Seamless login using JWT Token
How It Works:
- The Tenant generates a JWT token containing the user details, i.e., email and/or mobile number.
- The JWT token is then passed to Mondia via an iframe.
- Mondia validates the token and extracts the user details for authentication.
Mondia supports the industry-standard JWT signing algorithms.
- Algorithm Used (HS256 or RS256)
The Tenant may choose either of the following, depending on its security policy:
- RS256 (RSA Public/Private Key Pair)
  - Tenant signs the JWT using their private key.
  - Mondia verifies it using Tenant's public key.
- HS256 (HMAC + Shared Secret)
  - A shared secret key is used between Tenant and Mondia.
What Tenant Must Provide to Mondia
Depending on the chosen algorithm, Tenant must provide:
- If Tenant uses RS256, Tenant must share one of the following with Mondia:
  - Public Key (PEM Format)
    Example:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuE3...
    -----END PUBLIC KEY-----
  - JWKS URL (If Tenant prefers automated key rotation)
    Example: https://tenant.com/.well-known/jwks.json
- If Tenant uses HS256, Tenant must share:
  - Base64-encoded shared secret (min 32 chars)
Example of JWT Token (Encoded) from Tenant:
- The Tenant is expected to pass the token to Mondia within the iframe (the token was generated and signed by Tenant):
iFrame sample with encoded Token
<iframe src="https://mondia-portal.com?token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImN1c3RvbWVyQHZpc2EuY29tIiwibW9iaWxlIjoiKzQ5MTIzNDU2Nzg5IiwiaXNzIjoiVklTQSIsImF1ZCI6Ik1vbmRpYVBvcnRhbCIsImV4cCI6MTc0ODEyMDgwMH0.pD1b..."></iframe>
Decoded Token
Header
{
  "alg": "RS256",
  "typ": "JWT"
}
Payload
{
  "mobile": "+XXXXXXXX", // if available
  "userId": "12345678", // the user Id inside the partner system
  "email": "[email protected]", // if available
  "iss": "partner",
  "aud": "MondiaPortal",
  "exp": 1748120800
}
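The validation step ("Mondia validates the token and extracts the user details") for the HS256 option, as an added example that is not Mondia's code. It pins the algorithm registered for the tenant instead of trusting the token header, then checks `iss`, `aud` and `exp`. Assumptions: the `tenant` record layout, the function names, the sample secret, and that the HMAC key is the decoded bytes of the shared Base64 secret.

```python
import base64, hashlib, hmac, json, time

# Constructed sample secret (not from the page); assumption: the HMAC key is
# the decoded bytes of the Base64 string the tenant shares.
SAMPLE_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-0123456789abcdef").decode()

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(secret, header_b64, payload_b64):
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Tenant side: sign the claims (used here only to build sample tokens)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(_mac(secret, header_b64, payload_b64))}"

def verify_token(token, tenant, now=None):
    """Receiving side: return the verified claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad Base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm registered for this tenant; the header only has to match it.
    if not isinstance(header, dict) or header.get("alg") != tenant["alg"]:
        raise ValueError("algorithm mismatch")
    if tenant["alg"] != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    if not hmac.compare_digest(_mac(tenant["secret"], header_b64, payload_b64), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # parsed only after the MAC checks out
    if not isinstance(claims, dict):
        raise ValueError("malformed token")
    if claims.get("iss") != tenant["iss"] or claims.get("aud") != "MondiaPortal":
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    if not (claims.get("email") or claims.get("mobile")):
        raise ValueError("no user identifier")
    return claims
```

RS256 verification needs an RSA library and is not shown; the same algorithm pinning and claim checks apply to it.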
