API Access and Identity Tokens
All tokens issued by the Authorization Server should follow the JSON Web Token (JWT) standard. Tokens must be signed with the SOTI Cloud Link Agent Authorization Server’s signing certificate.
You can configure the signing certificate using PowerShell. Learn more at PowerShell Commands.
The signing certificate must have:
- A SHA-256 signature
- An RSA key with a length of 2048 bits
- A validity period of 2 years
- Extended Key Usage XCN_OID_KP_DOCUMENT_SIGNING (1.3.6.1.4.1.311.10.3.12)
The recommended API for issuing and validating tokens is the JwtSecurityTokenHandler class.
Audience
Each API method must validate the audience in the JWT to ensure that the client is authorized by the Authorization Server to call the particular API.
Validation
Each API method must have full JWT validation as described in JSON Web Token Best Current Practices.
JWT Validity Period
You can edit token validity periods with PowerShell. The following default settings are recommended:
- Authenticated user identity token: 5 minutes
- API access token: up to 30 minutes
See the OWASP Cheat Sheet Series: Session Management Cheat Sheet for more information.
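The following C# example is added here to show how an API method can check the signing certificate against the requirements above and then run full JWT validation (signature, issuer, audience, lifetime, algorithm) with JwtSecurityTokenHandler, also enforcing the 30-minute API access token maximum; it is not SOTI's own code, and the class name, issuer URL and audience value are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper for a Cloud Link Agent API method (class and method names assumed).
public static class AgentTokenValidation
{
    // OID from the certificate requirements list (XCN_OID_KP_DOCUMENT_SIGNING).
    const string DocumentSigningOid = "1.3.6.1.4.1.311.10.3.12";
    // sha256RSA signature algorithm OID.
    const string Sha256RsaOid = "1.2.840.113549.1.1.11";

    // Reject a signing certificate that does not meet the listed requirements.
    public static bool IsAcceptableSigningCertificate(X509Certificate2 cert)
    {
        bool sha256 = cert.SignatureAlgorithm.Value == Sha256RsaOid;
        using RSA? rsa = cert.GetRSAPublicKey();
        bool rsa2048 = rsa != null && rsa.KeySize == 2048;
        // Two years, allowing one leap day (assumed tolerance).
        bool twoYears = (cert.NotAfter - cert.NotBefore).TotalDays <= 731;
        bool eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .Any(e => e.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == DocumentSigningOid));
        return sha256 && rsa2048 && twoYears && eku;
    }

    // Full validation of an API access token; throws SecurityTokenException on any failure.
    public static ClaimsPrincipal ValidateApiToken(string jwt, X509Certificate2 signingCert,
                                                   string expectedAudience)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new X509SecurityKey(signingCert),   // pin to the AS certificate
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // no "none", no HMAC
            ValidateIssuer = true,
            ValidIssuer = "https://cloudlink.example/auth",          // assumed issuer value
            ValidateAudience = true,
            ValidAudience = expectedAudience,                        // this API's own audience
            ValidateLifetime = true,
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken validated);
        var token = (JwtSecurityToken)validated;
        // Enforce the recommended maximum lifetime: exp - iat must not exceed 30 minutes.
        if (token.IssuedAt == DateTime.MinValue || token.ValidTo - token.IssuedAt > TimeSpan.FromMinutes(30))
            throw new SecurityTokenException("API access token lifetime exceeds 30 minutes or lacks iat");
        return principal;
    }
}
```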