Skip to content
ricochet

Detecting the Current User

Ricochet lets your apps and APIs identify the user making each request. Each request, ricochet injects an X-Ricochet-User HTTP header containing a signed JSON Web Token (JWT) with a claim containing that user’s information.

An app deployed to ricochet can use this JWT to tailor its behavior based on the authenticated user.

The X-Ricochet-User token is a JWT whose claims describe the current user:

ClaimDescription
subUser ID as provided by your configured identity provider (IdP).
nameUser display name as configured in ricochet.
emailUser email, if provided by the configured IdP.
roleUser role on the ricochet server, one of: admin, developer, or consumer.
groupsArray of group IDs the user belongs to.
audContent ID of the item the token was generated for.
iatTime the token was issued, in UTC.
expTime the token expires, in UTC.

Each JWT has an expiry and is issued for a specific content item, stored in the exp and aud claims respectively. Verify the token before you accept it: aud must match the RICOCHET_CONTENT_ID environment variable, exp must not have passed, and the signature must be valid.

Ricochet signs each token and publishes the corresponding public key as a JSON Web Key Set (JWKS) at RICOCHET_HOST/.well-known/jwks.json. Ricochet strips any inbound X-Ricochet-User header before issuing its own, so clients cannot spoof the token.

The verification flow is the same in any language:

  1. Fetch the JWKS from RICOCHET_HOST/.well-known/jwks.json.

  2. Read the X-Ricochet-User header from the incoming request.

  3. Decode and verify the token’s signature using the public key.

  4. Confirm the aud claim matches your content’s ID, read from the RICOCHET_CONTENT_ID environment variable.

  5. Confirm the token has not expired (exp).

Use a maintained JWT library rather than parsing the token by hand. The examples below use jose in R and PyJWT in Python.

library(jose)
# replace with your ricochet host
ricochet_url <- "https://try.ricochet.rs"
content_id <- Sys.getenv("RICOCHET_CONTENT_ID")
# fetch the public key
jwks <- yyjsonr::read_json_conn(
file.path(ricochet_url, ".well-known", "jwks.json"),
arr_of_objs_to_df = FALSE
)
pubkey <- read_jwk(jwks$keys[[1]])
# token is the value of the X-Ricochet-User header
claims <- jwt_decode_sig(token, pubkey)
# verify the audience matches this content item
if (!identical(claims$aud, content_id)) {
stop("Invalid `aud` claim.")
}
claims$name

How you read the X-Ricochet-User header depends on your framework.

Have questions? Start a discussion on GitHub.