JWT Provider
The JWT Provider feature allows you to configure an external application as an Identity Provider (IDP) using JSON Web Tokens (JWT). This is especially useful if your preferred login source is unavailable in LoginRadius’ default social login network list or if you are integrating a proprietary app that supports JWT.
LoginRadius acts as the Service Provider (SP), and your application (supporting JWT) acts as the Identity Provider (IDP).
Use Cases
- Support is available for proprietary or third-party identity providers that issue JWT tokens.
- Enable login for apps unavailable in the default LoginRadius social login provider list.
- Allow customers from an external JWT-based system to access your LoginRadius-enabled application.
How It Works
The JWT login flow allows users to authenticate through your JWT-compatible Identity Provider. Once authenticated, a token is shared with LoginRadius for verification, enabling seamless access.
- The user clicks the JWT login icon on the LoginRadius-enabled application.
- They are redirected to your JWT IDP's login page (e.g., https://www.jwtlogin.com/login).
- If already authenticated, the user skips login. Otherwise, they enter their credentials.
- After successful authentication, the IDP redirects the user to LoginRadius with a JWT token: `https://{appname}.hub.loginradius.com/access/jwt?jwttoken=<JWT_TOKEN>`
- LoginRadius validates the token:
  - If the token is valid and the user exists, the user is logged in and redirected with an access token.
  - If the token is not valid or the user doesn't exist, they are redirected to: `https://{appname}.hub.loginradius.com/access/jwt/error`
Note: LoginRadius supports both the query string and the POST method for JWT token delivery.
The following image displays the functional flowchart for the JWT login:
JWT Login UI Behavior
The JWT login UI behaves like a standard social login. When "Include In Social Schema" is enabled during JWT configuration, a login icon appears alongside other social providers on the LoginRadius V2.js login interface.
JWT Provider Setup in Console
| Configuration Item | Details |
|---|---|
| Access JWT Provider Configuration | Log in to your Admin Console, navigate to Platform Configuration > Authentication Configuration > Custom IDPs, and select JWT Provider. |
| Add Provider | Click the Add Provider button to launch the JWT configuration form. |
| Provider Name | Enter a unique name that appears on LoginRadius IDX and V2.js forms. Validation Rules: |
| Signing Algorithm | Choose the algorithm used by your IDP to sign JWTs: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512. |
| Key or JWKS Endpoint | Depending on the algorithm: |
| Clock Skew (Optional) | Adjust for time drift by adding/subtracting time from the server clock when validating the token lifetime. Use integer values. |
| Expiration Time Difference (Optional) | Modify the exp claim lifespan tolerance. Increases or decreases the accepted expiration window for JWT processing. |
| Token Query Parameter Name (Optional) | Define the name of the query parameter used to pass the JWT token. |
| Login URL (Optional) | Specify the URL to which users are redirected for IDP login. Example: https://www.jwtlogin.com/login |
| Required Parameters (Optional) | Toggle one or more: |
| Auto Lookup (Optional) | When enabled, define a domain to trigger automatic redirection to the IDP if the user's email matches. Note: This hides the provider from the social schema. |
| Issuer Validation (Optional) | Verify the iss claim: |
| Audience Validation (Optional) | Validate the aud claim: |
| Data Mapping | Define JWT → LoginRadius field mappings. Mapping example: LoginRadius `ID` → JWT `id`. The ID mapping is required. Enable Update Email Profile to sync values from the JWT payload. |
| Include in Social Schema | Enable to display this JWT provider icon in LoginRadius IDX or V2.js social login forms. |
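The following is an added example, not LoginRadius code, that walks through both the login flow above (the IDP mints a token, the SP validates it before trusting any claim) and the validation settings in this table (signature algorithm pinning, exp with clock skew, issuer and audience validation, and the ID-required data mapping). It uses only the Python standard library to implement HS256 so it runs offline; the shared secret, claim names, issuer, audience and mapping are constructed sample values, not settings from any real console.

```python
# Added example (not LoginRadius code): minimal HS256 JWT mint + verify that
# mirrors the checks the JWT Provider settings describe.
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """IDP side: sign the claims before redirecting with ?jwttoken=<token>."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(ValueError):
    """Raised for any validation failure; the caller sends the user to the error URL."""


def verify_hs256_token(token, secret, *, issuer=None, audience=None, clock_skew=0, now=None):
    """SP side: verify signature and lifetime, then iss/aud, before using any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to the one configured for the provider; never trust the
    # token's own alg header to select the verification method.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise TokenError("missing exp")
    # Clock Skew: tolerate drift of up to clock_skew seconds on both bounds.
    if now > claims["exp"] + clock_skew:
        raise TokenError("token expired")
    if "nbf" in claims and now < claims["nbf"] - clock_skew:
        raise TokenError("token not yet valid")
    # Issuer Validation / Audience Validation, applied only when configured.
    if issuer is not None and claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    if audience is not None:
        aud = claims.get("aud")
        aud_list = aud if isinstance(aud, list) else [aud]
        if audience not in aud_list:
            raise TokenError("audience mismatch")
    return claims


def map_claims(claims, mapping):
    """Data Mapping: mapping is {loginradius_field: jwt_claim}; ID is required."""
    profile = {lr_field: claims[jwt_claim] for lr_field, jwt_claim in mapping.items() if jwt_claim in claims}
    if "ID" not in profile:
        raise TokenError("ID mapping is required but the mapped claim is missing")
    return profile


# Constructed sample values (hypothetical, not from any real configuration).
SECRET = b"shared-secret-configured-in-admin-console"
ISSUER = "https://www.jwtlogin.com"
AUDIENCE = "myapp"
MAPPING = {"ID": "id", "Email": "email", "FirstName": "given_name"}


def demo(now=1_700_000_000):
    """Full round trip: IDP mints, SP verifies with 60 s skew, claims are mapped."""
    token = mint_hs256_token(
        {"id": "user-42", "email": "ada@example.test", "given_name": "Ada",
         "iss": ISSUER, "aud": AUDIENCE, "exp": now + 300},
        SECRET,
    )
    claims = verify_hs256_token(token, SECRET, issuer=ISSUER, audience=AUDIENCE, clock_skew=60, now=now)
    return map_claims(claims, MAPPING)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: signature first, then lifetime, then issuer and audience, and only then the data mapping, so an unsigned or expired token never reaches the profile-building step. A token that fails any check is what the flow above sends to the `/access/jwt/error` URL.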
Once your JWT Provider is configured, consider reviewing these resources to enhance your integration and customization further: