Below are the steps to configure custom authentication with JwtCustomAuthenticator.

1. In order to deploy this example, compile the source code and create a JAR file containing the JwtCustomAuthenticator.class. Copy the created JAR file into the TSS installation folder\tomcat\webapps\spotfire\WEB-INF\lib or if you are on 10.3.x or above copy the JAR to "TSS installation folder\\10.3.2\tomcat\custom-ext "
2. Open TIBCO Spotfire Server Config tool and go to the "External Authentication" tab on left panel under the "Configuration" tab
3. Enable External Authentication. In source, enter the below details
   • Type: Custom Authenticator
   • Class name: com.spotfire.example.JwtCustomAuthenticator
   • Initialization parameters:
     • jws_alg
     • jwk_url
4. Save the configuration
5. Restart the server

1. When the external authentication site redirects to TIBCO Spotfire Server, it should have a Cookie with name "ACCESS_TOKEN" which has the JWT token. This JWT token should have at least the following claims: iss, sub, name, email.
2. Below are the Initialization parameters required:
   • jws_alg - the JWS algorithm (from the EC or RSA families) with which the JWT is expected to be signed
   • wk_url - the URL to a JWK Set with the keys needed to verify the JWT signature

• server.jar  found in C:\tibco\tss\10.3.0\tomcat\webapps\spotfire\WEB-INF\lib
• servlet-api.jar found in  C:\tibco\tss\10.3.0\tomcat\lib

• https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/api/TIB_sfire_server_Custom_Authentication_Filter_API_Reference/com/spotfire/example/JwtCustomAuthenticator.html
• https://docs.tibco.com/pub/spotfire_server/10.3.0/doc/api/TIB_sfire_server_Server_Platform_API_Reference/com/spotfire/server/security/CustomAuthenticator.html