('das-map');
    if (!dasMap) {
      throw new Error('das-map element not found');
    }
    dasMap.setAttribute('jwttoken', token);
    // Do not log the token itself: it is a bearer credential
    console.log('JWT Token set directly on das-map component');
  } catch (error) {
    console.error('Error generating or setting JWT Token:', error);
  }
}
```
Any request to retrieve an existing farm or create a new one without a JWT will result in a 401 HTTP response code.