JWT Login
Overview
JSON Web Token (JWT) is an open standard (RFC 7519) that enables secure, self-contained transmission of authentication and authorization information between parties as a JSON object. JWTs are digitally signed, ensuring data integrity and security. This makes JWT an ideal solution for Single Sign-On (SSO) in B2C applications, allowing users to authenticate once and gain seamless access to multiple platforms without repeated logins.
Key Benefits of JWT-Based SSO
Federated SSO using JWT offers businesses the following advantages:
- Enable Seamless Access: JWT facilitates Single Sign-On (SSO) by allowing users to authenticate once and gain access to multiple applications without the need to re-authenticate. This improves user experience and streamlines interactions across various platforms.
- Enhance Security: JWT ensures the integrity of authentication data through digital signatures (commonly using algorithms like HS256 or RS256). This guarantees that the token has not been tampered with. For additional security, encryption methods such as JSON Web Encryption (JWE) can be used to protect sensitive information within the token.
- Support Custom Integrations: JWT is widely supported by third-party service providers (SPs) and identity providers, making it a versatile choice for custom business integrations. Platforms like LoginRadius and other CIAM solutions can easily leverage JWT for seamless authentication and authorization processes.
- Ensure Scalability: JWT provides a stateless and lightweight authentication method that is highly scalable for high-traffic applications. Since the tokens do not require server-side session storage, they are well-suited for distributed systems and microservices architectures.
Use Cases of JWT-Based SSO
- E-Commerce Platforms: Online retailers can implement JWT-based SSO to provide a seamless shopping experience. Users can log in once and access multiple store sections (e.g., customer accounts, order history, and loyalty programs) without repeated authentication.
- Media & Entertainment: Streaming services can use JWT authentication to allow subscribers to switch between devices (e.g., mobile, web, smart TVs) while maintaining their session without requiring multiple logins.
- Online Learning Portals: Educational platforms can use JWT-based SSO to enable students to access multiple learning resources, assessments, and discussion forums seamlessly after a single authentication event.
LoginRadius Workflow with Federated SSO (JWT)
The following workflow illustrates the JWT-based SSO process between LoginRadius as the Identity Provider (IdP) and a third-party Service Provider (SP):
- User Request Initiation:
- The user attempts to access a protected resource within the Service Provider (SP) application.
- Authentication Request:
- The SP redirects the user to LoginRadius (Identity Provider, IdP) for authentication.
- User Authentication:
- The user authenticates using their credentials, such as social login, email/password, or enterprise SSO.
- LoginRadius verifies the user’s identity and processes the authentication request.
- JWT Issuance:
- Upon successful authentication, LoginRadius generates a JWT containing the user's claims (e.g., user ID, roles, and permissions).
- The JWT is digitally signed using the configured algorithm (e.g., HS256 or RS256) to ensure integrity and authenticity.
- Response Relay:
- The signed JWT is returned to the Service Provider (SP) for verification, either via browser redirect or via backchannel communication.
- Resource Access:
- The SP verifies the JWT's signature using the shared secret or public key.
- The SP extracts the claims from the JWT and authorizes the user based on the provided information.
- If validation is successful, access to the requested resource will be granted.
In this workflow, LoginRadius acts as the authentication intermediary between the user and the SP; the SP only has to verify the signed token it receives. Below is the visual representation of this flow:
Support for Multiple Signing Algorithms:
LoginRadius supports several JWT signing algorithms, which lets the SP pick the one that matches its implementation (HMAC with a shared secret, RSA, or ECDSA with a public/private key pair). The supported algorithms are:
- HS256, HS384, HS512
- RS256, RS384, RS512
- ES256, ES384, ES512
JWT Structure (Token Anatomy)
A JWT consists of three parts: Header, Payload, and Signature. Each part is Base64url-encoded separately, and the three encoded parts are concatenated with periods (.) to form the complete token.
- Header: Specifies metadata about the token and the algorithm used to sign it.

  {
    "alg": "HS256",
    "typ": "JWT"
  }

- Payload: Contains the user's claims and the attributes configured in the LoginRadius Admin Console. The standard claims are iss (issuer), sub (subject, the user's UID), jti (unique token ID), iat (issued at), nbf (not valid before), and exp (expiry); the remaining keys are the configured custom attributes.

  {
    "iss": "https://lrSiteName.hub.loginradius.com/",
    "sub": "{uid}",
    "jti": "unique string",
    "iat": 1573849217,
    "nbf": 1573849217,
    "exp": 1573849817,
    "Key1": "value1",
    "Key2": "value2"
  }

- Signature: Computed over the encoded header and payload using either the shared secret (HS256/HS384/HS512) or the issuer's private key (RS*/ES*). The SP verifies it with the same secret or the matching public key to confirm that the token was issued by LoginRadius and has not been altered in transit.
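As an added example (not LoginRadius code), the SP-side verification described in the "Resource Access" step, applied to a token with the claim layout shown above, together with the IdP-side issuance that produces it. The shared secret is a constructed placeholder and the issuer value is the one from the sample payload; the SP passes the current Unix time in as `now`.

```python
import base64, hashlib, hmac, json

# Constructed placeholders: not a real LoginRadius secret; issuer taken from the sample payload.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://lrSiteName.hub.loginradius.com/"

def b64url_encode(raw: bytes) -> str:
    # All three JWT segments use Base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding

def issue_hs256(claims: dict, secret: bytes) -> str:
    """IdP side: Base64url(header).Base64url(payload).Base64url(HMAC-SHA256 over the first two)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """SP side: check the signature first, then iss/exp/nbf. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The SP pins the algorithm it was configured with; the token header does not choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid (nbf)")
    return claims

def is_valid(token: str, secret: bytes, now: int) -> bool:
    # Convenience wrapper: True/False instead of raising (decode errors are ValueError subclasses).
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False
```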
Integration
- Managing the JWT provider from the Admin Console
  Navigate to the LoginRadius Admin Console under Authentication > SSO integration Interface. There, you can configure and manage your JWT-based SSO providers.
  Refer to the relevant document for detailed guidance on managing existing federated SSO providers.
- Redirection to Implementation via API & Hosted page
  For detailed implementation steps, refer to the following resources:
  - JWT Implementation via LoginRadius API: Provides the API endpoints and integration steps for configuring JWT authentication.
  - JWT Implementation via Hosted page: Guides users on integrating JWT authentication with the hosted page for a seamless user experience.