Hi Mike,
You can edit any authentication code in the PowerServer C# solution (a pure ASP.NET Core Web API). But I think it's better to get the Web API URL or database name using another REST API after authentication.
I can try to answer a few questions:
1) "the values that PS requires is not mentioned or defined anywhere. the token generation includes a few things like issuer and Audience, are they actually used by PS?"
PowerServer provides several authenticate templates including JWT. If you select Use built-in JWT Server, it will generate C# code in the UserExtensions project - Authentication folder. You can edit any code, including adding your own claims in the token (e.g.: see the Claims in DefaultUserStore.cs).
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. You can see the Issuer and Audience here: RFC 7519 - JSON Web Token (JWT) (ietf.org). A producer and consumer of a JWT MAY agree to use Claim Names that are Private Names: names that are not Registered Claim Names (Section 4.1) or Public Claim Names (Section 4.2).
2) "I also don't see in the PS c# code where the SecurityAlgorithms are setup - HmacSha256Signature ? or 512?"
Open TokenHandler.cs, then you can see the following code in CreateToken method:
// Loads the token key
var securityKey = _configuration["JwtSetting:SecurityKey"];
var symmetricKey = new SymmetricSecurityKey(Convert.FromBase64String(security key));
var credentials = new SigningCredentials(symmetricKey, SecurityAlgorithms.HmacSha256);
3) "I'm looking at building my own JWT auth service so that i can not only validate with my database, but also send back information in addition to the token (the URL of the PS web api , the database to use, etc.)"
Please note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it. This means you should not put secret information within the token.
4) "the PB GetJWTToken method retrieves the token from the HTTP client. To use this, what does the GetJWTToken require in terms of the returned format? Just {"token":"<token>"} in the body? is that based on a standard? or is GetJWTToken built for the PS specific implementation only? "
The current GetJWTToken method is the same as SendPostRequest - - PowerScript Reference (appeon.com). It only has a specific name so the code can be easier to read.
If you return the access_token string (e..g: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiMSIsInJvbGUiOiJhZG1pbiIsIm5iZiI6MTY5OTM0MDU3OCwiZXhwIjoxNjk5OTQ1Mzc4LCJpYXQiOjE2OTkzNDA1Nzh9.JrP69Nwh_1_gqAQA0UJx1FepNSPMmOYx9ole2Weh43k) in the response body, you can use it directly. Then call SetJWTToken to set the HTTP Header.
If you return a JSON structure (serialized from a Class, see TokenResponse.cs) like the JWT template in PowerServer, you have to add more code to parse the JSON and get the access_token. It's the same as SendPostRequest.
Regards, Logan
how does PS web api verify the token that is sent by PB? Does it call a URL that has validation code (slow), or does it have a copy of the secret key to generate the hash to compare it?