Validate mode
In validate mode, the JWT Module consumes a binary security token, which has the attribute type “urn:com:ibm:JWT”.
When the module consumes a JWT, the following operations are performed:
- The keys are resolved.
- The JWT is decrypted if it was encrypted.
- The JWT signature is verified if it was signed. If the JWT was encrypted, this step is performed on the payload of the decrypted JWT.
- The claims are validated.
- The STSUU is populated.
If the JWT is successfully decrypted and validated, then the STSUU attributes will contain the claims and context attributes. The claims will have the attribute type urn:com:ibm:JWT:claim. The context attributes will have one of the following values:
- urn:com:ibm:JWT:header
- urn:com:ibm:JWT:outer_header
- urn:com:ibm:JWT:signature
The following table shows the configuration properties.
| Configuration property | Description | Can be provided via WS-Trust claims |
| --- | --- | --- |
| signing.alg | The algorithm with which the JWT is signed. | FALSE |
| signing.symmetricKey | The symmetric key used to perform signature validation. | TRUE |
| signing.db | The keystore from which the certificate is sourced. | TRUE |
| signing.cert | Certificate label from which the public keys are sourced. | TRUE |
| signing.jwksUri | The JWKS URI from which the public key is retrieved. | TRUE |
| encryption.alg | The algorithm used by the JWT for key management. | FALSE |
| encryption.enc | The algorithm used by the JWT for content encryption. | FALSE |
| encryption.symmetricKey | The symmetric key used for key management. | TRUE |
| encryption.db | The keystore from which the private key is sourced. | TRUE |
| encryption.cert | The label of the certificate containing the private key to use for decrypting the encryption key. | TRUE |
| iss | The Java regular expression matching the iss (issuer) claim. This value is optional. | FALSE |
| aud | The Java regular expression matching the aud (audience) claim. This value is optional. | FALSE |
| sub | The Java regular expression matching the sub (subject) claim. This value is optional. | FALSE |
| validateExp | Whether the exp claim in the JWT is checked. This check requires the exp (expiration time) claim to be set to a time in the future. | FALSE |
| validateNbf | Whether the nbf (not before) claim in the JWT is checked. This check requires the nbf claim to be set to a time in the past. | FALSE |
| validateSkew | The skew to offset time checks with. | FALSE |

When the module runs in validate mode, it converts the JWT into a populated STSUU. The following examples show a sample input JWT and the corresponding output STSUU.
Input example
```xml
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:rst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <SOAP-ENV:Body>
    <!-- <rst:RequestSecurityTokenCollection>-->
    <rst:RequestSecurityToken>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>validate</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Issuer>
        <wsa:Address>validate</wsa:Address>
      </wst:Issuer>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
      <wst:Claims>
        <signing.alg>HS256</signing.alg>
        <signing.symmetricKey>superSecret</signing.symmetricKey>
      </wst:Claims>
      <wst:Base>
        <wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode"
            wss:ValueType="urn:com:ibm:JWT">eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiam9obiIsInRpdGxlIjoiTXIiLCJleHAiOjE0NjA0MzkxNzN9.BNkZM38PygNYbPzGSsd1Za8HmgUkn0aT0ImaJmBmKtU</wss:BinarySecurityToken>
      </wst:Base>
    </rst:RequestSecurityToken>
    <!--</rst:RequestSecurityTokenCollection>-->
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
Output example
```xml
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/>
  <soap:Body>
    <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="uuid8f53fcc-0154-10f4-bfcd-ebb7b0604011">
        <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference>
            <wsa:Address>validate</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:RequestedSecurityToken>
          <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
            <stsuuser:Principal/>
            <stsuuser:AttributeList>
              <stsuuser:Attribute name="title" type="urn:com:ibm:JWT:claim">
                <stsuuser:Value>Mr</stsuuser:Value>
              </stsuuser:Attribute>
              <stsuuser:Attribute name="exp" type="urn:com:ibm:JWT:claim">
                <stsuuser:Value>1460439173</stsuuser:Value>
              </stsuuser:Attribute>
              <stsuuser:Attribute name="name" type="urn:com:ibm:JWT:claim">
                <stsuuser:Value>john</stsuuser:Value>
              </stsuuser:Attribute>
            </stsuuser:AttributeList>
            <stsuuser:RequestSecurityToken/>
            <stsuuser:ContextAttributes>
              <stsuuser:Attribute name="header" type="urn:com:ibm:JWT">
                <stsuuser:Value>{"alg":"HS256"}</stsuuser:Value>
              </stsuuser:Attribute>
              <stsuuser:Attribute name="signature" type="urn:com:ibm:JWT">
                <stsuuser:Value>BNkZM38PygNYbPzGSsd1Za8HmgUkn0aT0ImaJmBmKtU</stsuuser:Value>
              </stsuuser:Attribute>
            </stsuuser:ContextAttributes>
            <stsuuser:AdditionalAttributeStatement/>
          </stsuuser:STSUniversalUser>
        </wst:RequestedSecurityToken>
        <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
        <wst:Status>
          <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
        </wst:Status>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>
```
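The following added example (not the JWT Module's own code, and not part of this page's original text) walks through the validate-mode steps listed above for a signed, unencrypted HS256 token: the key and algorithm are resolved from configuration, the signature is verified, the iss/aud/sub patterns and the exp/nbf time checks (offset by validateSkew) are applied, and the result is populated into a dictionary shaped like the STSUU attribute list and context attributes. The token is constructed in the block using the same claims and symmetric key as the input example; the configuration keys mirror the table, and `validate_jwt`, `validation_error` and `sign_hs256` are names chosen for this example. Note that the header's `alg` is compared against the configured signing.alg rather than trusted on its own, which is why a token whose header declares a different algorithm is rejected before any key is used.

```python
"""Added example: the validate-mode steps re-implemented for HS256 with a
symmetric key. Not IBM's code; names and structure are this example's own."""
import base64
import hashlib
import hmac
import json
import re
import time


class JwtValidationError(Exception):
    """Raised when any validate-mode step fails."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: str) -> str:
    """Build a compact HS256 JWS; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token: str, config: dict, now=None) -> dict:
    """Resolve key, verify signature, validate claims, populate an STSUU-like dict.
    config keys follow the page's table: signing.alg, signing.symmetricKey,
    iss, aud, sub, validateExp, validateNbf, validateSkew."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtValidationError("expected a three-part compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))

    # Step 1: keys are resolved from configuration, never from the token. The
    # header alg must equal the configured signing.alg; this example only
    # implements HS256.
    if config.get("signing.alg") != "HS256":
        raise JwtValidationError("this example only implements signing.alg=HS256")
    if header.get("alg") != config["signing.alg"]:
        raise JwtValidationError(f"header alg {header.get('alg')!r} does not match configured signing.alg")

    # Step 2: signature verification over "header.payload" with a constant-time compare.
    expected = hmac.new(config["signing.symmetricKey"].encode(),
                        f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise JwtValidationError("signature verification failed")

    # Step 3: claim validation. re.fullmatch approximates Java's String.matches()
    # semantics for the optional iss/aud/sub patterns.
    claims = json.loads(_b64url_decode(p_b64))
    for name in ("iss", "aud", "sub"):
        pattern = config.get(name)
        if pattern is not None and not re.fullmatch(pattern, str(claims.get(name, ""))):
            raise JwtValidationError(f"{name} claim does not match {pattern!r}")
    skew = int(config.get("validateSkew", 0))
    if config.get("validateExp") and not ("exp" in claims and now < int(claims["exp"]) + skew):
        raise JwtValidationError("exp claim missing or not in the future")
    if config.get("validateNbf") and not ("nbf" in claims and int(claims["nbf"]) - skew <= now):
        raise JwtValidationError("nbf claim missing or not in the past")

    # Step 4: populate the STSUU. Claims become urn:com:ibm:JWT:claim attributes;
    # the header and signature become context attributes of type urn:com:ibm:JWT.
    return {
        "AttributeList": [{"name": k, "type": "urn:com:ibm:JWT:claim", "value": v}
                          for k, v in claims.items()],
        "ContextAttributes": [
            {"name": "header", "type": "urn:com:ibm:JWT",
             "value": json.dumps(header, separators=(",", ":"))},
            {"name": "signature", "type": "urn:com:ibm:JWT", "value": s_b64},
        ],
    }


def validation_error(token: str, config: dict, now=None):
    """Return the failure reason as a string, or None when the token validates."""
    try:
        validate_jwt(token, config, now)
    except JwtValidationError as exc:
        return str(exc)
    return None


# Constructed sample: the page's claims and symmetric key, signed here.
SAMPLE_KEY = "superSecret"
SAMPLE_CLAIMS = {"name": "john", "title": "Mr", "exp": 1460439173}
SAMPLE_TOKEN = sign_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)
SAMPLE_CONFIG = {"signing.alg": "HS256", "signing.symmetricKey": SAMPLE_KEY,
                 "sub": None, "validateExp": True, "validateSkew": 60}

if __name__ == "__main__":
    # The sample exp is in 2016, so evaluate at a clock value before it.
    print(json.dumps(validate_jwt(SAMPLE_TOKEN, SAMPLE_CONFIG, now=1460439000), indent=2))
```

Running the block prints the same three claim attributes and the same header and signature context attributes that appear in the output example above; pass a current clock value instead of the fixed one to see the validateExp check reject the token.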
Parent topic: JSON Web Token (JWT)