For services hosted behind an IMSG, nothing needs to be done: the IMSG already supports access tokens. It validates the access token and creates a service token, just as it does when the API is accessed with an ID token.
Authentication means being sure of who the caller is
The steps required to ensure an access token is valid are the following:
1. Ensure the ntt (Naviga Token Type) claim in the access token payload equals access_token.
2. Read the kid (key id) from the access token header.
3. Fetch the corresponding public key from https://imas.stage.imid.infomaker.io/v1/jwks for the stage environment or https://imas.imid.infomaker.io/v1/jwks for the production environment.
4. Ensure alg (algorithm) in the access token header is identical to the key's alg. The token must never be allowed to choose the algorithm: a token whose alg is none, or anything other than what the published key states, is rejected.
5. Use a suitable library for your language to validate the access-token signature using that key.
6. Check that the current time is less than exp in the access token payload.
A token is only valid if every one of these checks passes; a claim read from the payload before the signature has been verified (ntt in step 1) must not be acted on until the signature check has succeeded.
It is important that the server clock is synchronized (for example via NTP); if it is not, the application might accept tokens that have already expired.
The keys published on /jwks can, and should, be cached in the application for up to 10 min.
Note that a token with a kid that does not exist in the cached /jwks might still be a valid token: a new key may have been published but not yet fetched by the application. For that reason, the application should re-fetch /jwks (once) when an unknown kid appears. Re-fetching once per unknown kid, rather than on every request that carries one, also keeps a stream of junk tokens from turning into a flood of requests against /jwks.
Similarly, a key might be revoked at any time, so never cache /jwks for more than 10 min. If /jwks is cached for a longer period, tokens with an invalidated kid or signature can appear to be valid when they are not.
Authorization means knowing what actions the caller is allowed to do
Permissions are included in the payload as described below. Permission strings are on the format service_name:permission_name. Permissions in the permissions.org array are valid in all units, while permissions in the permissions.units[unit_name] array are only valid in that specific unit.
More information about Naviga ID's permission model can be found on the authorization schema page.
The Access Token payload is as follows: