User Authentication and Authorization

User authentication is commonly handled by the customer portal via username and password. Authorization is the process of giving the user permission to access a specific resource or function.

Auth0

If you do not already have a way of authenticating your users, you can enable the Auth0 Plugin to use Auth0 together with DynaMaker.

JSON Web Token

JSON Web Token (JWT) is an open, industry-standard RFC 7519 method for representing claims securely between two parties and is the recommended way of adding authorization to your deployed DynaMaker application. The jwt.io website is a great resource when working with JWTs.

Creating a token

When the user has successfully logged in to your user portal, you can create a signed JWT for that user. We recommend using a well-maintained library to create the token.

Token claims

{
  // REQUIRED. Unique and persistent ID of the user.
  "sub": "77e62e94-b416-4497-816d-0f9fa740c51b",

  // REQUIRED. Identifies the time at which the JWT was issued. A JSON numeric
  // value representing the number of seconds from 1970-01-01T00:00:00Z UTC
  // until the specified UTC date/time, ignoring leap seconds.
  "iat": 1516239022,

  // REQUIRED. Identifies the expiration time on or after which the JWT MUST NOT
  // be accepted for processing. A JSON numeric value representing the number
  // of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC
  // date/time, ignoring leap seconds.
  "exp": 1516325422,

  // OPTIONAL. Read about the "role" claim in the following section.
  "role": "user",

  // OPTIONAL. If you want to add other fields to your JWT, we recommend
  // wrapping them in an object with the property name "custom", to avoid any
  // potential conflicts with DynaMaker fields.
  "custom": {
    "organizationId": "IPaCb28MH"
  }
}

User role

We use the role claim to assign an application-level role to the user.

  • The user role enables saving and loading of configurations within the deployed application.
  • The manager role gives access to other users' saved configurations within the deployed application.

Signing the token

The JWT must be signed with HS256 (HMAC with SHA-256). It is a symmetric algorithm, which means that there is a single secret key shared between the two parties: the same key both generates the signature and validates it, so anyone who obtains the key can mint tokens that will be accepted. Keep the key secret on the server side and never embed it in client-side code. You can create a secret from the settings modal in your app dashboard.

Example

// content
{
  "sub": "77e62e94-b416-4497-816d-0f9fa740c51b",
  "iat": 1516239022, // Thu Jan 18 2018 02:30:22 GMT+0100
  "exp": 1516325422  // Fri Jan 19 2018 02:30:22 GMT+0100
}

// signed
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI3N2U2MmU5NC1iNDE2LTQ0OTctODE2ZC0wZjlmYTc0MGM1MWIiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTUxNjMyNTQyMn0.B34FmQuKeksLFrtudQxrn6OwQBwCYeUb1KgWG5q85kA

Using a token

To send the signed token to DynaMaker, include it as the URL query parameter token when embedding the application:

<iframe src="https://deployed.dynamaker.com/applications/<MY_PROJECT_ID>/?token=eyJhbGciOi..."></iframe>