Configuration - JSON Web Token

The ‘[jwt:<jct-id>]’ configuration stanza allows us to generate and insert a signed JSON Web Token (JWT) into a HTTP header of requests destined for the junctioned Web server. A generated JWT is valid for the lifetime of the WebSEAL user session.

When configuring the JWT support the following information is required:

1. The label of the key which will be used to sign the generated JWT. This key must exist within the keyfile used for communication with the junctioned servers (defined by either the ‘jct-cert-keyfile’ or ‘webseal-cert-keyfile’ configuration entries). The key identifier field (kid) in the JWT header contains this key label and identifies the key which should be used to verify the JWT;

2. The list of claims (or attributes) which should be added to the JWT. The claim can either be a literal string or can be obtained from specified credential attributes. The following standard claims will be automatically added to each generated JWT:
   1. nbf (not-before): This attribute is set to the current time, less 120 seconds.
   2. iat (issued-at): This attribute is set to the current time.
   3. exp (expiration-time): This attribute is set to the time at which the user session expires (lifetime).
   4. jti (jwt-id): This attribute will be set to a random UUID.

3. The name of the HTTP header which contains the generated JWT.

An example configuration, for the ‘/app’ junction would be:

#
# The JWT stanza is used to control the generation of JSON Web Tokens for the # specified junction. The '{jct-id}' refers to the junction point for a
# standard junction (include the leading '/'), or the virtual host label for a
# virtual host junction.
#

[jwt:/app]

# The label associated with the server key used to sign the JWT. This # key must exist in the key file used to secure junction communication
# (i.e. defined by the jct-cert-keyfile or webseal-cert-keyfile configuration
# entries).
key-label = jwt

# A claim which is to be added to the generated JWT. The format for each
# configuration entry is:
# [text|attr]:<value>{:<claim-name>}#
# where:
# text : Used to indicate that literal text will be added as the claim. The
# text can be qualified with a 'type' (delimited by a dot). The
# valid types include: bool, string, int. If no type is specified
# the value will be added to the JWT as a string.
# attr : Used to indicate the claim will be obtained from a credential
# attribute.
# <value> : The claim value, which will either be a literal string, or the # name of a credential attribute. The '*' and '?' pattern
# matching characters can be used to match multiple attributes.
# Pattern matching characters will be ignored if the # '<claim-name>' is specified. If the value is a literal string
# an array of values can be specified by surrounding the string with
# square brackets ([]). Each individual value should then be
# delimited by a comma (the comma can be escaped with a backslash
# character if a literal comma is required in the value). If the
# value is the name of an attribute an array will only be created
# if the attribute contains multiple values.
# <claim-name> : The name of the claim to be added to the JWT. Nested objects
# can be specified, separating the name of each object field
# with a . (dot). If the name of a field itself embeds a dot
# it should be escaped with a backslash character (e.g. \.)

# The configuration entry can be specified multiple times, once for each
# claim which should be added to the JWT.
#
# For example:
# claim = text::www.ibm.com::iss
# claim = attr::AZN_CRED_PRINCIPAL_NAME::sub
# claim = attr::AZN_*
claim = text::https://www.ibm.com::iss
claim = attr::AZN_CRED_PRINCIPAL_NAME::sub
claim = attr::AZN_CRED_GROUPS::groups

# The name of the HTTP header which will contain the generated JWT.
hdr-name = jwt

Refer to the ‘[jwt:<jct-id>]’ stanza

Parent topic: JSON Web Tokens in HTTP Headers