
JWT Login Flow

JSON Web Token (JWT) is a widely adopted token format for Single Sign-On (SSO), commonly used in B2C applications. It enables stateless authentication between LoginRadius (the Identity Provider) and your application (the Service Provider): the token carries the user's claims together with a digital signature, so your application can check who issued it and that it has not been altered without calling back to LoginRadius. A signed JWT is compact and self-contained but not encrypted; its payload is readable by anyone who holds the token.

LoginRadius supports JWT-based authentication, offering flexibility in token generation methods and full control over the payload through the Admin Console.

Key Features

  • Signed tokens: the digital signature lets the Service Provider verify that a token was issued by LoginRadius and has not been modified (transport confidentiality still relies on TLS).
  • Multiple signing algorithms:
    • HMAC: HS256, HS384, HS512
    • RSA: RS256, RS384, RS512
    • ECDSA: ES256, ES384, ES512
  • Customizable payload: map any field of the LoginRadius normalized user profile into the token claims.
  • Flexible integration: choose from JavaScript-based forms, APIs, or redirect-based SSO.

Configuration

To set up JWT Login with LoginRadius, you must configure a few essential options, including the signing algorithm and the payload mapping, in the LoginRadius Admin Console under Integration > SSO Integrations > JWT. For full setup instructions and advanced configuration, refer to the JWT configuration documentation.

Integration Guide

Three methods of implementing the JWT Login Flows are shown below.

API-Generated JWT Tokens

This flow is ideal for custom login forms or for integrating Single Sign-On (SSO) across your web properties. It is the right choice when you need to obtain a JWT token through the API after authenticating the user by email, username, or phone number together with a password.

LoginRadius provides a JWT generation API for each of these credential types. Upon successful authentication, the API returns a JWT token, which makes this flow suitable for custom authentication forms and server-side applications.

JavaScript Forms Integration

This method lets you use all of the standard LoginRadius JavaScript interfaces. Upon completing a Login or Social Login action, the response carries a JWT token in addition to the access token.

Follow these steps to obtain a JWT token using the JavaScript interfaces:

  1. Set up the Standard Login or Social Login Forms based on this document.

  2. Add the following parameters to the initialization object, either in your option.js file or in the LoginRadiusV2JsLoaded() function, as shown below.

    commonOptions.tokenType = "jwt";
    commonOptions.integrationName = "<JWT App Name>";

    NOTE:

    • tokenType: the type of token returned by the workflow; for a JWT implementation, set it to jwt.
    • integrationName: the name of the JWT app configured under Integrations > SSO Integrations.

    For Example:

    <script type='text/javascript'>
    // Load the LoginRadius JS SDK once, then run the initialization
    // callback as soon as it is available.
    if (typeof LoginRadiusV2 === 'undefined') {
        var e = document.createElement('script');
        e.src = 'https://auth.lrcontent2.com/v2/js/LoginRadiusV2.js';
        e.type = 'text/javascript';
        document.getElementsByTagName("head")[0].appendChild(e);
    }
    var lrloadInterval = setInterval(function () {
        if (typeof LoginRadiusV2 != 'undefined') {
            clearInterval(lrloadInterval);
            LoginRadiusV2JsLoaded();
        }
    }, 100);

    function LoginRadiusV2JsLoaded() {
        var commonOptions = {};
        commonOptions.apiKey = "<your loginradius api key>";
        commonOptions.hashTemplate = true;
        // Request a JWT from the named JWT app in addition to the access token.
        commonOptions.tokenType = "jwt";
        commonOptions.integrationName = "<App Name>";
        commonOptions.sott = "<Get_Sott>";
        commonOptions.verificationUrl = window.location; // change as per requirement
        var LRObject = new LoginRadiusV2(commonOptions);
    }
    </script>
  3. You will receive a standard response containing the access token, user profile, and JWT token.

    {
        "profile": { <Normalized User Profile> },
        "access_token": "<ACCESS Token>",
        "expires_in": "<Time Stamp>",
        "jwttoken": "<JWT Token Response>"
    }

Redirect-Based Single Sign-On (SSO)

A delegated redirect Single Sign-On (SSO) flow is also supported, allowing you to redirect users to the LoginRadius Hosted Pages. There, users can perform account actions such as login, registration, and password recovery. After a successful login, whether through traditional or social login, the user is redirected to a predefined location, along with the JWT token for the authenticated session.

More details on this flow can be found in the LoginRadius documentation for redirect-based SSO.

Best Practices

  • Prefer RS256 or ES256 over the HMAC algorithms. With HS256/384/512 the secret that verifies a token is the same secret that signs it, so every service able to validate tokens can also mint them; with an asymmetric algorithm only the Identity Provider holds the private key and your application verifies with the public key. Whichever algorithm you choose, pin it in your verifier rather than trusting the alg header, and check the signature and the exp claim before using any other claim.
  • Keep your integrationName unique per application for better traceability.
  • Map only the profile fields your application actually needs into the JWT payload. The payload is base64url-encoded, not encrypted, so anything you put there is readable by whoever holds the token, and extra fields make every token larger.