JWT Authentication Flow
Token-based authentication and multi-tenant claims architecture
Executive Summary
AIUsagePlatform uses JWT (JSON Web Token) bearer authentication with RS256 (RSA + SHA256) signing. Tokens carry identity claims including UserId, OrganizationId, Role, and Permissions for distributed validation without database lookups.
- RS256 Signing: asymmetric keys, key rotation ready
- Short-Lived: access token 15 min, refresh 7 days
- Tenant Context: OrganizationId embedded in claims
- Warning, No Token Revocation: compromised tokens valid until expiry
Authentication Flow
JWT Authentication Flow (Client (Angular) and Identity Server (AuthController)):
1. Client sends POST /api/auth/login with { email, password }.
2. Identity Server validates the password, checks user status, and loads roles/permissions.
3. Identity Server generates tokens:
   - Access token (JWT): exp 15 min; claims sub, org, role, perm
   - Refresh token: exp 7 days; stored in DB
4. Identity Server responds with { accessToken, refreshToken, user }.

SUBSEQUENT API CALLS:
1. Client sends GET /api/admindashboard with Authorization: Bearer eyJhbGciOiJSUzI1Ni...
2. [Authorize] validates the JWT: signature (RS256), expiration, issuer/audience.
3. Claims are extracted: sub (user-id), org (org-id), role (Admin), perm ([...]).
4. MultiTenantMiddleware validates org access and attaches the tenant context.
5. Server responds with { dashboard data }.
JWT Claims Structure
| Claim | Type | Description | Example |
|---|---|---|---|
| sub | string (GUID) | Subject (User ID) | usr_12345678-... |
| email | string | User email address | admin@acme.com |
| org | string (GUID) | Organization ID (tenant) | org_87654321-... |
| role | string | Primary role name | Admin |
| role_level | integer | Role hierarchy level | 50 |
| permissions | JSON array | Granted permissions | ["Users.View", "Reports.Create"] |
| iss | string | Token issuer | AIUsagePlatform |
| aud | string | Token audience | AIUsagePlatform.API |
| exp | Unix timestamp | Expiration time | 1704067200 |
| iat | Unix timestamp | Issued at time | 1704066300 |
| jti | string (GUID) | Unique token ID | tok_abc123... |
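Minting the access token with the claim set from the table above, as an added example that is not the project's own code: it assumes an RSA private key and a kid value supplied by the server's key store, and uses the System.IdentityModel.Tokens.Jwt package.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;

public static class AccessTokenIssuer
{
    // privateKey and keyId are assumed to come from the server's key store (not shown here)
    public static string Issue(RSA privateKey, string keyId, string userId, string email,
        string orgId, string role, int roleLevel, IReadOnlyList<string> permissions)
    {
        var now = DateTime.UtcNow;
        // KeyId becomes the "kid" header, so validators can pick the right JWKS key after rotation
        var signingKey = new RsaSecurityKey(privateKey) { KeyId = keyId };
        var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Email, email),
            new Claim("org", orgId),   // tenant boundary read by MultiTenantMiddleware
            new Claim("role", role),
            new Claim("role_level", roleLevel.ToString(), ClaimValueTypes.Integer32),
            // JsonArray value type keeps "permissions" a real JSON array in the payload, not a string
            new Claim("permissions", JsonSerializer.Serialize(permissions), JsonClaimValueTypes.JsonArray),
            // jti is what a revocation list keys on: one random id per token
            new Claim(JwtRegisteredClaimNames.Jti, "tok_" + Guid.NewGuid().ToString("N")),
        };

        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "AIUsagePlatform",
            Audience = "AIUsagePlatform.API",
            Subject = new ClaimsIdentity(claims),
            IssuedAt = now,                // iat
            NotBefore = now,
            Expires = now.AddMinutes(15),  // exp: short-lived access token
            SigningCredentials = credentials,
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }
}
```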
Token Security Properties
Access Token
- Lifetime: 15 minutes
- Algorithm: RS256 (RSA 2048-bit)
- Key ID: kid header for rotation
- Storage: Memory only (Angular)
Refresh Token
- Lifetime: 7 days
- Storage: HTTP-only secure cookie
- Database: Hashed in RefreshTokens table
- Rotation: New token on each use
Security Headers
- Strict-Transport-Security
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Content-Security-Policy
Token Validation Pipeline
JWT Validation Pipeline (ASP.NET Core middleware pipeline):
1. Authentication Middleware
   - Extract Bearer token from Authorization header
   - Parse JWT headers (alg, typ, kid)
   - Fetch public key from JWKS endpoint (cached)
   - Verify RS256 signature
   - Build ClaimsPrincipal from JWT claims
2. MultiTenantIsolationMiddleware
   - Extract "org" claim from Identity
   - If SuperAdmin: bypass tenant checks (special handling)
   - Validate organization exists and is Active
   - Check subscription status (not Expired/Suspended)
   - Attach X-Tenant-* headers to response
3. Authorization Middleware
   - [Authorize]: check authenticated
   - [Authorize(Roles="Admin")]: check role claim
   - [HasPermission]: check permissions claim
4. Rate Limiting Middleware
   - Identify client by UserId from claims
   - Check rate limit counters (Redis)
   - Reject if exceeded (429 Too Many Requests)
Security Concerns
No Token Revocation List
Compromised tokens remain valid until expiry. A Redis blacklist is needed for logout scenarios.
Refresh Token Long Lifetime
The 7-day refresh token increases the window of compromise. Consider a shorter lifetime (1-3 days) with sliding expiration.
RS256 Asymmetric Signing
Private key on server only. Public key can be rotated without client changes. Good practice.
HTTP-Only Refresh Token
Refresh token stored in secure, HTTP-only cookie prevents XSS theft.
Recommended Enhancements
Token Revocation (Redis)
Store revoked token JTIs in Redis with TTL matching token expiry. Check on each request.
Priority: High
Device Fingerprinting
Bind tokens to device fingerprint (hash). Reject if fingerprint mismatch (token theft detection).
Priority: Medium
Concurrent Session Limit
Enforce max 3-5 concurrent sessions per user. Invalidate oldest on new login.
Priority: Medium
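The JwtBearer configuration for steps 1 and 3 of the validation pipeline above, together with the Redis-backed jti revocation recommended in this section, as an added example that is not the project's own code. It assumes an RSA public key supplied by the caller, an IDistributedCache registered against Redis, and a constructed key prefix "revoked:" for the revocation entries.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtValidationSetup
{
    // publicKey is assumed to be the current signing key (in production: resolved by kid from JWKS)
    public static void AddPlatformJwt(this IServiceCollection services, RSA publicKey)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
        {
            options.MapInboundClaims = false; // keep "sub", "org", "role" names exactly as issued
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new RsaSecurityKey(publicKey),
                ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // accept RS256 only
                ValidateIssuer = true, ValidIssuer = "AIUsagePlatform",
                ValidateAudience = true, ValidAudience = "AIUsagePlatform.API",
                ValidateLifetime = true, RequireExpirationTime = true,
                ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 min, too loose for 15-min tokens
                RoleClaimType = "role", // lets [Authorize(Roles = "Admin")] read the "role" claim
            };
            options.Events = new JwtBearerEvents
            {
                // Runs only after signature, exp, iss and aud have passed: enforce the revocation list
                OnTokenValidated = async ctx =>
                {
                    var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                    if (string.IsNullOrEmpty(jti)) { ctx.Fail("token has no jti"); return; }
                    var cache = ctx.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();
                    if (await cache.GetStringAsync("revoked:" + jti) != null) ctx.Fail("token revoked");
                }
            };
        });
    }
    // Called on logout: the Redis entry expires with the token (plus skew), so the list stays bounded
    public static Task RevokeAsync(IDistributedCache cache, JwtSecurityToken token)
    {
        var ttl = token.ValidTo - DateTime.UtcNow + TimeSpan.FromSeconds(30);
        if (ttl <= TimeSpan.Zero) return Task.CompletedTask; // already unusable, nothing to store
        return cache.SetStringAsync("revoked:" + token.Id, "1",
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = ttl });
    }
}
```

RevokeAsync needs the parsed token of the session being logged out; the TTL matches the "TTL matching token expiry" recommendation so entries disappear once the token could no longer be accepted anyway.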