How do I get a JWT token?

Javascript Web Tokens (JWTs)

A token is basically a passport, it has information about the user, like the name, email, certificate origin (AWS, Google, etc), it has an expiration date, etc. This "passport" in the form of a long encoded token is the way we communicate with Hasura and the AWS API Gateway.

Hasura needs the token to know the roles of the user, and makes sure this token is valid by checking with AWS directly. The case is the same with AWS API Gateway, but the only difference is that we make the validation ourselves in the API.

To pass this token, we use the standard HTTP header Authorization , much like this:

Authorization: Bearer <TOKEN STRING HERE>

Tokens are currently programed to expire after one hour of use.

Not all Tokens are Created Equal

There are two types of tokens, AWS Cognito tokens and Single Sign-On. With these two types of tokens, there are two different environments: 1) Local/staging and 2) Production.

The main difference between the cognito token and the Single Sign-On is in the contents of the token, the SSO token is longer and has more information about Active Directory.

1) Local/Staging. The tokens for local/staging only work for local or staging use. This is true for the local/staging hasura, or local/staging API (flask app).

2) Production. The tokens for production, only work for the production hasura instance or the API.

Where can I find it?

1. Log in to Moped (if you need access to local/staging) launch the local instance or log in to the staging moped instance.

2. Once logged in, in Chrome find the developer console:

The token looks like this:

eyJraWQiOiJqVXltd2JzdFJFa1MwK2lEcjJoelk2amRHZFV5blA5TDFLeFVwa0Z4UXpBPSIsImFsZyI6IlJTMjU2In0.eyJhdF9oYXNoIjoiTlJpQnp1dDJ5SmFyN29KcFQxT20yQSIsInN1YiI6ImNlYjg1YTk5LTE3N2UtNDFjZS05MjVlLTZhZGIxM2E2M2Q5MCIsImNvZ25pdG86Z3JvdXBzIjpbInVzLWVhc3QtMV9VMmR6a3hmVHZfQXp1cmVBRCJdLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImh0dHBzOlwvXC9oYXN1cmEuaW9cL2p3dFwvY2xhaW1zIjoie1wieC1oYXN1cmEtdXNlci1pZFwiOiBcIjY0NmQxYjFmLTViMjctNDdjYi1hNGM5LTU4MzgwNjExMjQ1ZVwiLCBcIngtaGFzdXJhLWRlZmF1bHQtcm9sZVwiOiBcIm1vcGVkLXZpZXdlclwiLCBcIngtaGFzdXJhLWFsbG93ZWQtcm9sZXNcIjogW1wibW9wZWQtYWRtaW5cIl19IiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfVTJkemt4ZlR2IiwiY29nbml0bzp1c2VybmFtZSI6ImF6dXJlYWRfc2VyZ2lvLmdhcmNpYUBhdXN0aW50ZXhhcy5nb3YiLCJub25jZSI6InM4UzhFZnFwRkpvUk1ralZLa3NfR2E2QzE3RWFYMXlhTWFLWHU5MXJ5eU1nV013RzJEZW9BSEc0bklPcTVWUWtXZXVjX29nblBiYW9OUkRFc21ZM0tBbnlJLU9ya05qbG43cTdhUU9FTWRKbkpPRUxkZF9VTEIxd0hFSlNZTWwxS1FCdTRKWEc2bkN3VWlZVFdOQmhLV1FzTTNHQWJtb3ZKMXlmekQ3UGdRWSIsImF1ZCI6IjN1OW45MzczZTM3djYwM3RicDI1Z3M1ZmRjIiwiaWRlbnRpdGllcyI6W3sidXNlcklkIjoiU2VyZ2lvLkdhcmNpYUBhdXN0aW50ZXhhcy5nb3YiLCJwcm92aWRlck5hbWUiOiJBenVyZUFEIiwicHJvdmlkZXJUeXBlIjoiU0FNTCIsImlzc3VlciI6Imh0dHBzOlwvXC9zdHMud2luZG93cy5uZXRcLzVjNWUxOWY2LWE2YWItNGI0NS1iMWQwLWJlNDYwOGE5YTY3ZlwvIiwicHJpbWFyeSI6InRydWUiLCJkYXRlQ3JlYXRlZCI6IjE2MDUwMzI5MTI2NTAifV0sInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNjA3NTU0Nzg5LCJleHAiOjE2MDc1NTgzODksImlhdCI6MTYwNzU1NDc4OSwiZW1haWwiOiJTZXJnaW8uR2FyY2lhQGF1c3RpbnRleGFzLmdvdiJ9.j2WDK1wrFzZAdKjyOsyQxCcG43gw8D1DCy5p07h4Ay1dlgHhgNU0ERWY49UfNjk_ZCg59lafuJZ0pdu53XBkAFrb_y7ufn_-HAKCq5DsuVyPTExVQeo6sSEDrCuwZsjQfzp6OPOVG3MfQHN_K-Z7V__OWxf4o0GulMwy7mCB7luz9ySmOWlosXNsIUWZ1FlqymC9zA0meTObdrVAWqYJpfnozeu3ufc3_8Yli1Bks-c0Ggn_ZvL1wfMxCjyBvzMCnpBLd62NcOJogGBOX0rT57k9xJM9UIzV7gn3g8xV7P_Csx3WovsVgcH13YWYRoxq6K7NowY6bGjztgsSjF639Q

The decoded token looks like this, from this example, you can see this is a Single Sign-On token, given the extra identity details related to Microsoft AzureAD:

{
  "at_hash": "NRiBzut2yJar7oJpT1Om2A",
  "sub": "ceb85a99-177e-41ce-925e-6adb13a63d90",
  "cognito:groups": [
    "us-east-1_U2dzkxfTv_AzureAD"
  ],
  "email_verified": false,
  "https://hasura.io/jwt/claims": "{\"x-hasura-user-id\": \"646d1b1f-5b27-47cb-a4c9-58380611245e\", \"x-hasura-default-role\": \"moped-viewer\", \"x-hasura-allowed-roles\": [\"moped-admin\"]}",
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_U2dzkxfTv",
  "cognito:username": "azuread_sergio.garcia@austintexas.gov",
  "nonce": "s8S8EfqpFJoRMkjVKks_Ga6C17EaX1yaMaKXu91ryyMgWMwG2DeoAHG4nIOq5VQkWeuc_ognPbaoNRDEsmY3KAnyI-OrkNjln7q7aQOEMdJnJOELdd_ULB1wHEJSYMl1KQBu4JXG6nCwUiYTWNBhKWQsM3GAbmovJ1yfzD7PgQY",
  "aud": "3u9n9373e37v603tbp25gs5fdc",
  "identities": [
    {
      "userId": "Sergio.Garcia@austintexas.gov",
      "providerName": "AzureAD",
      "providerType": "SAML",
      "issuer": "https://sts.windows.net/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/",
      "primary": "true",
      "dateCreated": "1605032912650"
    }
  ],
  "token_use": "id",
  "auth_time": 1607554789,
  "exp": 1607558389,
  "iat": 1607554789,
  "email": "Sergio.Garcia@austintexas.gov"
}