A JSON Web Token (JWT) is a standard way of communicating data between two parties. UCSD uses the JWT specification for communicating identity information between our API Managers and back end services.
...
4) Check the expiration claim to make sure that the JWT is still valid. (Note: the expiration claim is a Unix timestamp in seconds, not milliseconds.)
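The following is an added example, not part of the original UCSD documentation, showing how the expiration check in step 4 can be written so that the seconds-versus-milliseconds confusion is caught rather than silently accepted. It assumes the token's signature was already verified in an earlier step (the helper below only parses the payload, it does not verify anything), uses a fixed "current time" so the result is deterministic, and builds a constructed token with a placeholder signature segment purely for the demonstration.

```python
import base64
import json
import time
from typing import Optional

# Fixed "now" (seconds since the Unix epoch) so the example is deterministic.
NOW = 1_700_000_000


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def payload_from_jwt(token: str) -> dict:
    """Return the decoded payload (second segment) of a compact JWT.

    This assumes the signature was verified in an earlier step; it does
    not verify anything itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_expiration(payload: dict, now: Optional[float] = None, leeway: int = 0) -> bool:
    """Return True only if 'exp' is present, numeric, plausibly in seconds,
    and still in the future (optionally allowing a few seconds of clock skew).

    'exp' is a NumericDate: seconds since the Unix epoch. A value large enough
    to be a millisecond timestamp is rejected instead of being treated as
    valid for centuries.
    """
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False  # missing, or a string such as "1700000060": reject
    # 10**10 seconds is the year 2286; any millisecond timestamp for a
    # current date is around 1.7 * 10**12 and fails this bound.
    if exp >= 10**10:
        return False
    return now < exp + leeway


def make_demo_token(payload: dict) -> str:
    """Build a constructed three-segment token with a placeholder signature.

    Only for exercising payload_from_jwt(); a real token from the API
    Manager carries a signature that must be verified before this step.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    token = make_demo_token({"exp": NOW + 60, "sub": "constructed-user"})
    print(check_expiration(payload_from_jwt(token), now=NOW))            # True
    print(check_expiration({"exp": (NOW + 60) * 1000}, now=NOW))         # False: milliseconds
```

If the producer had mistakenly written `exp` in milliseconds, a naive `now < exp` comparison would accept the token for decades; the upper bound turns that into a hard failure that shows up immediately in testing.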
Claims
Most claims are in the format of a URL for guaranteed uniqueness. The URL format does not imply that there is a resource located at that URL.
...
WSO2 populates the JWT with a number of application specific claims.
Display Name | Description | Claim URI | Mapped Attribute(s) | UCSD Mapping |
---|---|---|---|---|
Employee ID | Employee ID | http://wso2.org/claims/eid | eid | urn:mace:ucsd.edu:sso:pps:eid |
Student ID | Student ID (PID) | http://wso2.org/claims/pid | pid | urn:mace:ucsd.edu:sso:isis:pid |
RACFID | racf/mainframe id | http://wso2.org/claims/racfid | racfid | urn:mace:ucsd.edu:sso:auth:racfid |
AD Username | The user's Active Directory user name | http://wso2.org/claims/adusername | adusername | urn:mace:ucsd.edu:sso:ad:username |
Network User ID | kerberos/network username | http://wso2.org/claims/networkuserid | networkuserid | urn:mace:ucsd.edu:sso:networkuserid |
Department Codes | list of comma separated department codes in payroll | http://wso2.org/claims/departmentcodes | departmentcodes | urn:mace:ucsd.edu:sso:pps:departmentcodes |
System ID | A persistent unique identifier for this user. This is a GUID and is only relevant to the SOA set of services. Unlike all other identifiers, these will never be recycled and should be used as the user's primary ID in the remote system. | http://wso2.org/claims/systemid | systemid | urn:mace:ucsd.edu:sso:people:affiliateid |
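As an added example (not code from the UCSD documentation), here is how a back end service could map the claims in the table above to their mapped attribute names, treat `systemid` as the required primary identifier, and split `departmentcodes` on commas. It assumes the claim URIs appear as the keys of the decoded payload, which is the form the WSO2 claim table further down uses, and that the payload has already been signature-checked and expiration-checked. The sample payload is constructed; the GUID in it is not a real identifier.

```python
from typing import Any, Dict

# Claim URI -> mapped attribute name, transcribed from the table above.
UCSD_CLAIMS = {
    "http://wso2.org/claims/eid": "eid",
    "http://wso2.org/claims/pid": "pid",
    "http://wso2.org/claims/racfid": "racfid",
    "http://wso2.org/claims/adusername": "adusername",
    "http://wso2.org/claims/networkuserid": "networkuserid",
    "http://wso2.org/claims/departmentcodes": "departmentcodes",
    "http://wso2.org/claims/systemid": "systemid",
}

# Constructed sample payload; only the UCSD claims are shown.
SAMPLE_PAYLOAD = {
    "http://wso2.org/claims/systemid": "00000000-0000-4000-8000-000000000001",  # constructed GUID
    "http://wso2.org/claims/networkuserid": "jdoe",
    "http://wso2.org/claims/departmentcodes": "000123, 000456",
    "http://wso2.org/claims/eid": "",  # empty claim: treated as absent
}


def extract_ucsd_identity(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Map WSO2 claim URIs in a verified JWT payload to the table's attribute names.

    - Claims that are missing or empty are omitted rather than defaulted.
    - departmentcodes is split into a list of codes.
    - systemid is required: the table designates it as the identifier a
      remote system should key on, because it is never recycled.
    """
    identity: Dict[str, Any] = {}
    for uri, attr in UCSD_CLAIMS.items():
        value = payload.get(uri)
        if value is None or value == "":
            continue
        if attr == "departmentcodes":
            value = [code.strip() for code in str(value).split(",") if code.strip()]
        identity[attr] = value
    if "systemid" not in identity:
        raise ValueError("JWT carries no systemid claim; refusing to map identity")
    return identity


if __name__ == "__main__":
    print(extract_ucsd_identity(SAMPLE_PAYLOAD))
```

Keying user records on `systemid` rather than on `networkuserid` or `eid` follows the table's guidance: the other identifiers can be recycled, so a record keyed on them could later be matched to a different person.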
The following claims are used by BYU and are provided for reference only.
Claim | Value |
---|---|
http://wso2.org/claims/subscriber | The netid of the user that subscribed to this API. |
http://wso2.org/claims/applicationid | Internal WSO2 application identifier. |
http://wso2.org/claims/applicationname | The name of this application. |
http://wso2.org/claims/applicationtier | The throttling tier assigned to this application. |
http://wso2.org/claims/apicontext | The context used in this API call (may or may not include version). |
http://wso2.org/claims/version | The version of this API. |
http://wso2.org/claims/tier | The throttling tier assigned to this user. |
http://wso2.org/claims/keytype | The type of keys used in this call. Possible values are "PRODUCTION" or "SANDBOX". |
http://wso2.org/claims/usertype | The type of OAuth 2.0 grant used for authorization. "APPLICATION_USER" for grant types that include a Resource Owner (authorization_code, implicit, resource owner password). "APPLICATION" for those that only have a Client (client credentials). |
http://wso2.org/claims/enduser | The netid of the resource owner in the form of "netid@carbon.super" |
http://wso2.org/claims/enduserTennantId | The WSO2 tenant id. (This value can be ignored since we don't have multiple tenants) |
http://wso2.org/claims/client_id | The OAuth 2.0 client id used for authorization. (This value is WSO2 claim but was added by BYU) |
...
All other values in the table should be filled in with the appropriate information.
Relationship records should only be added for applications under the control of a BYU entity. There is no need to add them for individuals publishing their own applications. Currently there is no defined process for approving and adding these relationship records.
...