JWT – Notiway

JWT

Cloud Agnostic

Open Source

Validates JSON Web Tokens against a JWKS endpoint. The recommended auth plugin for production deployments. The plugin extracts the user ID from the sub claim by default, configurable via NameClaimType.

Source code: Notiway.Plugins.Portable.Auth.JWT

Version

Compatibility


Compatible with	All Buffer, Broker, Storage, and Host plugins
Product	Notiway Notify

Installation

Environment Variables

Required

Variable	Description
`Infra__Plugins__Auth__Name`	Set to `JWT`
`Infra__Plugins__Auth__Version`	Plugin version (e.g., `0.9.0`)
`Infra__Plugins__Auth__Settings__Issuer`	Expected token issuer (e.g., `https://auth.example.com`)
`Infra__Plugins__Auth__Settings__Audience`	Expected token audience (e.g., `notiway-notify`)
`Infra__Plugins__Auth__Settings__JwksUri`	URL of the JWKS endpoint for key discovery (e.g., `https://auth.example.com/.well-known/jwks.json`)

Optional

Variable	Default	Description
`Infra__Plugins__Auth__Settings__ValidateIssuer`	`true`	Validate the token issuer
`Infra__Plugins__Auth__Settings__ValidateAudience`	`true`	Validate the token audience
`Infra__Plugins__Auth__Settings__ValidateLifetime`	`true`	Validate the token expiration
`Infra__Plugins__Auth__Settings__ValidateIssuerSigningKey`	`true`	Validate the signing key
`Infra__Plugins__Auth__Settings__ClockSkewSeconds`	`30`	Allowed clock skew in seconds for token expiration
`Infra__Plugins__Auth__Settings__NameClaimType`	`sub`	JWT claim used as the user ID for routing notifications

Infrastructure

JWKS endpoint must be accessible from the Notiway instance at the configured URL.
Tokens must contain a user ID claim — by default this is the sub claim, configurable via NameClaimType.

Docker Compose

docker-compose.yml

services:
  notiway:
    image: notiway/notify:portable-0.6.0
    ports:
      - "5000:8080"
    environment:
      - Infra__Plugins__Auth__Name=JWT
      - Infra__Plugins__Auth__Version=0.9.0
      - Infra__Plugins__Auth__Settings__Issuer=https://auth.example.com
      - Infra__Plugins__Auth__Settings__Audience=notiway-notify
      - Infra__Plugins__Auth__Settings__JwksUri=https://auth.example.com/.well-known/jwks.json

Usage

SignalR clients pass the JWT via the accessTokenFactory. The factory is called on every connection attempt, including automatic reconnects, so returning a fresh token each time avoids expired credentials.

const connection = new signalR.HubConnectionBuilder()
    .withUrl("https://your-gateway/notifications", {
        accessTokenFactory: () => getAccessToken()
    })
    .withAutomaticReconnect()
    .build();

var connection = new HubConnectionBuilder()
    .WithUrl("https://your-gateway/notifications", options =>
    {
        options.AccessTokenProvider = () => Task.FromResult(GetAccessToken());
    })
    .WithAutomaticReconnect()
    .Build();

final connection = HubConnectionBuilder()
    .withUrl(
        "https://your-gateway/notifications",
        options: HttpConnectionOptions(
            accessTokenFactory: () async => getAccessToken(),
        ),
    )
    .withAutomaticReconnect()
    .build();

let connection = HubConnectionBuilder()
    .withUrl(url: "https://your-gateway/notifications",
             options: HttpConnectionOptions(
                accessTokenFactory: { getAccessToken() }
             ))
    .withAutoReconnect()
    .build()

val connection = HubConnectionBuilder.create("https://your-gateway/notifications")
    .withAccessTokenProvider { getAccessToken() }
    .withAutoReconnect()
    .build()