Higher Logic has created a JSON Web Token (JWT) control (Common:Jwt:LinkOrButton) that calls a URL with information about the current user passed in a token. The token is signed, so the receiving application can verify the integrity of the claims it contains, but it is not encrypted. The JWT and the data it contains:
- are not encrypted (anyone who obtains the token can read the claims),
- are base64url encoded, and
- are signed using HMAC-SHA256 (JWT header "alg": "HS256").
This can be used in a variety of ways to pass information about the logged-in user from Higher Logic to a third-party application. The token, which is appended to the RedirectUrl as the authtoken query-string parameter, asserts the following claims:
- ContactKey - the ID of the user in Higher Logic
- LegacyContactKey - the ID of the user in the integrated CRM/AMS database
- TenantCode - the customer's tenant ID
- FirstName - the first name of the logged-in user
- LastName - the last name of the logged-in user
- EmailAddress - the email address of the logged-in user
- CommunityKey - the ID of the related community (included only if the logged-in user is coming from a community within a tenant)
Other static claims can be added through the ExtendedClaimsJson parameter of the control.
IMPORTANT: Starting in 2020, the Jwt:LinkOrButton control is only available to Higher Logic staff. If you want to use this functionality, create a case with Higher Logic Support with:
- the name of the page (or pagecode) this control should be added to,
- the control's location on that page, and
- what the control's parameters should be.
Available parameters
- RedirectUrl (required) - The destination URL of the third-party application.
NOTE: The equals sign ( = ) cannot be used in the URL. If you have to pass values, use the ExtendedClaimsJson parameter.
- ProductId - A site admin can set this value directly on the control instead of supplying it in the query string.
- IncludeProductId (default = FALSE) - When set to TRUE and a ProductId is available (from the query string or set on the control), the value is included as a ProductId claim in the token; when UseProductIdInUrlPath is also TRUE it is appended to the RedirectUrl path as well (the example below shows both).
- UseProductIdInUrlPath (default = FALSE) - When set to TRUE, together with IncludeProductId = TRUE and an available ProductId, the value is appended to the path of the RedirectUrl.
- AutoRedirect (default = FALSE) - When set to TRUE, automatically redirects the visitor to the RedirectUrl with the token appended, without waiting for a click. To use this control within a community to pass user information to a third party, create a new hidden page in the Higher Logic CMS and place the control there.
- SecretName (required) - The name of a parameter, stored with the prefix "jwt_" in the Higher Logic Thrive Community (Thrive Community) site's configuration table, whose value is the shared secret used as the HMAC key to sign the JWT. The receiving application needs the same secret to verify the signature.
NOTE: Use our JWT key generator to generate the secret. The name should identify the vendor company or application the secret is shared with.
- ExpireMinutes (default = 20) - The number of minutes for which the JWT is valid after it is issued (the exp claim is set to the issue time plus this many minutes).
- ExtendedClaimsJson - A string of additional static values that can be passed as claims in the JWT. For example "[{'Name':'gid','Value':'200'},{'Name':'rid','Value':'524'}]"
- IsButton (default = FALSE) - TRUE if the control is to be a button; FALSE if it is a link.
- Text - The text to be displayed in the link or on the button.
- ButtonBootstrapClass (default = "btn-default") - Text field to define the CSS class of the button to be displayed.
- Target (default = "_self") - The target attribute of the link or button (e.g., "_blank", "_top")
Example
Let's take a look at the Common:Jwt:LinkOrButton control with the following parameters:
- RedirectUrl=https://hlqatestb.connectedcommunity.org/ross-test
- SecretName="jwt_marketingautomation"
- Text="Local Test"
- IncludeProductId="True"
- UseProductIdInUrlPath="True"
- AutoRedirect="False"
- ProductId="consume-jwt"
- ExtendedClaimsJson="[{'Name':'Ross','Value':'Boss'}]"
With the parameters above, the control renders the text "Local Test" as a hyperlink that points to:
https://hlqatestb.connectedcommunity.org/ross-test/consume-jwt?authtoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJDb250YWN0S2V5IjoiN2YyZGU1NzEtOTJlOC00OWIwLWJhMTItMjc0MTNiZjk5Yzk1IiwiTGVnYWN5Q29udGFjdEtleSI6IkhMMCIsIkZpcnN0TmFtZSI6IlN1cGVyTWFuIiwiTGFzdE5hbWUiOiJXYXNIZXJlIiwiRW1haWxBZGRyZXNzIjoic3lzdGVtQGhpZ2hlcmxvZ2ljLm9yZyIsIlRlbmFudENvZGUiOiJCIiwiUm9zcyI6IkJvc3MiLCJQcm9kdWN0SWQiOiJjb25zdW1lLWp3dCIsIm5iZiI6MTUyMDk2MTAzMSwiZXhwIjoxNTIwOTYyMjMxLCJpYXQiOjE1MjA5NjEwMzF9.urt_x2LqwCkIMhSTyvU2gs7i1jcSwW1z8VllLVnDqMI
Note that the ProductId, consume-jwt, is included in the path of the URL, per the IncludeProductId and UseProductIdInUrlPath parameters. The decoded payload (the middle, base64url-encoded segment of the token) contains:
{
"ContactKey": "7f2de571-92e8-49b0-ba12-27413bf99c95",
"LegacyContactKey": "HL0",
"FirstName": "SuperMan",
"LastName": "WasHere",
"EmailAddress": "system@higherlogic.org",
"TenantCode": "B",
"Ross": "Boss",
"ProductId": "consume-jwt",
"nbf": 1520961031,
"exp": 1520962231,
"iat": 1520961031
}
The extended claim "Ross": "Boss" is also included in the JWT. The receiving application can use these claims to identify the current user and make subsequent API calls to get more information about the user. Before trusting any claim it must verify the HMAC-SHA256 signature with the shared secret, confirm that the alg header is HS256, and check that the current time lies between nbf and exp; because the payload is only base64url encoded, anyone can read or fabricate claims, and the signature is the only thing that distinguishes a genuine token from a forged one. Since the token travels in the authtoken query string, it can also end up in browser history, referrer headers and server logs, which is why ExpireMinutes should be kept short.
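The receiving side of this exchange, as an added example that is not part of this page or of Higher Logic's code: a standard-library Python script that builds a token with the same claim layout the control emits (modelled on the decoded example above; the control's own signing code is not shown here) and then verifies a token taken from the authtoken parameter of the RedirectUrl, rejecting a wrong secret, a tampered payload, an "alg": "none" header and an expired token. The shared secret and the user claims are constructed for the example; the token copied from the page is decoded but cannot be verified because its secret is not known.

```python
"""Build and verify a Common:Jwt:LinkOrButton-style HS256 token with the standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed shared secret for this example (not a real "jwt_..." configuration value).
EXAMPLE_SECRET = "example-shared-secret-not-a-real-key"

# The token from the worked example on this page, copied verbatim; its signing secret is unknown here.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJDb250YWN0S2V5IjoiN2YyZGU1NzEtOTJlOC00OWI"
    "wLWJhMTItMjc0MTNiZjk5Yzk1IiwiTGVnYWN5Q29udGFjdEtleSI6IkhMMCIsIkZpcnN0TmFtZSI6IlN1cGVyTWF"
    "uIiwiTGFzdE5hbWUiOiJXYXNIZXJlIiwiRW1haWxBZGRyZXNzIjoic3lzdGVtQGhpZ2hlcmxvZ2ljLm9yZyIsIlRlbm"
    "FudENvZGUiOiJCIiwiUm9zcyI6IkJvc3MiLCJQcm9kdWN0SWQiOiJjb25zdW1lLWp3dCIsIm5iZiI6MTUyMDk2"
    "MTAzMSwiZXhwIjoxNTIwOTYyMjMxLCJpYXQiOjE1MjA5NjEwMzF9.urt_x2LqwCkIMhSTyvU2gs7i1jcSwW1z8VllLVnDqMI"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token(claims: dict, secret: str, expire_minutes: int = 20,
                now: Optional[int] = None) -> str:
    """Lay the token out like the control does (assumed from the decoded example):
    HS256 over header.payload, nbf and iat at issue time, exp = iat + ExpireMinutes * 60."""
    now = int(time.time()) if now is None else now
    payload = dict(claims)
    payload.update({"nbf": now, "exp": now + expire_minutes * 60, "iat": now})
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def read_claims_unverified(token: str) -> dict:
    """The payload is only base64url encoded: anyone holding the token can read it.
    Never act on this result; it is here to show why signature verification matters."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper(token: str, **changes) -> str:
    """Rewrite claims without re-signing, which is all an attacker without the secret can do."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    forged = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([header_b64, forged, sig_b64])


def verify_token(token: str, secret: str, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Return the claims only if alg is HS256, the HMAC matches and nbf <= now < exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: a verifier that honours the token's own 'alg' can be
    # talked into 'none' or into treating the HMAC secret as a public key.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now >= exp + leeway:
        raise ValueError("token expired or has no exp")
    if isinstance(nbf, int) and now + leeway < nbf:
        raise ValueError("token not yet valid")
    return claims


def claims_from_redirect(url: str, secret: str, now: Optional[int] = None) -> dict:
    """What the RedirectUrl endpoint does: take authtoken from the query string and verify it."""
    tokens = parse_qs(urlsplit(url).query).get("authtoken", [])
    if len(tokens) != 1:
        raise ValueError("expected exactly one authtoken parameter")
    return verify_token(tokens[0], secret, now=now)


if __name__ == "__main__":
    # Constructed claims matching the page's example user plus the static extended claim.
    user = {"ContactKey": "7f2de571-92e8-49b0-ba12-27413bf99c95", "LegacyContactKey": "HL0",
            "FirstName": "SuperMan", "LastName": "WasHere", "EmailAddress": "system@higherlogic.org",
            "TenantCode": "B", "Ross": "Boss", "ProductId": "consume-jwt"}
    issued = 1520961031
    token = build_token(user, EXAMPLE_SECRET, now=issued)
    url = "https://hlqatestb.connectedcommunity.org/ross-test/consume-jwt?authtoken=" + token
    print("verified:", claims_from_redirect(url, EXAMPLE_SECRET, now=issued)["EmailAddress"])
    print("readable without the secret:", read_claims_unverified(PAGE_TOKEN)["ContactKey"])
    try:
        verify_token(tamper(token, ContactKey="someone-else"), EXAMPLE_SECRET, now=issued)
    except ValueError as err:
        print("rejected forged claims:", err)
```

The verifier never reads "alg" to choose how to check the signature, compares the MAC in constant time, and treats a missing exp as a failure rather than as "never expires"; the leeway argument is the only clock tolerance you should allow, and it should be a few seconds at most given the 20-minute default lifetime.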