Secure API with JWT PivotData Microservice Documentation

Microservice auth settings are specified in the Auth section of the appsettings.json file.

It is possible to secure the microservice web API with JWT (JSON Web Token) authorization. To enable JWT auth, configure the following section in the microservice settings file:

  "Auth": {
    "Type": "jwt",
    "Jwt": {
      "ValidIssuer": "Test",
      "ValidateIssuer": true,
      "ValidateAudience": false,
      "ValidateLifetime": true,  // set to false if you use JWTs that never expire
      "ValidateIssuerSigningKey": true,
      "IssuerSigningKeyString": "some_secure_key_value",
      "TokenDecryptionKeyString": "jwt_encryption_key"  // optional
    }
  }

Important: ensure that your signing key is long enough. If you use SHA256, the minimum key size is 16 bytes (SHA512 needs a 32-byte key).

Your main web application should generate a valid JWT (with the same "Issuer" and "SigningKey") and pass it in the Authorization HTTP header. The following JavaScript snippet illustrates how to add this header for all ajax calls:

	headers: { 'Authorization': "Bearer " + jwt }

In some cases it is not possible to pass the JWT in an HTTP header, so the microservice also accepts it as the POST form parameter __JwtAuthorization:

<form id="exportForm" method="POST" action="api/cube/SomeCubeId/pivot/export/excel">
	<input type="hidden" name="pvtReportJson" />
	<input type="hidden" name="__JwtAuthorization" />
</form>

Integration Example

JWT generation in the main web app is illustrated in the example that ships with the PivotData microservice package (see the integration\AspNetMvcCore folder, a .NET MVC Core app).
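
As an added illustration of the token the main web app has to produce (this is not the code from the integration\AspNetMvcCore folder or any other PivotData code), the Node.js code below mints an HS256 JWT with the issuer from the settings above and re-checks signature, issuer and lifetime locally. The function names, the sample key and the treatment of the key string as UTF-8 bytes are assumptions.

```javascript
// Added example (not PivotData code): mint and self-check an HS256 JWT in Node.js.
const { createHmac, timingSafeEqual } = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
// HMAC-SHA256 over "header.payload" is the HS256 JWT signature.
const sign = (data, key) => createHmac('sha256', key).update(data).digest();

// Mint a token carrying the issuer and expiry that the "Jwt" settings validate.
function mintJwt(key, issuer, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  // The page's minimum for SHA256 is 16 bytes; refuse shorter keys up front.
  if (Buffer.byteLength(key, 'utf8') < 16) {
    throw new Error('signing key shorter than 16 bytes');
  }
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ iss: issuer, iat: now, exp: now + ttlSeconds }));
  const body = `${header}.${payload}`;
  return `${body}.${b64url(sign(body, key))}`;
}

// Local check mirroring ValidateIssuerSigningKey, ValidateIssuer and ValidateLifetime.
function checkJwt(token, key, validIssuer, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch { return 'malformed'; }
  // Pin the algorithm so the token cannot select "none" or a different scheme.
  if (head.alg !== 'HS256') return 'bad-alg';
  const expected = sign(`${parts[0]}.${parts[1]}`, key);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  if (claims.iss !== validIssuer) return 'bad-issuer';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  return 'ok';
}

// Constructed sample values; load the real key from configuration, not source code.
const KEY = 'constructed-demo-signing-key-value';
const jwt = mintJwt(KEY, 'Test', 300);
console.log(checkJwt(jwt, KEY, 'Test'));
```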