Generating JWT token in production

My client is moving from LogMeIn (formerly Citrix) GoToWebinar to Zoom to run their online webinars. They sell access to these webinars on their website. The only thing they use it for is registering customers in webinars, thus just one API call is used. The same is applicable for Zoom, so it’s pretty simple.

I have created a JWT app and have successfully implemented the API call into their Dev website which is a ColdFusion site. I have been testing with the manually generated token within the JWT app, setting it for one week. No problems whatsoever.

Now I want to move it to production but automatically generate the token and am not clear on (a) how to do that or (b) how long the token should last. With the old LogMeIn app, the token expired after 1 hour so it was necessary to run a procedure (using curl) to refresh the token hourly and store it in our SQL db. I am now trying to figure out what or how this works with Zoom. The documentation I read indicates it should only last about 90 seconds which to me means I would have to create a new token before every registrant API process from the website which seems rather onerous. I’d prefer to create a new token for either daily or weekly use.

Also, the JWT.io library has nothing on Curl so not sure I can do it the same way it’s being done now with LogMeIn. Is anyone using Curl to create a JWT token or can direct me to where I can find information on this?

I am also not clear as to whether the process is to “create” a new token each time, or is it “refreshing” the previous token; i.e. are the tokens dependent on each other?

Any direction or clarification would be most appreciated.

Thanks.

Generating a new JWT is normally very simple and not burdensome in any computational way. It’s best for the code that needs to use the JWT to generate it just before use.

If your ColdFusion site’s code has a layer of abstraction between the database (where the JWT seems to be currently stored), it would be best to store some of the JWT attributes in the database and then have the code retrieve the attributes and generate the JWT prior to the rest of the ColdFusion site actually using it.

CURL can issue the HTTP request, but it can’t create and sign the JWT. You need some other process for handling that. There’s a bunch of samples online for doing that in various scripting languages. You could cobble together something that creates an hourly JWT if you really need.

Yes, it is possible to have a month long JWT, but the longer a single JWT is valid the higher the risk of replay attacks you have. Replay attacks and the ease of generating a new JWT are often why you will read about generating a new one every minute or so.
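The approach described in the answer above (sign a fresh, short-lived token right before each API call, then let curl or any HTTP client send it), as an added example that is not part of the original thread and is not Zoom's code. It assumes an HS256 token signed with the app's API secret and carrying `iss` and `exp` claims; the key and secret are constructed placeholders, and `check_jwt` is a hypothetical local stand-in for the receiving side's validation.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()

def make_jwt(api_key: str, api_secret: str, ttl_seconds: int = 90, now=None) -> str:
    """Build a fresh HS256 token; nothing from an earlier token is reused."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": api_key, "exp": now + ttl_seconds}  # assumed claim set
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(signing_input, api_secret))

def check_jwt(token: str, api_secret: str, now=None) -> bool:
    """Hypothetical stand-in for the receiving side: signature first, then expiry."""
    now = int(time.time()) if now is None else int(now)
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{head}.{body}", api_secret), b64url_decode(sig)):
            return False
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return False
        return now < int(json.loads(b64url_decode(body))["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

if __name__ == "__main__":
    KEY, SECRET = "EXAMPLE_API_KEY", "EXAMPLE_API_SECRET"  # constructed placeholders
    token = make_jwt(KEY, SECRET)
    print("Authorization: Bearer " + token)  # header value to hand to curl -H
    print("valid now:", check_jwt(token, SECRET))
    print("valid in 2 minutes:", check_jwt(token, SECRET, now=time.time() + 120))
```

Each call to `make_jwt` yields an independent token, so under these assumptions there is no refresh step and only the key and secret need to be stored, not the token itself.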

Adam, thanks for the response. Much appreciated. I was looking at the libraries in JWT.io and there is one for ColdFusion but not being familiar with GitHub and the documentation being rather skimpy I think I’ll post another question referencing ColdFusion experience to get some feedback.

Thanks

Thanks for stepping in, @adam-sercante!