If you enable SSO but then can't log in using SSO, you can use the local login to regain access. This is only available to users with the Tenant admin user role. See our knowledge base article, Rescue URL for tenant administrators.
If your organization has many users, you might run more than one server. In this case, you can use JSON Web Tokens (JWT) to authorize users across servers so they do not need to sign in multiple times.
You can configure JWT in Applaud by adding either:
- A shared secret
- A public key certificate
You also need to provide the URL where users sign in for authentication.
Shared secret
A shared secret is a string exchanged between your Identity Provider (IdP) and Applaud. It is used to validate the request and verify the user.
- Obtain the shared secret from your IdP.
- Enter the shared secret in your Applaud tenant settings.
Public key certificate
A public key certificate validates requests using asymmetric cryptography.
- The IdP signs requests using a private key and a specific signing algorithm.
- The IdP provides you with the corresponding public key certificate and tells you which algorithm it uses.
- Upload this public key certificate to your Applaud tenant.
- Applaud uses the certificate to verify the signature on requests from your IdP and validate your users.
Troubleshooting
The following errors can occur if your JWT configuration is not correct:
Invalid signature
- Cause: The token signature does not match the configured shared secret or certificate.
- Fix: Check that Applaud uses the same shared secret or certificate as your IdP.
Expired token
- Cause: The token lifetime (exp claim) has passed.
- Fix: Update your IdP to issue tokens with a valid expiration time. Refresh the token as needed.
Token not yet valid
- Cause: The token's start time (nbf or iat claim) is in the future.
- Fix: Verify the server time on both Applaud and your IdP. Adjust if there is a clock skew.
Unsupported algorithm
- Cause: The token uses an encryption or signing algorithm not supported by Applaud.
- Fix: Configure your IdP to use a supported algorithm, such as HS256 (shared secret) or RS256 (certificate).
Incorrect audience (aud) or issuer (iss)
- Cause: The aud or iss claims in the token do not match the values configured in Applaud.
- Fix: Confirm that the token includes the correct audience and issuer identifiers, and update settings if needed.
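The checks behind each of the errors above, shown as an added example that is not Applaud's own code: a minimal HS256 (shared-secret) verifier written with the Python standard library, plus a constructed sample issuer so it runs offline. The secret, issuer and audience values are assumptions; the RS256 (certificate) path is not included.

```python
import base64
import hashlib
import hmac
import json
import time

SUPPORTED_ALGS = {"HS256"}  # shared-secret only; RS256 would need the uploaded certificate

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims, secret):
    """Build a token the way the IdP would (constructed sample issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, secret, audience, issuer, now=None, leeway=0):
    """Return (ok, reason); the reasons mirror the Troubleshooting errors."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    # Check the algorithm before the signature: never accept "none" or an
    # algorithm the configured secret was not meant for.
    if header.get("alg") not in SUPPORTED_ALGS:
        return False, "unsupported algorithm"
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "invalid signature"
    if "exp" in claims and now > claims["exp"] + leeway:
        return False, "expired token"
    start = claims.get("nbf", claims.get("iat"))  # nbf wins if both are present
    if start is not None and now + leeway < start:
        return False, "token not yet valid"
    aud = claims.get("aud")  # aud may be a single string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "incorrect audience"
    if claims.get("iss") != issuer:
        return False, "incorrect issuer"
    return True, "ok"
```

The `leeway` parameter is how a verifier tolerates small clock skew between the IdP and the server; a large skew should still be fixed at the source, as the "Token not yet valid" entry says.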