FAQ: Support for JSON Web Tokens (JWT) in Forum Sentry

Forum Sentry supports JSON Web Tokens (JWT) in the context of the OAuth 2.0 / OpenID Connect standards. For example, many customers use Sentry as an OAuth 2.0 client and/or server, both of which use JWT.

Sentry does not have any general tasks to create, accept, generate or validate JWT outside of the standards-based OAuth 2.0 / OpenID Connect SSO schemes.

In other words, if your use case requires generating custom JWTs with your own signatures and encryption, that may not be supported.

That said, Forum Systems recommends following a standard approach when using JWT for greater interoperability.

For example, if you are looking to secure a REST API using JWT, we recommend OAuth 2.0 / OpenID Connect, which is fully supported in Sentry. This is a very common use case.

Lastly, note that Sentry can also break open and inspect general JWT ID tokens. This is not the same as verifying the tokens, but Sentry can parse them. A JWT ID token consists of three parts separated by a . character: the first segment is the header, the second is the payload (where the user info is), and the third is the signature.

These segments are Base64url-encoded (the URL-safe variant of Base64) and the token is passed as a Bearer token in the HTTP Authorization header. Using a Sentry task list you can split the token into its parts and get to the user info in the payload. What you cannot currently do is verify the signature segment (unless you are using the OAuth 2.0 features), so a parsed-but-unverified payload must not be treated as authenticated.

See: https://jwt.io/ for more info on how JWT is constructed.
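As an added illustration of the parse-versus-verify distinction above (example code written for this page, not part of the Forum Systems article and not how Sentry implements it), the following Python script splits a JWT into its three segments and, separately, checks an HS256 signature over the first two; the key, the token and the altered-payload helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are Base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_jwt(token: str) -> dict:
    """Split header.payload.signature and decode the parts; this reads the token but proves nothing about its issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; do not let the token choose it
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Issuer side, included only so the demo can build a constructed token offline.
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

DEMO_KEY = b"demo-secret-not-for-production"  # constructed sample key, not from any real deployment
DEMO_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, DEMO_KEY)

def with_altered_payload(token: str) -> str:
    # Same header and signature but a different payload: parse_jwt still decodes it, which is why decoding is not verification.
    head, _, sig = token.split(".")
    body = b64url_encode(json.dumps({"sub": "alice", "role": "admin"}).encode())
    return f"{head}.{body}.{sig}"
```

Running parse_jwt on both DEMO_TOKEN and with_altered_payload(DEMO_TOKEN) returns a readable payload each time; only verify_hs256 tells the two apart.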

When using OAuth 2.0 / OpenID Connect, Sentry validates the signatures and automatically parses the payload data. This includes mapping the user info to Sentry user attributes, which can be used for authorization or whatever task processing you want (e.g. adding them to headers and passing them to the back-end).


For more information or to discuss your use case details, please contact Forum Systems Support.