The authentication token contains the ID of the application to which a client system is requesting access. The application has two attributes: an application ID and an application secret. The secret is a cryptographic value used to sign the token, which proves the authenticity of the caller; it must therefore be shared between the client and the server. The authentication endpoint verifies the signature and, if the client request is allowed, grants access to the application.
The client creates the authentication token by including the application ID as a claim and signing the token with the application secret. The authentication token must carry the following claims, which are registered claims conforming to the JWT standard:

exp: Date and time when the token expires and is no longer valid for processing, as Unix epoch time in seconds.
     The longest time-span honored by the service is 30 minutes from the value specified in the iat claim. Specifying a longer time-span results in an HTTP 400 (Bad Request) response from the server.
iat: Time when the token was issued, as Unix epoch time in seconds.
iss: The principal issuing the token, which is http://cylance.com.
jti: Unique ID for the token, which can be used to prevent replay attacks.
sub: Subject of the token; this holds the application ID.
tid: Tenant ID (available on the Integrations page in the console).
Authentication token - adding required token claims
// Build the claim set in C#. ToUnixTimestamp() is the extension helper used on this page;
// it converts a DateTime to seconds since the Unix epoch.
DateTime now = DateTime.UtcNow;
long unixTimestamp = now.ToUnixTimestamp();
token.Claims.Add("iss", "http://cylance.com");                                        // issuer
token.Claims.Add("iat", unixTimestamp);                                               // issued at
token.Claims.Add("exp", now.AddMinutes(1).ToUnixTimestamp());                         // expiry; at most 30 minutes after iat
token.Claims.Add("sub", "k45f6798092hjdhs836h");                                      // application ID
token.Claims.Add("jti", "k45f6798092hjdhs836h+d82c7976-ef46-47b6-80ce-4dda3c91bba3"); // unique token ID (application ID + GUID)
token.Claims.Add("tid", "f00e9987-ee61-57b7-80cf-5eeb3d02ccb4");                      // tenant ID
token.Claims.Add("scp", "policy:create, policy:list, policy:read, policy:update");    // requested scopes
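The full round trip described above, as an added example (not Cylance's own code or SDK): the client assembles the required claims and signs them with the application secret using HS256, and the server side verifies the signature, enforces the 30-minute cap on exp relative to iat, rejects expired tokens, and uses jti as a replay cache. The secret, tenant ID and scope strings are constructed sample values; the stdlib is used in place of a JWT library so the check runs offline.

```python
import base64, hashlib, hmac, json, time, uuid

ISSUER = "http://cylance.com"
MAX_LIFETIME = 30 * 60  # the service honours at most 30 minutes from iat
REQUIRED = ("exp", "iat", "iss", "jti", "sub", "tid")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _segment(obj) -> str:  # compact JSON -> base64url JWT segment
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def build_auth_token(app_id, app_secret, tenant_id, scope, lifetime_s=60, now=None):
    # Client side: assemble the required claims and sign them with the application secret (HS256).
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "iat": now, "exp": now + lifetime_s,
              "sub": app_id,                        # application ID
              "jti": f"{app_id}+{uuid.uuid4()}",    # unique per token so the server can reject replays
              "tid": tenant_id, "scp": scope}
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_auth_token(token, app_secret, seen_jtis, now=None):
    # Server side: returns (claims, "ok") or (None, reason); seen_jtis is the replay cache (a set).
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm before anything else
        return None, "unexpected alg"
    expected = hmac.new(app_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if any(c not in claims for c in REQUIRED):
        return None, "missing claim"
    if claims["iss"] != ISSUER:
        return None, "bad issuer"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return None, "lifetime exceeds 30 minutes"  # the service answers HTTP 400 here
    if now >= claims["exp"]:
        return None, "expired"
    if claims["jti"] in seen_jtis:
        return None, "replayed jti"
    seen_jtis.add(claims["jti"])
    return claims, "ok"
```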