Add a JWT

The DAS Embed Map Component accepts an access token in the jwttoken property. Each request is validated using the request Origin together with signature validation of the JWT.

Info

To validate the signature of the token, DAS requires access to a JWKS JSON file, as discussed in the prerequisites, and the JWT must be signed using the same RSA private key.

Claims for Access Tokens

Access tokens are used to grant limited access to protected resources on behalf of a user or system. They need specific claims to ensure secure and proper functionality. While not all claims are required by the JWT specification, we recommend (and require, in some cases) at least the following registered claims:

| Claim | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| iss | StringOrURI | No | Identifies the authorization server or entity that issued the token. | "https://auth.yourdomain.com" |
| sub | URI | Required if Origin is not unique | Identifies the DAS Embed account. | "https://embed.dasintel.io/#abc" |
| aud | URI, or Array of StringOrURI | No | If specified, it must include https://embed.dasintel.io | "https://embed.dasintel.io" or [ "https://embed.dasintel.io", ... ] |
| jti | String | No | A unique identifier for the token. | "00112233-4455-6677-8899-aabbccddeeff" |
| scope | String | No | List of space-separated permissions. Valid permissions are: view, edit, and create. All permissions are granted if scope is empty or missing. To enable view-only mode set scope to "view". | "view edit create", "view edit", "view create", "view", ... |
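
Because an empty or missing scope grants every permission, a token meant to be view-only but issued without a scope claim carries edit and create as well. The following is an added example, not DAS code: a hypothetical pre-signing check (`effectivePermissions`, `preflightClaims` and `EmbedClaims` are names invented here) that models the table above and flags claims granting more than intended. It assumes permission names outside view, edit and create grant nothing, and treats a missing or past exp as a problem by local policy.

```typescript
// Added example, not DAS code. Models the claims table on this page.
const DAS_AUDIENCE = 'https://embed.dasintel.io';
const VALID_PERMISSIONS = ['view', 'edit', 'create'] as const;
type Permission = (typeof VALID_PERMISSIONS)[number];

interface EmbedClaims {
  sub?: string;
  aud?: string | string[];
  exp?: number;
  scope?: string;
}

const splitScope = (scope?: string): string[] =>
  (scope ?? '').split(' ').filter((p) => p.length > 0);

// Documented rule: an empty or missing scope grants every permission.
// Assumption: names outside view/edit/create grant nothing.
function effectivePermissions(scope?: string): Permission[] {
  const requested = splitScope(scope);
  if (requested.length === 0) return [...VALID_PERMISSIONS];
  return VALID_PERMISSIONS.filter((p) => requested.includes(p));
}

// Hypothetical pre-signing check; an empty result means the claims match intent.
function preflightClaims(claims: EmbedClaims, intended: Permission[], nowSeconds: number): string[] {
  const problems: string[] = [];
  const known: readonly string[] = VALID_PERMISSIONS;
  const unknown = splitScope(claims.scope).filter((p) => !known.includes(p));
  if (unknown.length > 0) problems.push(`unknown permission(s): ${unknown.join(', ')}`);

  const granted = effectivePermissions(claims.scope);
  const excess = granted.filter((p) => !intended.includes(p));
  if (excess.length > 0) problems.push(`grants more than intended: ${excess.join(', ')}`);

  if (claims.aud !== undefined) {
    const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!audiences.includes(DAS_AUDIENCE)) problems.push(`aud must include ${DAS_AUDIENCE}`);
  }
  // Local policy (assumption, not a stated DAS requirement): require a future exp.
  if (claims.exp === undefined || claims.exp <= nowSeconds) problems.push('exp missing or in the past');
  return problems;
}

// Constructed sample: intended as view-only, but scope was forgotten.
const now = Math.floor(Date.now() / 1000);
const forgotten: EmbedClaims = { sub: 'https://embed.dasintel.io/#abc', aud: DAS_AUDIENCE, exp: now + 3600 };
console.log(preflightClaims(forgotten, ['view'], now));
console.log(preflightClaims({ ...forgotten, scope: 'view' }, ['view'], now));
```

Running the check on the claims object just before it is passed to the signer catches a dropped scope before the token leaves the issuer.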

Generate and Sign JWT Access Token

Here's an example of how to generate and sign an access token in TypeScript using the jose library. This example uses an already generated RSA private key. If the private key is stored in PEM format, you can import it using the jose library's importPKCS8 method. The example also signs the JWT with the RS256 algorithm and includes the necessary claims.

```typescript
import { SignJWT, importPKCS8 } from 'jose';

// Example of an existing private key in PEM format.
// Load the real key from a secret store; keep it out of source control and client-side code.
const PRIVATE_KEY_PEM = `
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...
-----END PRIVATE KEY-----
`;

// Function to import the existing private key
async function getPrivateKey() {
  return await importPKCS8(PRIVATE_KEY_PEM, 'RS256');
}

// Key type returned by importPKCS8 (jose's key type, not the KeyLike type from Node's crypto module)
type PrivateKey = Awaited<ReturnType<typeof getPrivateKey>>;

// Function to generate the access token
async function generateAccessToken(privateKey: PrivateKey): Promise<string> {
  const claims = {
    iss: 'https://auth.yourdomain.com', // Issuer
    sub: 'https://embed.dasintel.io/#abc', // Subject
    aud: 'https://embed.dasintel.io', // Audience
    exp: Math.floor(Date.now() / 1000) + 3600, // Expiration Time (1 hour)
    iat: Math.floor(Date.now() / 1000), // Issued At
    scope: "view" // Scope
  };

  // Sign the claims with RS256 using the imported private key
  const token = await new SignJWT(claims)
    .setProtectedHeader({ alg: 'RS256' })
    .sign(privateKey);

  return token;
}
```

For more details on generating and signing a JWT token, refer to the SignJWT documentation on GitHub. This resource provides in-depth guidance on creating and signing JWTs, including examples for configuring payloads, headers, and using the RS256 algorithm for secure token generation.

Add Signed JWT Token to DAS Map Component

```typescript
// Function to dynamically set the jwttoken property
async function setJWTToDASMap() {
  try {
    // Get the private key
    const privateKey = await getPrivateKey();

    // Generate the JWT token
    const token = await generateAccessToken(privateKey);

    // Set the token to the das-map component
    const dasMap = document.getElementById("das-map");
    if (!dasMap) {
      throw new Error("das-map element not found");
    }
    dasMap.setAttribute("jwt-token", token);

    // Log success without writing the token itself to the console
    console.log("JWT Token set directly on das-map component");
  } catch (error) {
    console.error("Error generating or setting JWT Token:", error);
  }
}
```

Any request to retrieve an existing farm or create a new one without a JWT will result in a 401 HTTP response code.