Third Party Authentication Using JWT Tokens

By Binoy Chemmagate on September 29, 2016
read

In the beginning of the year we published a Third-party Authentication Proposal to solicit feedback from the community for an enhanced security framework. Based on the feedback, we chose the mechanism using JWT (JSON Web Tokens). We recently released the new authentication to a few selected customers and now release it to everyone.

With this release callstats.io offers two types of authentication:

  • origin URL whitelisting (basic authentication) and
  • third-party authentication based on JSON Web Tokens (JWT).

The pros and cons of the basic authentication are covered here, and we will continue to support the basic authentication. Whereas, the JWT framework is based on a public/private key. The developers provide callstats.io with the public key and have to generate tokens for their users, which callstats.io validates. This provides higher level of security, however, requires implementing a token generator.

JWT will provide security in two areas, authentication and information exchange.

  1. Authentication: Once the user is authenticated, the subsequent transactions contain a JWT, which contains authorization and access control information.
  2. Information exchange: The information can be signed using private key. The signature is calculated by combining the header and the payload, that implies the data is not tampered.

Here is the diagram explaining the transaction between a WebRTC endpoint and callstats.io. You need to create a shared secret or share a public key using the callstats.io dashboard.

 

Third-party authentication using JWT

Third-party authentication using JWT

Breakdown of JWT tokens

A JWT token looks likes this:

uiyiuyJ0eddfdAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiiuioyoyLA0KICJleHAiOjEzMDA4MTkzODAsDQogIhghjgHA6Ly9leyuyffjhgg0Ijp0cnVlfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWF

 

Even though it looks quite a messy string, it has three parts separated by dots (“.”).

The first part is a header which tells you the type and algorithm used:

 

{ "typ":"JWT", "alg":"HS256" }

 

The second part is the claims body and in our case it shows

{
"userID":"4358",
"appID":"545619706",
"keyID":"0123456789abcedf00",
"iat":1465221382,
"nbf":1465221682,
"exp":1465221682,
"jti":"25b30fb33a7764d2971534507718f35274bb"
}

The third part shows the cryptographic signature:

7418dfb49799e0254f981f762b6eee85b509535a75affc16d6015614e1235e

For more details about the implementation please check: callstats.io/api/#third-party-authentication. If you have any questions or comments redarding the JWT framework, send them to support[at]callstats.io.


Tags: callstats.io, WebRTC Monitoring