API Access and Identity Tokens

All tokens issued by the Authorization Server should follow the JSON Web Token (JWT) standard. Tokens must be signed with the SOTI Cloud Link Agent Authorization Server’s signing certificate.

You can configure the signing certificate using PowerShell. Learn more at PowerShell Commands.

The signing certificate must have:

  • A signature (SHA-256)
  • An RSA key with the length 2048
  • A validity period of 2 years.
  • Extended Key Usage XCN_OID_KP_DOCUMENT_SIGNING(1.3.6.1.4.1.311.10.3.12)
  • The recommended API: JwtSecurityTokenHandler class.

Audience

Each API method must validate the audience in the JWT to ensure that the client is authorized by the Authorization Server to call the particular API.

Validation

Each API method must have full JWT validation as described in JSON Web Token Best Current Practices.

JWT Validity Period

You can edit token validity periods with PowerShell. The following default settings are recommended:

  • Authenticated user identity token: 5 minutes
  • API access token: up to 30 minutes

See the OWASP Cheat Sheet Series: Session Management Cheat Sheet for more information.