Users have authenticated with your website and the app is using a JWT Bearer Token to establish identity. You don't want to bother users with an additional authentication.
Salesforce has very specific requirements how a JWT must be formed to qualify for authentication. For example the token can be valid only for 5 minutes. It is very unlikely that your token matches the requirements.
Therefore you will need to extract the user identity from existing token, while checking that it isn't spoofed and create a new token that you present to Salesforce to obtain the session token. So you need:
- The key that can be used to verify the existing token. This could be a simple String, used for symmetrical signature or an X509 Public Key
- A private key for Salesforce to sign a new JWT (See below)
- A configured Connected App in Salesforce where you upload they full certificate and obtain the Consumer Key
- Some place to run the code, like Heroku