The user signs into Metrici. They navigate to a controller page that either embeds the SPA in an iframe or redirects to the SPA. The SPA is passed information about the controller page from which it was launched.
Standard scripts within the SPA call a web service associated with the controller page to retrieve a JWT. This uses the existing Metrici web session to authenticate the user and avoid an additional sign-in, a method known as "silent authentication". The web service builds the appropriate configuration and permission information for the user, and calls a JSON web token manager (see Security library) to authenticate and authorize the user.
The JWT passed back to the SPA can be used to secure calls back to the SPA's application server. The JWT contains configuration and permission information, allowing the SPA's application server to process requests from the SPA accordingly.
The SPA can call Metrici web services. These web services are authenticated using the Metrici web session, and do not require a JWT. These calls, and the call to retrieve the JWT, use a hidden iframe to manage the connection to the Metrici session. The calls to Metrici are managed by a Session object, which can also control navigation back to a sign-in page when the user's Metrici session ends.
JWTs are short-lived and are refreshed when required. When the user navigates away from the page, the JWT is removed from the browser's memory. If the user signs out of Metrici, no further JWTs are issued and any existing JWTs quickly expire. Any further attempt to access Metrici, for example to refresh the JWT, will force the user to sign in again.
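The SPA-side lifecycle described above (fetch a JWT via the Metrici session, hold it only in memory, refresh before expiry, drop it and return to sign-in once the session is gone), as an added example that is not Metrici's own code. The hidden-iframe transport is replaced by an injected async `fetchToken`, and the `Session`, `onSignedOut` and `makeUnsignedJwt` names are assumptions for this illustration.

```javascript
// Added example (not Metrici's code): models the SPA-side JWT lifecycle.
// The hidden-iframe transport is replaced by an injected async `fetchToken`
// so the logic runs stand-alone in Node.

function decodeJwtExp(jwt) {
  // Read the `exp` claim from the payload without verifying the signature:
  // the SPA only needs it to schedule refreshes; verification is done by
  // the application server that receives the token.
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const claims = JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
  if (!Number.isInteger(claims.exp)) throw new Error("JWT has no exp claim");
  return claims.exp;
}

class Session {
  // fetchToken: async () => jwt string; rejects once the Metrici session is gone.
  // onSignedOut: callback that sends the user back to the sign-in page.
  constructor({ fetchToken, onSignedOut, now = () => Date.now(), skewSeconds = 30 }) {
    Object.assign(this, { fetchToken, onSignedOut, now, skewSeconds });
    this.jwt = null; // token lives only in memory, never in storage
    this.exp = 0;
  }
  needsRefresh() {
    // Refresh a little before expiry so in-flight requests never carry a dead token.
    return this.jwt === null || this.exp - this.skewSeconds <= this.now() / 1000;
  }
  async getJwt() {
    if (!this.needsRefresh()) return this.jwt;
    try {
      const token = await this.fetchToken();
      this.exp = decodeJwtExp(token); // validate shape before caching
      this.jwt = token;
      return token;
    } catch (err) {
      // No Metrici session (or a malformed token): drop state, go to sign-in.
      this.clear();
      this.onSignedOut(err);
      return null;
    }
  }
  clear() {
    // Called when the user navigates away: forget the token.
    this.jwt = null;
    this.exp = 0;
  }
}

// Constructed sample token for the demo only: unsigned, placeholder signature part.
function makeUnsignedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig-placeholder`;
}
```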