How NXLog Platform uses JSON Web Tokens (JWT)
NXLog Platform relies on JWT cookies for authenticated sessions. In short, a JSON Web Token consists of three parts:
- The header contains information related to the signing algorithm and token type.
- The payload includes the body and information about the JWT.
- A signature, produced using a secret key, asserts that the token is from a trusted source.
JWT keys implementation
NXLog Platform components use the JWT signing keys when a user authenticates and for each API call to verify that the supplied JWT is signed by a trusted source.
NXLog Platform uses two keys for signing session cookies:
- The SSO JWT signing key to sign Single Sign-On session cookies.
- The Clients JWT signing key to sign client application (e.g., the portal UI and agent management API) session cookies.
JWT key rotation
In the unlikely event that an attacker gets hold of your private keys, they could use them to attempt to access the system. However, NXLog Platform validates the request payload, so the attacker must also determine how to craft a valid payload.
We recommend periodically rotating the JWT signing keys to reduce the risk of your system being compromised. Signing keys do not have specific format requirements, but we strongly advise using industry-standard formats for opaque strings (for example, a long random string generated by a cryptographically secure random number generator).
You can set the JWT signing keys from Administration > Tenant Operations > Platform Configuration under the General section. See Platform configuration for more information.
Impact of changing the JWT signing keys
Existing client sessions are invalidated when you change the JWT signing keys and restart NXLog Platform. While this is not a critical issue, it affects the user experience, since users need to re-authenticate. Take this into consideration when deciding on the key rotation period. We recommend finding a suitable balance that does not compromise security or user experience.
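The following Python script is an added illustration of the three-part token structure described above and of why rotating a signing key invalidates existing sessions. It is not NXLog code and it does not reproduce how NXLog Platform builds its cookies; it assumes an HMAC-SHA256 (HS256) signing scheme and uses only the Python standard library. The key generator shows one "industry-standard opaque string" format: 32 bytes from a CSPRNG, URL-safe base64 encoded.

```python
"""Minimal HS256 JWT signer/verifier to show key rotation effects.

Added example, not NXLog's implementation. Assumes HS256 and a
shared-secret key supplied as a string.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped at encode time before decoding
    return base64.urlsafe_b64decode((text + "=" * (-len(text) % 4)).encode("ascii"))


def generate_signing_key() -> str:
    # 32 random bytes from a CSPRNG, base64url encoded: an opaque string in a
    # standard format, suitable as a rotated signing key
    return secrets.token_urlsafe(32)


def sign_jwt(payload: dict, key: str) -> str:
    """Build header.payload.signature with HS256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is valid under `key`, else None.

    Validation order: structure, pinned algorithm, signature (constant-time
    compare), then expiry. Any malformed segment yields None rather than an
    exception, so callers can treat None uniformly as "re-authenticate".
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose how it is verified
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return None
    return payload


def sessions_valid_after_rotation(tokens, new_key: str, now: int) -> int:
    """Count how many previously issued tokens still verify under a new key."""
    return sum(1 for t in tokens if verify_jwt(t, new_key, now) is not None)


if __name__ == "__main__":
    # Constructed demo: issue a session under key A, then rotate to key B
    key_a = generate_signing_key()
    token = sign_jwt({"sub": "alice", "exp": int(time.time()) + 3600}, key_a)
    print("segments:", len(token.split(".")))          # 3
    print("valid under key A:", verify_jwt(token, key_a) is not None)  # True
    key_b = generate_signing_key()
    print("valid under key B:", verify_jwt(token, key_b) is not None)  # False
```

Running the script shows that a session cookie signed before rotation fails signature verification under the new key, which is exactly the re-authentication effect the page describes; the `sessions_valid_after_rotation` helper lets you estimate the impact for a batch of issued tokens.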