Requirements for JSON (JWT) authentication

Question

What are the requirements for JSON (JWT) authentication?

Answer

  1. The JWT must be sent to the Application Server in a POST request to the following URL:
    http://<ApplicationServer>/Flexicapture12/Server/jwt
    When working with tenants, append the identifier ?Tenant=MyTenantName to the Application Server URL:
    http://<ApplicationServer>/Flexicapture12/Server/jwt?Tenant=MyTenantName
  2. Choose any service you like for creating a login. For details on how to get the authentication data, see the documentation of the third-party service. For example, the OneLogin service offers ready-made toolkits for several development languages.
  3. Example of JSON data:
    {"alg":"RS256","kid":"-JLCtyyTyF69AZrtjpk-xGs-nUE","x5t":"-JLCtyyTyF69AZrtjpk-xGs-nUE","typ":"JWT"}.

    {"nameid":"user","nbf":1572267172,"exp":1572267772,"iss":"ABBYY","aud":"test JWT app"}
  4. No conditions are imposed on the signature of the certificate or on who generated it, but policies can be set in the operating system. For example, a policy can require that the certificate be signed by a publisher from Trusted Roots.
  5. The certificate is used to verify the JWT signature. It must be suitable for digital signatures, i.e. it must have "digital signature" in the "Key Usage" field.
  6. FlexiCapture doesn't need any JWT fields for authentication. It validates that the token came from a trusted source by checking its signature.
  7. If authentication is successful, authorization follows. The "nameid" parameter is used for authorization, and its value is treated as the login.
  8. A link to the project with a code example can be found at the very end of this article.
  9. The SAML and JWT SSO methods described in the FlexiCapture 12 Online Help currently cannot be used in an iFrame. Currently, Auth Ticket cannot be used to load an iFrame.
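
Items 3, 6 and 7 as an added Node.js example (not ABBYY's code and not the project this article links to): it signs a token shaped like the sample and verifies it by signature, then reads "nameid" as the login. The throwaway key pair, the function names and the pinning of "alg" to RS256 are assumptions of this example.

```javascript
const crypto = require('crypto');

// base64url without padding, as JWT requires
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed throwaway key pair. In a real deployment the private key stays with
// the token issuer and the server holds the matching certificate.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Issuer side: header and payload mirror the sample in item 3 (kid/x5t omitted).
function makeJwt(login, key, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = { nameid: login, nbf: now, exp: now + 600, iss: 'ABBYY', aud: 'test JWT app' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // 'sha256' with an RSA key gives RSASSA-PKCS1-v1_5 + SHA-256, i.e. RS256
  return `${signingInput}.${b64url(crypto.sign('sha256', Buffer.from(signingInput), key))}`;
}

// Verifier side (hypothetical, not FlexiCapture's implementation): trust rests on
// the signature alone; "nameid" is returned as the login only if it verifies.
function verifyJwt(token, pubKey) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm; never let the token's own header choose how it is checked.
  if (!header || header.alg !== 'RS256') return null;
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), pubKey,
    Buffer.from(parts[2], 'base64'));
  return ok && payload && typeof payload.nameid === 'string' ? payload.nameid : null;
}

// Swap the payload but keep the original signature: verification must fail.
function withPayload(token, payload) {
  const [h, , s] = token.split('.');
  return [h, b64url(JSON.stringify(payload)), s].join('.');
}

const token = makeJwt('user', privateKey);
console.log(verifyJwt(token, publicKey));                                   // user
console.log(verifyJwt(withPayload(token, { nameid: 'admin' }), publicKey)); // null
```

Because the signature is the only thing that establishes trust, a verifier that accepted the algorithm named in the token header, or skipped verification on a parse error, would accept any "nameid" a client chose to send.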
