If you are not familiar with the JWT standard, please check here for resources. You will also find at jwt.io a useful debugger and JWT libraries for your preferred platform.
About our API:
Check whether your user has a valid session using the Session method. If they have no session at all, or their session is not valid, redirect them to the SSO login page; you can get this URL from the LoginUrl method.
Every request made to your server should call the Session method to check the validity of the session.
Make sure to pass your app code and URL in the query string:
auth2.comscore.com?p=[myurl]&a=[myappcode]
Don't forget to begin your URL with https:// and remember to URL-encode (query-string escape) it.
The user will be redirected back to the url you provided in the query string.
The JWT token will be in the jwt query-string key:
https://yoururl.com/?jwt=abcd.efgh.jklm
Make sure to verify the jti claim to prevent replay attacks; SSO will never send you the same token twice.
The optional ValidateToken method is available if you are not able to validate the jti or other claims yourself.
Call this API's User method to get the user's information (you should only call this method once per session).
To call the API's User method, you will need to form your own JWT token in order to verify your application's identity:
The iss claim of the token is your AppCode.
The sub claim of the token is the sub (session key) you received in the first token.
Sign the token using HS256 and the CipherKey (as UTF-8 bytes) you were given.
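A worked version of the token handling above, added here as an example and not comScore's own code: a stdlib-only HS256 verifier with a jti replay check for the token SSO sends back, plus the app-identity token (iss = AppCode, sub = session key) for the User method. It assumes, since the page does not say, that the incoming SSO token is also HS256-signed with the CipherKey; the AppCode, CipherKey and the in-memory jti store are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, cipher_key: str) -> str:
    """Compact JWT signed with HS256; the key is the CipherKey as UTF-8 bytes."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(cipher_key.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, cipher_key: str) -> dict:
    """Check alg and signature and return the claims; ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm: never let the token's own header choose it.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(cipher_key.encode("utf-8"), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))

# Constructed in-memory jti store; production needs a shared, expiring store (cache/DB).
_seen_jti: set = set()

def accept_sso_token(token: str, cipher_key: str) -> dict:
    """Verify the token SSO redirected back and reject a jti seen before (replay)."""
    claims = verify_hs256(token, cipher_key)
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:
        raise ValueError("missing or replayed jti")
    if "exp" in claims and time.time() >= claims["exp"]:
        raise ValueError("token expired")
    _seen_jti.add(jti)
    return claims

def app_identity_token(app_code: str, session_key: str, cipher_key: str) -> str:
    """Token for the User method: iss = your AppCode, sub = session key from the first token."""
    return sign_hs256({"iss": app_code, "sub": session_key, "iat": int(time.time())}, cipher_key)
```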
DO NOT PLACE THE USER INFORMATION IN A COOKIE. Doing this will make your application vulnerable to a user impersonating others and granting themselves unauthorized access rights.
You can also consider creating your own session key in addition to the one given to you by SSO. This allows you to manage your session lifetime as you see fit.
SSO applies its own session management policies and procedures; make sure the session is still valid on every request. The user may have been disabled, or may have logged in on another computer.
See step #1.