Public client authentication
Last updated
Public clients (e.g. web or native applications) receive a Monterosa Access Token in exchange for proof of user identity. That form of the token is referred to as a "user token" and only provides access to data related to a specific user.
Monterosa does not authenticate public clients directly. Instead, it relies on the authentication the user has already completed with the Identity Provider (IdP) integrated with your application.
To make this process secure, once the user is logged in, your client application should obtain proof of user identity and send it to the Audience API /api/auth/token endpoint, which will validate it and, if the validation succeeds, will issue a Monterosa Access Token scoped to the logged-in user.
Proof of user identity will be different depending on the Identity Provider (IdP) your client application uses. It usually comes in the form of an access token (JWT or opaque) issued by your IdP after the user logs in.
The Audience API handles a variety of formats for the proof of identity by deploying different implementations of the validation logic to different Spaces.
The Monterosa Access Token is a JWT carrying data in the form of claims:
sub (Subject) claim contains the ID of the user issued by Monterosa. This will not be the same as the user ID issued by your IdP!
iat (Issued At) claim contains the UNIX timestamp of the time at which the token was issued.
exp (Expiration Time) claim contains the UNIX timestamp of the time on or after which the token will not be accepted. User tokens are usually valid for as long as the proof of user identity used to obtain them.
iss (Issuer) claim is set to the URL of the Space Domain, without a trailing slash.
aud (Audience) claim is an array of strings, each identifying an intended recipient of the token.
Example of a valid token body: