Home

Awesome

CLI to generate JWT and access tokens for Webex 'Permanent Guest'

'Guest Issuer' applications allow guests (aka, non Webex users) to persistently use the Webex cloud platform through the Webex SDKs and Widgets. Check the online documentation for details.

The guestissuer command line interface (CLI) helps generate Guest tokens for 'Guest Issuer' applications.

To use the tool, you'll first need to create a 'Guest Issuer' application from Webex for Developers portal, and fetch your 'Guest Issuer' application's identifier and secret. Note that you need a Webex PAYING account to create 'Guest Issuer' applications.

Quick Start

To generate a Guest token, type the commands below in a terminal:

Note for Mac/Linux users: add sudo before each of the npm install commands below.

# Install the CLI
npm install guestissuer -g

# Create a JWT Guest token with the specified user info (expires in 90 minutes by default)
guestissuer create <userId> <userName> -i <issuerAppId> -s <issuerAppSecret> [-d <expirationDelay>]

# Fetch an access token for the Guest user (valid for 6 hours)
guestissuer login <guestToken>

You can even get there quicker with the quick command:

# Install the CLI
npm install guestissuer -g

# Create a Guest token, and fetch an access token right away (valid for 6 hours)
# Here, the JWT guest token is volatile (neither stored, not returned)
guestissuer quick <userId> <userName> -i <issuerAppId> -s <issuerAppSecret>

Detailled instructions

To install the guestissuer CLI, type:

```shell
npm install guestissuer -g
```

To create a JWT 'Guest token' for a 'Guest' user (non Webex users), type:

```shell
guestissuer [create] <userId> <userName> -i <issuerAppId> -s <issuerAppSecret> [-d <expirationDelay>]
```

Where:
    - `userId` is a user identifier unique to your 'Guest Issuer'. This identifier is used by the Webex cloud platform to persist user data among sessions. Understand: if another token gets generated with the same 'userId', the Guest user interacting with that token will see Spaces, Messages, and inherit Memberships from previous Webex interactions for this 'userId',
    - `userName` is used to identify the user in Webex spaces,
    - `expirationDelay` should be specified in seconds, defaults to 5400s (90min) from now.
    - the `issuerAppId` and `issuerAppSecret` tie to the 'Guest Issuer Application' created from the [Webex for Developers portal](https://developer.webex.com/add-guest.html).

Example (with verbose debugging info):

```shell
DEBUG=guest*  guestissuer create "123" "Stève" -i Y2lz...VzLMDY -s AMx/FPI...NABzD6o=
    guest arguments successfully checked +0ms
    guest successfully built Guest token: BDmh0rgbcVMfpklnyWfurxX5Y... +59ms
    guest Guest token is valid till XXXXX +1ms        
eyJhbGciOiJSUzI1NiJ9.eyJtYWN...uNDU1WiJ9.berce_d8vrRw6vDI....nMAlnYNj-f921mcqU
```

Note that:
    - instead of passing them through command line parameters, you can alternatively specify the 'Guest Issuer Application'  identifier and secret via environment variables `ISSUER` and `SECRET` 
    - the `create` command is the default's for guestissuer. You can omit it as in `guestissuer "123" "Stève" -i Y2lz...VzLMDY -s AMx/FPI...NABzD6o=`
    

Once you've got a JWT 'Guest token', you'll need to fetch an access token (valid for 6 hours).

```shell
guestissuer login <guestToken>
```

Note that:
   - the command uses the Webex API 's /jwt/login endpoint behind the scene.
   - the fetched accessed token is valid for 6 hours

To quickly check the data contained in a JWT token (guest or access token):

```shell
guestissuer verify --jwt <token>
```

To quickly the Person behind an access token (equivalent tp a GET /people/me request):

```shell
guestissuer verify --access <access_token>
```

Guest tokens

Guest tokens have a JWT format, and are signed with your 'Guest Issuer Application' secret so that Webex can be assured of its origin. It contains an expiration date so that Webex will refuse to generate access tokens - via the /jwt/login endpoint - after the expiration date.

Example of Guest token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiU3TDqHZlIiwiaXNzIjoiWTJselkyOXpjR0Z5YXpvdkwzVnpMMDlTUjBGT1NWcEJWRWxQVGk4ek9URTRPR00zTWkwd01ESTVMVF EzWVRRdFlqQXlOUzAxT0dFd1kyRTNORFZrTURZIiwiZXhwIjoxNTE3MDczMDE5fQ.imX0LgZ6LT-xlT3A6mzF5gyGN0S2ty2aUyjTM35E8y4    

Note that the Guest token also has a JWT format. If you decode it, you'll discover its contents. Go to https://jwt.io to decode it, or simply type: guestissuer verify --jwt <guest_token>

Decoded Header Section

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Data section

{
  "sub": "123",
  "name": "Stève",
  "iss": "Y2lzY29zcGFyazovL3VzL09SR0FOSVpBVElPTi8zOTE4OGM3Mi0wMDI5LTQ3YTQtYjAyNS01OGEwY2E3NDVkMDY",
  "exp": 1517073019
}

Retreiving API access tokens for 'Guest' users

These tokens are generated from 'Guest tokens' by invoking Webex API 's /jwt/login endpoint They give access to the Webex API, SDKs and Widgets under the identity of the 'Guest' user.

To test an access token for a user, reach to the GET /people/me resource, paste the access token and run the request. Alternatively, you can type: guestissuer verify --access <access_token>

Example of Person details for an access token attached to a Guest user:

_Note that the person type is `bot` and the email is formed from `<user_id>@<decoded-org>`_

```json
{
    "id": "Y2lzY29zcGFyazovL3VzL1B....Q5YzgtODAzMS02OTY1NWM4MGI3Njc",
    "emails": [
        "123@39188c72-0029-47a4-b025-58a0ca745d06"
    ],
    "displayName": "Stève",
    "avatar": "https://00792fd90955bc2.....da928cc2123a400b.ssl.cf1.rackcdn.com/default_machine~80",
    "orgId": "Y2lzY29zcGFyazovL3VzL09SR0FOSVp...DI5LTQ3YTQtYjAyNS01OGEwY2E3NDVkMDY",
    "created": "2018-01-27T16:13:25.558Z",
    "type": "appuser"
}
```

Note that the issued token also has a JWT format. If you decode it, you'll discover its structure. Go to https://jwt.io, or simply type: guestissuer verify --jwt <token>

Decoded Header Section

{
  "alg": "RS256"
}

Decoded Data section

{
  "machine_type": "appuser",
  "expiry_time": 1517095624105,
  "user_type": "machine",
  "realm": "2a9e1....ad3c991b1b5",
  "cis_uuid": "8dcc341a...55c80b767",
  "reference_id": "b4f77f9.....204f3daac88",
  "iss": "https://idbroker.webex.com/idb",
  "token_type": "Bearer",
  "client_id": "C311772...1c2c82784a1f2975c",
  "token_id": "AaZ3r0t...0YzIxYzliZGE0NDNiOGRiYzctMmI1",
  "private": "eyJhbGciOiJkaXIiL...Tx45V0-PA",
  "user_modify_timestamp": "20180127172701.477Z"
}

Tip : Adding a 'Permanent Guest' to a space

The general use case for "Permanent Guest" is to call an existing Webex user, and create a space and add Bots or Webex users to the space.

Sometimes, you may be interested to add a 'Permanent Guest' to an existing space (or newly created space). You'll hit a difficulty here since 'Permanent Guest' cannot be reached via their Webex email. Simply use the personId in the POST /membership - Create a membership resource. Note that you can get the Webex personId of a "Permanent Guest" through a GET /people/me request issued with the "Permanent Guest" access token.