Skip to main content

Authenticating Embedded Users

Authenticating users

One big advantage of embedding the Prismatic marketplace or integration designer is that users don't need to be assigned an additional set of credentials to remember. They can log in to your application, and you can provide them with an authentication token that allows them to deploy Prismatic integrations. You do this by generating a JSON Web Token (JWT) that is signed by a unique private key that you get from Prismatic. The JWT contains information about the user from your system. When Prismatic is presented a signed JWT, the JWT signature is verified and the user is granted a customer role of Marketplace, which allows them to deploy integrations for their specific customer in Prismatic.

JWT signing keys

Before you can generate a JWT, you will need a valid signing key from Prismatic. Within Prismatic click on your organization name on the bottom of the left-hand sidebar, and then open the Embedded tab. Click the + Add signing Key button. Note: You must be an owner or admin to create a signing key.

You will be presented with a private signing key. Store this key somewhere safe - it's the key you'll use to validate that users are authenticated within your application.

Get signing key in Prismatic app
Private keys are not stored in Prismatic

Prismatic does not store the private signing key that is generated, and only saves the last 8 characters so you can easily match up a private key you have with one in our system. Instead, we store the corresponding public key to verify signatures of JWTs you send. Save the private key that you generate somewhere safe. If it's ever compromised, or you lose it, you can deactivate old keys and generate a new one.

Importing your own private signing key

You can also import your own private signing key for embedded. The OpenSSL CLI tool is most commonly used for generating public/private keys pairs yourself:

# Generate a private key with 4096 bit encryption
openssl genrsa -out my-private-key.pem 4096

# Generate the corresponding public key
openssl rsa -in my-private-key.pem -pubout > my-public-key.pub

This will generate two files - a private key called my-private-key.pem and a public key called my-public-key.pub. Your public key will look like this:

-----BEGIN PUBLIC KEY-----
EXAMPLE
-----END PUBLIC KEY-----

Import the public key using the prism CLI tool:

prism organization:signing-keys:import -p my-public-key.pub

Create and sign a JWT

Now that you have a signing key, you can create and sign a JSON web token (JWT). Your backend API (not your frontend) should generate a JWT for your users, and your frontend client should request a signed JWT from your backend API.

Do your JWT generation on the backend

Generate the JWT tokens on the backend. Baking JWT generation (including the signing key) into your frontend presents a security problem - someone with the signing key could sign their own JWT and pretend to be anyone.

Most programming languages that APIs are written in have a JWT library for generating tokens - see jwt.io.

The JWT that you generate for a user should have the following properties:

  • The header should indicate that it's HMAC with SHA-256 encrypted, and should read: 
    {
      "alg": "RS256",
      "typ": "JWT"
    }
  • The private signing key you generated.
  • A payload with a few fields:
    • A unique user ID sub. This should generally be a UUID.
    • An optional external_id sets the external ID of the user in Prismatic. This generally matches the sub and represents the ID of the user in your system.
    • The user's name (optional)
    • Your organization ID, found on the Embedded tab where you generate signing certificates
    • The external ID of the customer the user belongs to
    • A signing time (current time) iat. This must be a number.
    • A role is only necessary for user level configuration (ULC). A role of "admin" gives the user the ability to deploy ULC instances. A role of "user" gives the user the ability to supply user configuration to an already deployed ULC instance. This value defaults to "admin".
    • An expiration time exp. This must be a number.
      Example JWT Payload
      {
        "sub": "2E52B7CB-071B-4EA2-8E9D-F64910EBDBB1",
        "external_id": "2E52B7CB-071B-4EA2-8E9D-F64910EBDBB1",
        "name": "Phil Embedmonson",
        "organization": "T3JnYW5pemF0aW9uOmU5ZGVhZDU5LWU3YzktNDNkMi1hNjhhLWFhMjcyMzEyMTAxNw==",
        "customer": "abc-123",
        "role": "admin",
        "iat": 1631676917,
        "exp": 1631680517
      }
Use unique identifiers as JWT subjects

The sub (subject) within the JWT identifies the user who is logged in to your system. The sub value can be any unique identifier - a UUID, email address, etc.

A customer user with that identifier will be created in Prismatic if it doesn't already exist, and will be granted permissions to configure and deploy instances to the customer they're assigned to (you assign the user to a customer in the examples below).

Here are a couple of code snippets for JavaScript and Python that would create a valid JWT to authenticate a user in Prismatic:

import jsonwebtoken from "jsonwebtoken";

/*
 This is for illustrative purposes only;
 Obviously don't hard-code a signing key in your code.
*/
const signingKey = `-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDP3+OrT0IXqCu4
EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEE
c5R7QVzxgmGRXjPZGPf5huA1
-----END PRIVATE KEY-----`;

const currentTime = Math.floor(Date.now() / 1000);

const token = jsonwebtoken.sign(
  {
    sub: "2E52B7CB-071B-4EA2-8E9D-F64910EBDBB1", // Some unique identifier for the user
    external_id: "2E52B7CB-071B-4EA2-8E9D-F64910EBDBB1", // Generally matches sub
    name: "Phil Embedmonson", // Optional
    organization:
      "T3JnYW5pemF0aW9uOmU5ZGVhZDU5LWU3YzktNDNkMi1hNjhhLWFhMjcyMzEyMTAxNw==",
    customer: "abc-123", // This is an external ID of a customer
    iat: currentTime,
    exp: currentTime + 60 * 60, // 1 hour from now
  },
  signingKey, // Store this somewhere safe
  { algorithm: "RS256" },
);

An example NextJS implementation of JWT generation is available in GitHub.

Use the JWT to authenticate the user

Now that a user in your application has a signed JWT from the backend, you can authenticate them with the Prismatic library using the prismatic.authenticate() function in your frontend application:

// Some function that fetches the JWT from your API:
const token = getJwtToken();

try {
  await prismatic.authenticate({ token });
} catch (error) {
  console.error(`Authentication failed with error ${error}`);
}

If your customer or organization ID in your JWT are incorrect, if your JWT is not signed correctly, or if the JWT is expired, prismatic.authenticate() will throw an error.

For an example React hook that wraps the prismatic.authenticate() function, see the GitHub.

Refreshing an embedded JWT

If a customer user's JWT expires, the customer user will see a 404 in their embedded iframe. To reauthenticate a user prior to expiration, ensure that your frontend app fetches a new token for your user and then run prismatic.authenticate({ token }) with the new token. Existing iframes and the embedded client will be updated to use the new token.