Authentication and Authorization
Access to the Cisco Business Dashboard API is authenticated using access keys. Access keys are created by logging on to the Dashboard GUI and navigating to Administration > Users. Each access key inherits the permissions and organizations of the associated user, and may have a limited lifetime or be allowed to be used indefinitely. Consult the Cisco Business Dashboard Administration Guide for more details on creating access keys and managing permissions and organizations.
Once an access key is obtained, it is used by the application to generate a signed JWT to use as a bearer token. A JSON Web Token (JWT) – see RFC 7519 for details is an open industry standard method for representing claims securely between two parties.
Creating a JWT
A JWT is composed of three parts: a header, a claim set, and a signature. The header and claim set are JSON objects. These JSON objects are serialized to UTF-8 bytes, then encoded using the Base64url encoding. This encoding provides resilience against encoding changes due to repeated encoding operations. The header, claim set, and a signature are concatenated together with a period (.) character.
A JWT is composed as follows:
{Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}
The base string for the signature is as follows:
{Base64url encoded header}.{Base64url encoded claim set}
Forming the JWT header
The header consists of three fields that indicate the signing algorithm, the format of the assertion and the identity of the key used to sign the JWT. All fields are mandatory, and each field has only one value. This header may be updated in future versions of the API as additional algorithms and formats are introduced.
Cisco Business Dashboard supports the HS256 algorithm and the JWT token format. As a result, the JSON representation of the header is as follows:
{
"alg": "HS256",
"typ": "JWT",
"kid": "5c789fd2441ea30008ea8beb"
}
- alg – The signature algorithm. Must be set to "HS256" (HMAC SHA-256)
- typ – The type must be "JWT"
- kid – The key ID of the access key being used for authentication
The JWT header should be serialized to UTF-8 and Base64url-safe encoded.
Forming the JWT claim set
The JWT claim set contains information about the JWT, including the permissions being requested (scopes), the target of the token, the issuer, the time the token was issued, and the lifetime of the token. Most of the fields are mandatory. Like the JWT header, the JWT claim set is a JSON object and is used in the calculation of the signature.
Required claims
The required claims in the JWT claim set are shown below. They may appear in any order in the claim set.
| Name | Description |
|---|---|
| iss | The issuer claim identifies the application in use. The issuer should be a globally unique identifier in domain name format. |
| cid | The client id identifies the instance of the application. See below for more details. |
| appver | The version of the third-party application. |
| aud | The audience claim must be set to "business-dashboard.cisco.com". |
| iat | The issued at claim should be set to the time the JWT is generated, specified in seconds since the epoch (1970-01-01 UTC). |
| exp | The expiration time after which the JWT is no longer valid, specified in seconds since the epoch (1970-01-01 UTC). |
Client ID claim
Every third-party application instance should generate an unique Client ID (UUID recommended) and include it as the "cid" claim in the JWT. The Client ID will be used to identify the instance of the API client for three purposes:
- To Track subscriptions to event notifications for each application instance.
- To track license usage in cases where application licenses are controlled by the Manager.
- Each instance of an application is identified separately in the API usage reports.
The Complete Claim Set
The JSON representation of the required fields in a JWT claim set is shown below:
{
"iss": "myapp.example.com",
"cid": "8b77a3ac-7e84-49da-923b-365d753646ba",
"appver": "1.0",
"aud": "business-dashboard.cisco.com",
"iat": 1556698088,
"exp": 1556701688
}
Like the JWT header, the JWT claim set should be serialized to UTF-8 and Base64url-safe encoded.
Computing the signature
JSON Web Signature (JWS) (described in RFC 7515) is the specification that guides the mechanics of generating the signature for the JWT. The input for the signature is the byte array of the following content:
{Base64url encoded header}.{Base64url encoded claim set}
The signing algorithm in the JWT header must be used when computing the signature. The only signing algorithm supported by Cisco Business Dashboard is the HMAC SHA-256 signature algorithm. This is expressed as HS256 in the alg field in the JWT header.
The signature output will be a byte array. The signature must then be Base64url encoded. The header, claim set, and signature are concatenated together with a period (.) character. The result is the JWT. It should be of the following form (line breaks added for clarity):
{Base64url encoded header}.
{Base64url encoded claim set}.
{Base64url encoded signature}
Authenticating Requests
When sending requests to the API, the signed JWT should be included as the bearer token in the Authorization header:
GET /api/v2/nodes HTTP/1.1
Authorization: Bearer SIGNED_JWT
Host: www.example.com
JWT Lifetime
A JWT will no longer be valid, if:
- The access key used to sign the JWT has expired or been disabled or been deleted.
- The current time is later than the expiration time specified by "exp" claim.
Given that expiration time is set by the application but is validated by the Dashboard, both application and Dashboard should have an accurate idea of time. It is recommended that both application and Dashboard be synchronized to a common reference time source using the Network Time Protocol (NTP) or similar.
In order to ensure security and prevent against reuse attacks, the JWT lifetime should be limited and the JWT renewed periodically. However, extremely short JWT lifetimes of only a few seconds should be avoided due to problems caused by clock skew resulting from poorly synchronised clocks. A JWT lifetime on the order of one hour is suggested.