If you already use a JWT or OpenID-based authentication mechanism (e.g. using Auth0, AWS Cognito, or Firebase), you can use your existing User Tokens with Xkit (or generate new tokens just for use with Xkit).
To do so, you'll need a few pieces of information about your tokens:
- The contents of the
- The contents of the
aud(audience) claim (optional)
- The claim that uniquely identifies your user (usually the
- A claim with a friendlier name for your user (e.g. an email) (optional)
- The claim that identifies the group your user belongs to (optional)
- The JSON Web Key Set (JWKS) URL used to sign the JWT.
To set up your tokens for use with Xkit, go to the Settings page, and scroll down to the "User Tokens" section. Click on "Add Custom Issuer" under the Custom Issuers section, and provide the information requested. Click "Save" and your custom issuer will be active, allowing users to log into Xkit with your tokens.
In order to use your token to provision and authenticate your user, we need to know which one of the claims on the token is that user's unique identifier. For many tokens this is the
sub (subject) claim, but some tokens contain custom claims like
It's important to note that the contents of this claim will serve as the user's
external_id elsewhere in the Xkit service. So if for any reason it is in a different format, that's the format you'll need to use when you are communicating with Xkit about that user.
If you are using the User Groups feature to share connections between your users, we need to know which group this user is a part of. This will likely be a custom claim on your token.
The contents of this field will be used in the Get Group Connection endpoint to retrieve tokens for this group.
Currently the only way to provide keys that serve as signers for your Custom Issuer is as a JWKS URL as defined in RFC 7517. If you have keys in another format that you would like to use, please Contact Support.
Note that Xkit will still issue its own tokens to users after they are authenticated, so there is no guarantee that the token in use by an Xkit library will be a token issued by your Custom Issuer.
Updated 5 months ago