Table of Contents
- Background
- Integration Types
- Auth Component Information
- System Coordination
- Implementation Milestones
Background
Questions? Email support@prosights.co.
The ProSights platform provides data extraction and intelligent spreadsheet capabilities through an API. The Recreate Widget is a Javascript widget that can be dropped into an existing Javascript application. ProSights supports three different authentication patterns depending on the integration type.
Integration Types
| Integration Type | User Experience | Authentication Implementation |
|---|---|---|
| API Only | N/A | API Secret based authentication |
| Login-less widget | Users are seamlessly authenticated into the ProSights widget | OAuth2.0 based verification flow |
This document describes the technical Authentication specifications required to enable the Login-less widget leveraging the secure OAuth2.0 based verification flow.
Auth Component Information
| Component | Details |
|---|---|
| Trust Model | Only the Enterprise Client IdP may sign tokens. ProSights never impersonates. |
| Token Type | Only OAuth2.0 JWTs |
| JWT Verification Library | PyJWT (MIT, 50.3M weekly downloads, 0 active CVEs) |
| JWKS Caching | In memory caching. Refreshed and cached each hour to pull latest JWKS. |
| Allowed Algorithms | RS256/384/512 |
| Encryption | In Transit: TLS 1.3+ E2E At Rest: AES-256 |
| Unauthenticated Failure Mode | Zero information leakage, non descript 401 error codes, no ability to interact with APIs |
| Required User Identifiers | Email or any unique identifier |
System Coordination
On each request sent through the ProSights login-less widget, ProSights guarantees that no unauthenticated requests will be served. To achieve this, we verify that the token passed through our widget is a valid OAuth2.0 token issued from the enterprise client’s IdP. We validate all mandatory claims, expiration, issuer, audience, and any other additional custom scopes that may be required.
Each enterprise client is physically and logically isolated in a separate VPC tenant, thus guaranteeing each firm is only able to access their data.
The below diagrams explain the flow in detail.
---
config:
theme: redux-dark-color
---
sequenceDiagram
title ProSights Widget × Client OAuth 2.0 Flow (JWT access token)
participant User
participant ClientApp
participant ProSightsWidget
participant ProSightsServer
participant ProSightsAuth
participant ClientIssuer
participant ProSightsWorkers
participant FileStorage
User->>ClientApp: Open widget
ClientApp->>ProSightsWidget: Render widget + bearer token
User->>ProSightsWidget: Upload file
ProSightsWidget->>ProSightsServer: API request + Authorization header
ProSightsServer->>ProSightsAuth: Validate JWT
%% --- JWKS discovery / fetch ---
ProSightsAuth->>ClientIssuer: GET /.well-known/openid-configuration
ClientIssuer-->>ProSightsAuth: jwks_uri
ProSightsAuth->>ClientIssuer: GET /jwks_uri
ClientIssuer-->>ProSightsAuth: JWKS (cached)
Note right of ProSightsAuth: Cache JWKS per ETag / max-age
ProSightsAuth-->>ProSightsServer: Signature & claims OK
alt Token valid
ProSightsServer->>ProSightsWorkers: Process file
ProSightsWorkers-->>ProSightsServer: Result
ProSightsServer-->>ProSightsWidget: Authenticated download link
ProSightsWidget->>FileStorage: GET file
FileStorage-->>User: File
else Invalid
ProSightsServer-->>ProSightsWidget: 401 • WWW-Authenticate: Bearer error="invalid_token"
end
The unsuccessful authentication flow differs only such that it returns 401s back to the client and does NOT allow for interaction with data or extraction APIs. Unsuccessful authentication attempts are logged for compliance and audits. These logs are available on request.
We perform the following checks on the following claims, using the well known JWKS. All time based checks allow a 5s clock skew by default, unless otherwise specified by the client.
| Claim | Check |
|---|---|
| signature | Signature exists in the well known JWKS |
| iss | iss == EnterpriseClientIDPUrl |
| exp | current_time <= exp |
| iat | iat <= current_time |
| nbf | current_time >= nbf |
| (optional) aud | aud == widget client id |
Implementation Milestones
| Milestone | Description | ProSights Action Required? | Client Action Required? |
|---|---|---|---|
| #1 | Fill out Authentication Questionnaire | NO | YES |
| #2 | Address any additional Enterprise Client authentication requirements | YES | YES |
| #3 | ProSights team adds configuration for Enterprise Client IdP | YES | NO |
| #4 | ProSights team to test authentication flow with Enterprise Client | YES | YES |
| #5 | Monitor rollout to additional users | YES | YES |
Questions? Email support@prosights.co.