Copyright ©
Mindbreeze GmbH, A-4020 Linz, 2024.
JSON Web Tokens (JWTs) can be used to provide secure authentication and authorization for web applications and services. When a user logs in to an application, they are issued a JWT that contains information about their identity and permissions. This token can be sent to the client service in an Authorization: Bearer header. The client service uses a JSON Web Key (JWK) to verify the JWT's signature and extract the identity. By integrating Mindbreeze InSpire with JWT authentication, users can securely access content and services within the platform.
For the configuration of JWT in Mindbreeze InSpire, the following data is required:
You find the JWT configuration in the MMC Configuration on the "Client Service" tab, in the "JWT Authentication Settings" section:
Activate "Enable JWT Authentication".
In the text field "JWK JSON" insert the content of the JSON downloaded in the “Preparation” section.
As an alternative to the "JWK JSON" option, you can use the "JWK URI" option to specify a file URI pointing to a JWK file in the file system of the appliance, e.g. file:///data/jwks-cognito.json or /data/jwks-cognito.json. To do this, create the JSON file (e.g. /data/jwks-cognito.json) in the Management Center (MMC) in "File Manager", "Local Filesystem" and paste the contents of the JSON downloaded in section "Preparation".
Note: Changes in the configured "JWK JSON" file are effective immediately; thus, a restart of the client service is not necessary.
Then add the following "Required Claims Patterns":
Then configure the "JWT Identity Claim Name" setting. This determines which claim is used as the identity in the Mindbreeze InSpire search (e.g. cognito:username).
If there are additional claims that should be used as principals in the Mindbreeze search, configure them in "JWT Principal Claim Names". The principal claims can be single values or an array of values.
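The verification steps described above (key lookup by "kid" in the JWK set, signature check, required claim patterns, identity claim, and principal claims that may be a single value or an array), as an added standalone illustration in Python. This is not Mindbreeze's code: it uses a constructed symmetric "oct" JWK so it runs with the standard library alone, whereas a Cognito JWKS carries RSA public keys; the issuer URL and claim names are placeholder assumptions.

```python
import base64, hashlib, hmac, json, re
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")
# Constructed JWK set (symmetric HS256 key, demo only). With an RSA JWKS the
# lookup by "kid" and all claim handling below stay the same.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-demo-secret-not-for-production")}]}
# Assumed settings mirroring the configuration fields (placeholder values).
REQUIRED_CLAIM_PATTERNS = {"iss": r"https://issuer\.example\.com/.+", "token_use": r"access"}
IDENTITY_CLAIM = "cognito:username"
PRINCIPAL_CLAIM_NAMES = ["cognito:groups", "email"]

def verify_jwt(token: str, now: int) -> dict:
    """Validate a bearer token; return identity and principals or raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "alg" blindly
        raise ValueError("unsupported alg")
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWK with matching kid")
    mac = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s64)):
        raise ValueError("bad signature")
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    for name, pattern in REQUIRED_CLAIM_PATTERNS.items():   # "Required Claims Patterns"
        if not re.fullmatch(pattern, str(claims.get(name, ""))):
            raise ValueError(f"required claim {name} missing or not matching")
    if IDENTITY_CLAIM not in claims:                        # "JWT Identity Claim Name"
        raise ValueError("identity claim missing")
    principals = []                                         # "JWT Principal Claim Names"
    for name in PRINCIPAL_CLAIM_NAMES:                      # single value or array
        value = claims.get(name)
        principals.extend(value if isinstance(value, list) else [] if value is None else [value])
    return {"identity": claims[IDENTITY_CLAIM], "principals": principals}

def make_token(claims: dict, kid: str = "demo-key-1") -> str:
    """Mint a demo token (in practice the identity provider does this)."""
    key = next(k for k in JWKS["keys"] if k["kid"] == kid)
    h64 = b64url_encode(json.dumps({"alg": "HS256", "kid": kid, "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"
```

Each rejection reason corresponds to a message you would only see with "Full Logging" enabled on the appliance; the client otherwise just receives HTTP 403.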
If the header "Authorization: Bearer {{token}}" is not included in the request, an attempt will be made to log the user on with a different authentication method, if any is configured. For example, SAML can be configured to be the fallback authentication method.
To disable this fallback behavior, disable the option "Optional JWT Authentication". If a request then does not contain a JWT, it is answered strictly with HTTP status code 403.
Every access to an authenticated resource (e.g. https://mysearch.com/api/v2/search) must contain a valid JWT; otherwise HTTP status code 403 is returned. The following criteria must be met:
If one of these criteria is not met, there is no message in the log with default settings.
Enable “Full Logging" (optionally only on the log region com.mindbreeze.enterprisesearch.webapp.jwt). This logs detailed messages about why the JWT token is not valid.
Note: (online) tools such as https://jwt.io/ are suitable for analyzing JWT tokens (keep data protection in mind before pasting a live token into an online tool).