Broadleaf Microservices
  • v1.0.0-latest-prod

Token Anatomy

This document briefly describes the default claims inside a Broadleaf JWT and what they’re used for. Standard JWT claims are noted but not discussed in depth; refer to RFC 7519 for an in-depth discussion of those claims.

Admin Token

For an admin, we’ll look at the following token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.gFseU-xio2ZD8ByWJldTiekkoZNOmUfPny6QNsDkxdpYumVMVRVUZ9USfQO8tRPVjVxEHZlk3Q2VC3EeOTHToY1WMUj9II1J4GV2T1uc_t_QzPb9eo2vp5BRTPhR0tFK6Dxjuh_lF1gMnN-8HEfHIhIIlWmuGwN4WW-4wweyYO0qRGt4WZgWUU0vyG-7dzb8_pdkjL7uy5mX6HNlTk-lXBpLNpjIbDZxer8CckyP8lsei-Q3wYm3gubfIXI_ePW2HOl-x9ujSYHu63YsgbSHNyAoceYT4CM-epVpuR5Zd63CACsJRKhRL4yFwcOaVKytBuvIBI1OuqObiS-Z7KHO5Q

The payload, when decoded:

{
  "tenant_id": "5DF1363059675161A85F576D",
  "application_access": true,
  "admin_user_id": "-2",
  "max": 1626233319,
  "user_name": "master@test.com",
  "iss": "broadleaf-authentication",
  "tenant_access": true,
  "authorities": [
    "DELETE_SANDBOX",
    "ALL_SANDBOX",
    "READ_SANDBOX",
    "CREATE_SANDBOX",
    "SANDBOX",
    "UPDATE_SANDBOX"
  ],
  "client_id": "admin",
  "aud": [
    "broadleaf-authentication",
    "oauth2-resource"
  ],
  "email_address": "master@test.com",
  "full_name": "Global Master",
  "user_type": "ADMIN",
  "user_id": "-2",
  "scope": [
    "SANDBOX"
  ],
  "exp": 1626190419,
  "jti": "b21aa249-6691-4593-91e0-cb9e7b4ec255"
}

Table 1. Admin Token Claims

Claim               Description
tenant_id           The tenant ID for this user.
application_access  Indicates whether this admin has application level access.
admin_user_id       The admin’s user ID from the admin user service.
max                 The maximum date that this token will still be valid for.
user_name           The username.
tenant_access       Indicates whether this admin has tenant level access.
authorities         The user’s authorities.
email_address       The user’s email address.
full_name           The user’s full name.
user_type           The user type.
user_id             The admin’s user ID in the auth service.
scope               The scopes that this token is valid for.
client_id           The authorized client ID. Refers to an Authorized Client in the auth service.
iss                 Standard claim. Issuer.
aud                 Standard claim. Audience.
exp                 Standard claim. Token expiration time.
jti                 Standard claim. JWT ID.

Customer Token

For a customer, we’ll look at the following token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.CXYfsfGQx8WqLvTQAm_uN-49r_wdmQxWZ2dqPt8Q3ZGceIk75upwwoTlvfX-9AuxEnSK8Vlarla3mRygJuc-SM73ROsGKahIRSW7IFPxOADs5xeI1l5DioiL_cZRyl8Ac1y1weAxCDXbvjTMnjGbry1ouXl_HP34rSUyYLx_p-hN_BAaY4Rbn9YnY2XBLYv9TLnLHJ77N7eeuiwHdBIccQmwZyWsqc2PaDkP03K8bGIylW_VD1QT6804H87AUPkuRuDCEvIGsADmFla6eIy3uH8RcAC310NSt3yQ-elI_DQuOJS6x2kbpKV8bTw-zTsLkpQhMm9P2MiYowDO-A850g

The payload, when decoded:

{
  "tenant_id": "5DF1363059675161A85F576D",
  "application_access": true,
  "max": 1626235429,
  "user_name": "cschneider@broadleafcommerce.com",
  "iss": "broadleaf-authentication",
  "customer_context_ids": [
    "2"
  ],
  "authorities": [
    "READ_CONTENT",
    "READ_PRODUCT",
    "READ_TYPE_AHEAD",
    "CREATE_CUSTOMER_RETURN",
    "READ_ASSET",
    "READ_CUSTOMER_PROFILE",
    "READ_TENANT",
    "READ_PRICE_LIST",
    "ALL_CUSTOMER_PROFILE",
    "USER",
    "CUSTOMER_USER",
    "DELETE_CUSTOMER_PROFILE",
    "READ_CUSTOMER_ENTITLEMENT",
    "READ_OFFER",
    "READ_MENU",
    "UPDATE_CUSTOMER_PROFILE",
    "READ_CAMPAIGN",
    "READ_CUSTOMER_RETURN",
    "CREATE_CUSTOMER_PROFILE",
    "READ_CUSTOMER_ORDER",
    "READ_CATEGORY"
  ],
  "client_id": "heatclinic",
  "aud": [
    "broadleaf-authentication",
    "oauth2-resource"
  ],
  "email_address": "cschneider@broadleafcommerce.com",
  "full_name": "Chris Schneider",
  "user_type": "CUSTOMER",
  "user_id": "01F9HB5NTG07EP1RX0BXM806JF",
  "scope": [
    "CUSTOMER_USER",
    "USER"
  ],
  "exp": 1626192529,
  "customer_id": "01F9HB5NGJRP5K1059ZBQD07Q1",
  "jti": "521894b9-e933-4fdf-a096-8a8ed102318f"
}

Table 2. Customer Token Claims

Claim                 Description
tenant_id             The tenant ID for this user.
application_access    Indicates whether this user has application level access.
max                   The maximum date that this token will still be valid for.
user_name             The username.
iss                   Standard claim. Issuer.
customer_context_ids  The customer contexts that this user belongs to.
authorities           The user’s authorities.
client_id             The authorized client ID. Refers to an Authorized Client in the auth service.
aud                   Standard claim. Audience.
email_address         The user’s email address.
full_name             The user’s full name.
user_type             The user type.
user_id               This customer’s user ID in the auth service.
scope                 The scopes that this token is valid for.
exp                   Standard claim. Token expiration time.
customer_id           This user’s customer ID in the customer service.
jti                   Standard claim. JWT ID.
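As an added example (not part of the Broadleaf documentation or code base), the following Python script mints tokens shaped like the admin and customer payloads above, decodes them the way a debugging tool would, and applies the checks a resource server should run on the claims described in both tables: signature before anything else, a pinned alg, then iss, aud, exp and the authority the endpoint requires. It signs with HS256 and a constructed secret so that it runs on the standard library alone; the real tokens on this page are RS256, as their first segment shows when decoded. The reading of max as the latest time at which a refreshed token may still be issued is an assumption, and the customer authority list is shortened from the page's.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. The real tokens on the page are RS256 (their first
# segment decodes to {"alg":"RS256","typ":"JWT"}); HS256 is used here only so
# the example runs with the standard library alone.
DEMO_SECRET = b"demo-secret-not-a-real-key"
EXPECTED_ISSUER = "broadleaf-authentication"
EXPECTED_AUDIENCE = "oauth2-resource"

# Claim sets mirroring the page's two payloads (customer authorities shortened).
ADMIN_CLAIMS = {
    "tenant_id": "5DF1363059675161A85F576D", "application_access": True,
    "admin_user_id": "-2", "max": 1626233319, "user_name": "master@test.com",
    "iss": EXPECTED_ISSUER, "tenant_access": True,
    "authorities": ["DELETE_SANDBOX", "ALL_SANDBOX", "READ_SANDBOX",
                    "CREATE_SANDBOX", "SANDBOX", "UPDATE_SANDBOX"],
    "client_id": "admin", "aud": [EXPECTED_ISSUER, EXPECTED_AUDIENCE],
    "user_type": "ADMIN", "user_id": "-2", "scope": ["SANDBOX"],
    "exp": 1626190419, "jti": "b21aa249-6691-4593-91e0-cb9e7b4ec255",
}
CUSTOMER_CLAIMS = {
    "tenant_id": "5DF1363059675161A85F576D", "application_access": True,
    "max": 1626235429, "iss": EXPECTED_ISSUER, "customer_context_ids": ["2"],
    "authorities": ["READ_PRODUCT", "CUSTOMER_USER", "USER", "READ_CUSTOMER_ORDER"],
    "client_id": "heatclinic", "aud": [EXPECTED_ISSUER, EXPECTED_AUDIENCE],
    "user_type": "CUSTOMER", "user_id": "01F9HB5NTG07EP1RX0BXM806JF",
    "scope": ["CUSTOMER_USER", "USER"], "exp": 1626192529,
    "customer_id": "01F9HB5NGJRP5K1059ZBQD07Q1",
    "jti": "521894b9-e933-4fdf-a096-8a8ed102318f",
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build header.payload.signature with HS256 over the first two segments."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def decode_payload(token: str) -> dict:
    """Decode the middle segment without any verification (debugging aid only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def tamper(token: str, overrides: dict) -> str:
    """Rewrite the payload but keep the old signature; used to show that
    verify_token rejects a payload edited after signing."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(overrides)
    return ".".join([header_b64, _segment(claims), sig_b64])

def verify_token(token: str, required_authority: str, now: int,
                 secret: bytes = DEMO_SECRET):
    """Return (ok, reason). Checks the signature before trusting any claim, pins
    alg, then applies iss, aud, exp and the authority the endpoint requires."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never accept "none" or a swapped alg
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud", [])
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        return False, "wrong audience"
    if now >= claims.get("exp", 0):  # exp is a NumericDate in seconds
        return False, "expired"
    if required_authority not in claims.get("authorities", []):
        return False, "missing authority"
    return True, "ok"

def refresh_window_open(claims: dict, now: int) -> bool:
    """Assumed reading of the page's max claim: the latest time at which a
    refreshed token may still be issued for this session, even after exp."""
    return now < claims.get("max", 0)
```

Calling `verify_token(mint_token(ADMIN_CLAIMS), "READ_SANDBOX", now=1626190000)` returns `(True, "ok")`; the same call one second before `exp` has passed fails with `"expired"`, and a payload rewritten with `tamper` fails with `"bad signature"` before any claim is read, which is the order a resource server should keep: no claim in the middle segment means anything until the signature over it has been checked.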