Does IBM Single Sign On Service allows to use JWT tokens?

Question

Does IBM Single Sign On service allows to use JWT tokens, not cookie based session approach?

I have web project with backend in Node.js and frontend in Angular.js as separate applications. So I would need a SSO that works with JWT tokens.

Answer 1

You want to use the IBM Cloud App ID service which provides the single sign on capabilities (IBM SSO service has been deprecated). It provides openID Connect- and OAuth2-compliant authentication. The access and identity are JWTs (JSON Web Token).

I would recommend that you check out the related App ID Node.js SDK. There are samples that show integration with the passport framework. I have seen it in use with Angular.js apps.

Answer 2

There are two parts to your question: (1) Does IBM SSO use JWT tokens and (2) Can we use the JWTs as session tokens for an Angular app.

(1) IBM SSO service has been deprecated in favor of IBM Cloud App ID which manages identity for different types of identities (including anonymous and directory based) as well as profile management. The service is OAuth2/OIDC compliant and so the access and identity tokens that clients obtain are all JWT.

(2) Check out this blog on how to secure an Angular+Nodejs app with App ID. An important point here is whether you want to use the JWT you get from App ID as your session token. Remember that your App ID access token gives the bearer capability beyond that of the session identity (it give the bearer access to /userinfo and /attribute endpoints as well) so that unless you are ok with exposing this info to your frontend, create and manage your own JWT for session or use Express sessions.