JWT Provider
The JWT Provider feature allows you to configure an external application as an Identity Provider (IDP) using JSON Web Tokens (JWT). This is especially useful if your preferred login source is unavailable in LoginRadius’ default social login network list or if you are integrating a proprietary app that supports JWT.
LoginRadius acts as the Service Provider (SP), and your application (supporting JWT) acts as the Identity Provider (IDP). This integration enables you to use:
- Token-Based Authentication: Supports login flows using JWTs issued by external identity systems.
- User Data Mapping: Map values from the JWT to LoginRadius user profile fields.
Use Cases
- Support proprietary or third-party identity providers that issue JWT tokens.
- Enable login for apps unavailable in the default LoginRadius social login provider list.
- Allow customers from an external JWT-based system to access your LoginRadius-enabled application.
How It Works
The JWT login flow allows users to authenticate through your JWT-compatible Identity Provider. Once the user is authenticated, the IDP passes a token to LoginRadius for verification, enabling seamless access.
- The user clicks the JWT login icon on the LoginRadius-enabled application.
- They are redirected to your JWT IDP's login page (e.g., https://www.jwtlogin.com/login).
- If already authenticated, the user skips login. Otherwise, they enter their credentials.
- After successful authentication, the IDP redirects the user to LoginRadius with a JWT token:
  https://{appname}.hub.loginradius.com/access/jwt?jwttoken=<JWT_TOKEN>
- LoginRadius validates the token:
  - If the token is valid and the user exists, the user is logged in and redirected with an access token.
  - If the token is invalid or the user doesn't exist, they are redirected to:
    https://{appname}.hub.loginradius.com/access/jwt/error
Note: LoginRadius accepts the JWT token either as a query string parameter or via the POST method.
The following image displays the functional flowchart for the JWT login:
JWT Login UI Behavior
The JWT login UI behaves like a standard social login. When "Include In Social Schema" is enabled during JWT configuration, a login icon appears alongside other social providers on the LoginRadius V2.js login interface.
Configuration
Step 1: Navigate to Configuration
- Go to Authentication > Custom IDPs
- Click on Add Custom IDP.
- Select Custom JWT Provider.
This opens the JWT configuration form. Follow the steps below to fill in the details.
Step 2: Configure Basic Settings
Provider Name: A unique identifier for the custom IDP that appears on LoginRadius IDX and V2.js forms. Must follow these rules:
- Alphanumeric
- Automatically converted to lowercase.
- Must start with a letter.
- Hyphens (-) and underscores (_) are allowed.
- No Spaces.
- Length: 1–60 characters.
Select Signing Algorithm: Choose the algorithm your IDP uses to sign the JWT:
- HS256, HS384, HS512
- RS256, RS384, RS512
- ES256, ES384, ES512
Provide Key or JWKS Endpoint
- For HS algorithms: provide a Key.
- For RS/ES algorithms: provide a Key or JWKS Endpoint.
- If both are provided, the JWKS Endpoint is prioritized.
Clock Skew (Optional): Set the tolerated time drift to account for clock differences between the IDP's server and LoginRadius when checking time-based claims.
Expiration Time Difference (Optional): Extend or reduce the expiration window used when validating the JWT token.
Token Query Parameter Name (Optional): Customize the name of the query parameter that carries the JWT token (the flow above uses jwttoken).
Login URL (Optional): Specify the URL to which users are redirected for JWT-based login.
Enable Required Parameters
Configure additional validation for incoming JWTs:
- Use Authorization Header
- Subject (sub) is Mandatory
- Not Before Field is Mandatory
- Expiration Time Field is Mandatory
- Enable AutoLookup
Issuer (Optional): Validate the iss claim:
- Expected Value: Define the required issuer.
- Match Value: Enforces an exact match against the expected value.
- Is Mandatory: Requires the iss claim to be present.
Audience (Optional): Validate the aud claim:
- Expected Value: Define the target audience.
- Match Value: Enforces an exact match against the expected value.
- Is Mandatory: Requires the aud claim to be present.
Data Mapping
LoginRadius Field    JWT Field
ID                   id
- The ID mapping is required.
- Enable Update Email Profile to sync values from the JWT payload into the user profile.
Include in Social Schema: Enable this option to display the JWT provider in the LoginRadius V2.js login form or IDX interface.
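The script below is an added example and is not LoginRadius' own code. It plays both roles in the flow described under How It Works (the IDP mints an HS256 JWT and builds the redirect URL to the /access/jwt endpoint) and then applies, on the service-provider side, the checks this configuration section exposes: the signing key, clock skew, expiration time difference, mandatory sub/nbf/exp, issuer and audience rules, and the ID data mapping. The secret, issuer, audience, app name, the dict layout of CONFIG, the function names and the extra Email mapping are all placeholders chosen for the example; LoginRadius performs the real validation server-side. Only the Python standard library is used, so the RS/ES and JWKS variants are not shown.

```python
# Added example (not LoginRadius code): a custom IDP minting a JWT and a
# validator applying the settings from the JWT Provider configuration form.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

IDP_SECRET = b"constructed-shared-secret-for-example-only"  # the HS256 "Key" setting (placeholder)
ISSUER = "https://idp.example.test"   # placeholder expected issuer
AUDIENCE = "example-app"              # placeholder expected audience
APP_NAME = "example"                  # placeholder for {appname}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = IDP_SECRET) -> str:
    """IDP side: sign the claims with HS256 and return the compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def redirect_url(token: str, param: str = "jwttoken") -> str:
    """IDP side: where the user is sent after login; "Token Query Parameter Name" decides the key."""
    return f"https://{APP_NAME}.hub.loginradius.com/access/jwt?" + urlencode({param: token})


# The validation settings from the configuration form, modelled as a plain dict.
CONFIG = {
    "alg": "HS256",
    "key": IDP_SECRET,
    "clock_skew": 30,        # seconds of tolerated clock drift
    "exp_difference": 0,     # seconds added to (negative: removed from) the expiration window
    "sub_mandatory": True,
    "nbf_mandatory": True,
    "exp_mandatory": True,
    "issuer": {"expected": ISSUER, "match": True, "mandatory": True},
    "audience": {"expected": AUDIENCE, "match": True, "mandatory": True},
    "mapping": {"ID": "id", "Email": "email"},  # LoginRadius field -> JWT field
}


def validate_token(token: str, cfg: dict = CONFIG, now=None):
    """SP side: return (True, mapped_profile) on success or (False, reason) on failure."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad UTF-8, bad JSON or wrong number of segments
        return False, "malformed token"
    # Pin the algorithm to the configured one; the token's own alg is never trusted.
    if header.get("alg") != cfg["alg"]:
        return False, "unexpected alg"
    expected_sig = hmac.new(cfg["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        return False, "bad signature"
    for claim in ("sub", "nbf", "exp"):
        if cfg[f"{claim}_mandatory"] and claim not in claims:
            return False, f"missing {claim}"
    skew = cfg["clock_skew"]
    if "nbf" in claims and claims["nbf"] > now + skew:
        return False, "token not yet valid"
    if "exp" in claims and claims["exp"] + cfg["exp_difference"] < now - skew:
        return False, "token expired"
    for name, claim in (("issuer", "iss"), ("audience", "aud")):
        rule = cfg[name]
        if claim not in claims:
            if rule["mandatory"]:
                return False, f"missing {claim}"
            continue
        value = claims[claim]
        # aud may be a single string or a list of audiences (RFC 7519, section 4.1.3).
        matched = rule["expected"] in value if isinstance(value, list) else value == rule["expected"]
        if rule["match"] and not matched:
            return False, f"{claim} mismatch"
    profile = {field: claims[src] for field, src in cfg["mapping"].items() if src in claims}
    if "ID" not in profile:
        return False, "ID mapping is required but the mapped claim is absent"
    return True, profile


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "id": "user-42",
                        "email": "user42@example.test", "nbf": now - 5, "exp": now + 300})
    print(redirect_url(token))
    print(validate_token(token))
```

Running the script prints the redirect URL the IDP would send the browser to and the mapped profile that a successful validation yields. The two security-relevant design choices are that the validator compares against the configured algorithm rather than whatever the token's header claims, and that the signature is checked with a constant-time comparison before any claim is read.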
Once your JWT Provider is configured, consider reviewing these resources to enhance your integration and customization further: