User Authentication and Authorization
User authentication is commonly handled by the customer portal via username and password. Authorization is the process of giving the user permission to access a specific resource or function.
Auth0
If you do not already have a way of authenticating your users, you can enable the Auth0 Plugin to use Auth0 together with DynaMaker.
JSON Web Token
JSON Web Token (JWT) is an open, industry-standard RFC 7519 method for representing claims securely between two parties and is the recommended way of adding authorization to your deployed DynaMaker application. The jwt.io website is a great resource when working with JWTs.
Creating a token
When the user has successfully logged in to your user portal, you can create a signed JWT for that user. We recommend using a well-maintained library to create the token.
Token claims
{
// REQUIRED. Unique and persistent ID of the user.
"sub": "jane.doe@example.com",
// REQUIRED. Identifies the time at which the JWT was issued. A JSON numeric
// value representing the number of seconds from 1970-01-01T00:00:00Z UTC
// until the specified UTC date/time, ignoring leap seconds.
"iat": 1516239022,
// REQUIRED. Identifies the expiration time on or after which the JWT MUST NOT
// be accepted for processing. A JSON numeric value representing the number
// of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC
// date/time, ignoring leap seconds.
"exp": 1516325422,
// OPTIONAL. Any other fields that you want to use.
"name": "Jane Doe",
"roles": ["manager", "my-custom-role"]
}
User roles
We use the roles claim to assign application-level roles to the user. Currently, manager is the only role used by DynaMaker. When the user has the manager role, they have access to other users' saved configurations within the deployed application.
Signing the token
The JWT must be signed with HS256 (HMAC with SHA-256). It is a symmetric algorithm, which means that there is a single secret key, shared between the two parties, that must be kept confidential. Since the same key is used both to generate the signature and to validate it, anyone who obtains the key can mint valid tokens for any user, so keep it on your server side (never in browser code or the deployed application's URL) and treat it like a password. You can create a secret from the settings modal in your app dashboard.
Example
// content
{
"sub": "someone@company.com", // must match the payload encoded in the signed token below
"iat": 1516239022, // Thu Jan 18 2018 02:30:22 GMT+0100
"exp": 1516325422 // Fri Jan 19 2018 02:30:22 GMT+0100
}
// signed
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21lb25lQGNvbXBhbnkuY29tIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYzMjU0MjJ9.UmQEN8hJgKzmYhySSYUMyu2ngbvQC29gZ5lE_r55wJM
Using a token
To send the signed token to DynaMaker, include it as the URL parameter token:
<iframe src="https://deployed.dynamaker.com/applications/<MY_PROJECT_ID>/?token=eyJhbGciOi..." />