A jwt is comprised of 3 sections of url base64 encoded strings of data separated by a period. The first 2 sections are JSON objects while the last section is a digital signature that has been url base64 encoded. The sections are as such:
- header - A small JSON object that specifies what type of algorithm was used to generate the digital signature. This section is denoted in the below example in red.
- payload - A JSON object that contains the data being sent from one party to another. This is where all request data the merchant sends to Cardinal lives, and vise versa. This section is denoted in the below example in green.
- signature - A url base64 encoded hash value of the header and payload. This is used to verify the contents of the jwt have not been tampered with. Signatures are generated using a shared secret value so only the creator and consumer have the ability to create the signature. As long as the shared secret stays a secret between the 2 parties no one should be able to spoof the signature. Signatures are verified by the consumer recreating the hash value and checking that it matches to the one attached to the jwt. This section is denoted below in blue.
JWT and Cardinal Cruise
Cardinal Cruise leverages JWT's as a vehicle to send signed data to and from the merchant. The Merchant is required to send a JWT on any valid Cardinal Cruise request. They can optionally send additional, or newer data by using Songbird to append additional data to your request. However JWT's are the preferred method of passing data, as the data is signed and we can verify that it has not been tampered with. Data sent by Songbird does not include this additional layer of security. Cardinal will always reply back with a JWT signed with the merchants Api Key when it can. This allows the merchant the ability to validate that the response from Cardinal has not been tampered with.
Request JWT's are JWT's that have been created by the merchant to be sent to Cardinal. These JWT's are, at minimum, used to authenticate the merchant with Cardinal Servers.
An authentication JWT is a JWT being used simply to authenticate the merchant. This means there is no transactional data with the JWT payload. This is done by omitting the 'Payload' claim in the JWT. These are generally used when a merchant is relying on passing all transactional data via Songbird. Below is a sample JSON structure of a authentication JWT.
Transactional JWT for Cruise API Example
A Transactional JWT for the Cardinal Cruise API integration is a JWT that includes an Account Object payload within the JWT. This is the preferred method of integration as the card bin to full card number has been signed and can be easily verified by the Cardinal systems. In addition, if a merchant only stores the card bin to full card number within their backend system, then this method provides a way to bring the card bin to the web layer.
A ReturnUrl can also be included to know when Device Data Collection completed, please see below ReturnUrl field in the Custom Claims
Within the JWT payload object, fields are considered 'Claims'. There are 2 basic types of claims, common and custom. A common claim is a claim that has been predefined by the JWT spec and should be used in a standard way. This allows 2 parties to communicate with common fields with little to no planning. Custom claims are claims that are custom to a particular implementation. They're basically fields defined by people using the JWTs that will only have meaning within their application(s).
The JWT spec defines some common fields that can be used to send data back and forth. These fields are all lower case and limited to 3 characters. Cardinal Cruise is currently using the following fields within our JWT:
|jti||JWT Id - A unique identifier for this JWT. This field should change each time a JWT is generated.||Y|
|iat||Issued At - The epoch time in seconds of when the JWT was generated. This allows us to determine how long a JWT has been around and whether we consider it expired or not.||Y|
|iss||Issuer - An identifier of who is issuing the JWT. We use this value to contain the Api Key identifier or name.||Y|
|aud||Audience - Cardinal populates this field on response JWT to contain the request jti field. This allows merchant to match up request JWTs with response JWTs.||Y|
|exp||Expiration - The numeric epoch time that the JWT should be consider expired. This value is ignored if its larger than 2hrs. By default we will consider any JWT older than 2hrs.||N|
These are fields that are specific to Cardinal Cruise and will not work with any other JWT related service
The merchant SSO OrgUnitId
|Payload||The JSON data object being sent to Cardinal. This object is usually an Order object||Y|
This is a merchant supplied identifier that can be used to match up data between Device Fingerprinter and Centinel. Centinel can then use data collected by Device Fingerprinter to run decisions on like XML rules to affect the results of transactions.
This field is Required, unless merchant decides to use the SessionId returned from Songbird or Device Data Collection url.
|ObjectifyPayload||A boolean flag that indicates how Centinel Api should consume the Payload claim. When set to true, this tells Centinel Api the Payload claim is an object. When set to false, the Payload claim is a stringified object. Some Jwt libraries do not support passing objects as claims, this allows those who only allow strings to use their libraries without customization||N|
The confirm url Cardinal should redirect users to when the user has been redirected away from your website to complete an alternative payment brand. This url will need to receive a post with the response JWT.
|ReturnUrl||The ReturnUrl is a claim used within the Cardinal Cruise API integration that allows for the integrator to know when the Device Data Collection and StepUpUrl interactions completed. ||N|
Object vs String Payload Claim
This section relates to the Payload custom claim, which resides within the Payload section of the JWT.
Some JWT libraries do not allow claims to be passed as objects. Due to this we added support for Centinel Api to support both an object payload claim or a serialized object payload claim. By default Centinel Api will assume that the payload claim is a JSON object literal. If the custom claim 'ObjectifyPayload' exists with a value of 'false' then Centinel Api will treat the Payload field as a serialized JSON object. If ObjectifyPayload is omitted from the Payload section of the JWT then a value of true for ObjectifyPayload is assumed, meaning the default payload claim parsing is as an object literal.
However the request came into Centinel Api, Centinel Api will responde back with a JWT structured in the same way. So if a merchant sends a serialized payload with the ObjectifyPayload flag set to false, Centinel Api will respond with a JWT with a serialized Payload and ObjectifyPayload set to false.
Below is a sample of a serialized payload claim request jwt