Last update: April 23, 2024

JSON Web Token Authorization Mechanism

Our platform uses the OAuth2 protocol with JSON Web Tokens (JWT) for authentication. This mechanism supports the Password, RefreshToken, and ClientCredentials flows. Tokens issued by the platform are signed with a private key and can be validated using either a public certificate or an Authority URL. The certificates and the Authority URL are configured in the Auth section of the appsettings.json file.

The guide includes the following steps:

  1. Creation of self-signed certificates for signing and validating tokens using OpenSSL.
  2. OAuth2 authorization using the client credentials flow.

Create Self-signed Certificates for Signing and Validating Tokens Using OpenSSL

To create self-signed certificates for signing and validating tokens:

  1. Generate a private key:

    1. Run:

      openssl.exe genpkey -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -pass file:certpass.txt -des3 -out virtocommerce.key

    2. Specify a password for the private key in the certpass.txt file (the command reads it through -pass file:certpass.txt and encrypts the key with it).

  2. Generate a certificate by running:

    openssl.exe req -x509 -nodes -days 3650 -key virtocommerce.key -config certconfig.txt -extensions req_ext -passin file:certpass.txt -out virtocommerce.crt

    Example of the certconfig.txt file:

    [ req ]
    default_md = sha256
    prompt = no
    req_extensions = req_ext
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    commonName =
    countryName = RU
    stateOrProvinceName = Kaliningrad
    organizationName = Virtocommerce
    [ req_ext ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.0 =

  3. Create a PFX container for the private key and certificate by running:

    openssl.exe pkcs12 -export -out virtocommerce.pfx -inkey virtocommerce.key -in virtocommerce.crt

    The system does not accept private keys smaller than 2048 bits.

OAuth2 Authorization Using the Client Credentials Flow

To authorize client applications (for example, Storefront), use the client credentials flow of the OAuth2 protocol:

  1. In the main menu, click Security.
  2. In the next blade, select OAuth applications.
  3. In the next blade, click Add in the toolbar.
  4. In the next blade, fill in the following fields:

    OAuth application

    Client Id and Client secret are generated automatically. Save them, as the system will not let you view the Client secret once it has been saved.

    You can change the Client Id and Client secret only while creating the application; they cannot be changed later. You can also specify an optional Display Name.

  5. Click OK to save the changes.

The new OAuth2 client has been created. The client application can now authorize requests to the API using the Client Id and Client secret created above.

In Storefront, specify the Client Id and Client secret created earlier, together with the authorization server, in the Endpoint section of the appsettings.json file.