A JWT (JSON Web Token) has to be generated and appended to the Token URL, which has the following format:

```
${redirect_uri}?state=${state}&id_token=${jwt_token}
```
Problem Statement
How to generate the token?
Resolution Path
A JWT has three parts of the form xxx.yyy.zzz, where:
- xxx = Header
The header consists of two fields: the type of the token, which is JWT, and the signing algorithm being used; in Freshworks' case this is RS256. Here is a sample:

```json
{ "alg": "RS256", "typ": "JWT" }
```

This JSON is then Base64Url encoded to form the first part of the JWT.
- yyy = Payload
The payload contains the identity data along with the security parameters exchanged, in JSON format. For example:

```json
{ "sub": "1234567890", "email": "messi@awesomecompany.com", "nonce": "123422" }
```

The payload is then Base64Url encoded to form the second part of the JSON Web Token.
- zzz = Signature
To create the signature part, take the encoded header, the encoded payload and the RSA private key, and sign the two encoded parts with the key. You can generate the RSA key pair with the following commands:

```sh
# generate the RSA private key (use an empty passphrase when prompted)
# note: 1024-bit RSA is below the 2048-bit minimum generally recommended today
ssh-keygen -t rsa -b 1024 -m PEM -f jwtRS256.key
# derive the matching public key in PEM format
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
```
Putting it all together, a sample JWT looks like this:

```
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM
```
These are the parameters that may be passed in the payload.

| Param Name | Value Type & Example | Required / Optional | Description |
| --- | --- | --- | --- |
| sub | String "Messi10" | Required | The ID of the agent in the external system |
| email | String "messi@awesomecompany.com" | Required | The email address of the user who is to be logged in |
| iat | Number 1545894207 | Required | The number of seconds since the UNIX epoch. A maximum clock drift of 300 seconds is permitted. |
| nonce | String "23456781234" | Required | Nonce passed by Freshworks as part of the login request to mitigate replay attacks. It is a random alphanumeric string and is valid only for 10 minutes from the time FreshID issues it. |
| given_name | String "Leo" | Required | First name (given name) of the user |
| family_name | String "Messi" | Required | Last name (family name) of the user |
| phone_number | String "1010101010" | Optional | Phone number of the user |
| picture | String "https://bit.ly/Lionel_Messi.jpg" | Optional | Profile picture URL of the user |
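As an added example (not Freshworks' own code), the three-part procedure above carried end to end in POSIX shell with openssl: Base64Url-encode the header and payload, sign them with RS256, then verify the signature with the public key and check the iat claim against the 300-second drift the table allows. It generates a 2048-bit key with `openssl genpkey` instead of the ssh-keygen step, and the claim values are constructed samples taken from the table.

```shell
#!/bin/sh
# Constructed example for the custom-SSO flow above: mint an RS256 id_token with the
# claims from the table, then verify it the way the receiving side would.
set -eu
TMPD=$(mktemp -d)

# Base64Url (RFC 7515): standard base64 with '+/' -> '-_' and '=' padding removed.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Inverse of b64url; padding is restored so openssl can decode it.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# make_jwt <private.pem> <payload-json> : print header.payload.signature
make_jwt() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '%s' "$2" | b64url)
  # RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over the ASCII string "header.payload"
  sig=$(printf '%s' "$hdr.$pl" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# verify_jwt <public.pem> <jwt> : succeed only if the signature is valid
verify_jwt() {
  hdr=${2%%.*}; rest=${2#*.}; pl=${rest%%.*}; sig=${rest#*.}
  b64url_decode "$sig" > "$TMPD/sig.bin"
  printf '%s' "$hdr.$pl" | openssl dgst -sha256 -verify "$1" -signature "$TMPD/sig.bin" >/dev/null 2>&1
}

# check_iat <jwt> : succeed if iat is within the 300 s clock drift the table allows
check_iat() {
  rest=${1#*.}; pl=$(b64url_decode "${rest%%.*}")
  iat=$(printf '%s' "$pl" | sed -n 's/.*"iat":\([0-9][0-9]*\).*/\1/p')
  d=$(( $(date +%s) - iat )); [ "$d" -lt 0 ] && d=$(( -d ))
  [ "$d" -le 300 ]
}

# 2048-bit key pair via openssl genpkey (stands in for the page's ssh-keygen step).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$TMPD/jwt.key" 2>/dev/null
openssl pkey -in "$TMPD/jwt.key" -pubout -out "$TMPD/jwt.key.pub"

# Payload carrying the required claims from the table (values are constructed samples).
PAYLOAD=$(printf '{"sub":"Messi10","email":"messi@awesomecompany.com","iat":%s,"nonce":"23456781234","given_name":"Leo","family_name":"Messi"}' "$(date +%s)")
TOKEN=$(make_jwt "$TMPD/jwt.key" "$PAYLOAD")
echo "$TOKEN"
verify_jwt "$TMPD/jwt.key.pub" "$TOKEN" && check_iat "$TOKEN" && echo "id_token verified"
```

The first segment of the printed token is identical to the first segment of the sample token above, since both encode the same RS256 header.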