Using the JWT

The main use of the JWT is to authenticate calls from the SPA back to the SPA application server, and to authorize what the user can do there.

Pass the JWT as a Bearer token, i.e. each request to the application server should carry an Authorization header in the following format:

Authorization: Bearer ...token...

The SPA application server must validate the token's signature against the public key paired with the private key used to generate the JWT. It should also insist that the token's header names the signing algorithm Metrici actually uses, rather than accepting whatever algorithm the token claims, and, if the token carries an expiry claim, reject it once that time has passed. The public key is available within the Metrici application, and can be copied into a configuration file or similar on the application server.

If the SPA is only ever to be used for one organisation, and there is only one instance of the Metrici application, then the application server only needs to use a single key.

However, if there may be more than one instance of the Metrici application, and these may be used by different organisations, then each organisation must have its own key pair. In this case, the application server must determine for which instance it is being run, and pick a key appropriately. Typically, an identifier for an instance would be passed as part of the call to the application server, and this can be used to look up the appropriate key. The lookup should be against a fixed table of keys held in the application server's own configuration: the identifier only selects among keys the server already trusts, and the request must never be allowed to supply a key (or a location to fetch one from) itself. Once the token has been verified, the server should also confirm that any instance or issuer claim it carries matches the instance whose key was used, so that a token from one organisation cannot be presented as another's.

Once validated, the application server can use the payload of the JWT to discover the user identity and configuration options, as set by the SPA controller.

It may be that the SPA also uses information encoded into the JWT payload to configure the SPA UI, for example to give administrative users more options. The logic for this may be within the SPA, rather than the application server.

In these cases, the SPA should consider whether it needs to validate the JWT before using it within the SPA, to guard against invalid JWTs. In general, if the JWT is only being used to alter the appearance of the UI, and does not confer any rights to access data or perform updates, validation in the SPA is not necessary: an unvalidated token can at most change what the browser displays, and every call that matters is still validated by the application server. If, however, the SPA does use the JWT to confer data access or update rights, then validation must be performed. This can be achieved by calling the application server to validate the JWT. Even then, a check made in the browser cannot be relied on by itself, since the SPA code runs under the user's control; the application server must still validate the token and enforce those rights on every request it receives.

In a simple scenario with only one instance and one key, you can use the Verify JWT service on Metrici to validate the JWT from the SPA.