Authentication nodes

JWT Password Replay node

RAPID only

The JWT Password Replay node stores the user’s password in an encrypted JSON Web Token (JWT). The node retrieves a secret from the secret store using a configured secret label identifier to encrypt the JWT. The encrypted JWT is then stored as a session property.

You can then configure PingGateway to extract this session property using the token returned by a successful authentication journey.

This node is intended for use with legacy applications that require a password for authentication where delegation isn’t an option.

Example

Use the JWT Password Replay node with PingGateway to capture and replay username-password credentials.

Place the node after successful user validation so that the computational expense of generating a JWT only occurs for authenticated users. For example:

[Figure: JWT Password Replay example journey]

Availability

Product                                  Available?
PingOne Advanced Identity Cloud          Yes
PingAM (self-managed)                    Yes
Ping Identity Platform (self-managed)    Yes

Inputs

The node reads the password field from shared state.

Dependencies

A secret in the secret store to encrypt the JWT.

Configuration

Property Usage

Encryption Key Secret Label Identifier

Advanced Identity Cloud uses this identifier to create a specific secret label for this node. The secret label takes the form am.authentication.nodes.jwt.replay.identifier.encryption, where identifier is the value of Encryption Key Secret Label Identifier.

The identifier can only contain alphanumeric characters (a-z, A-Z, 0-9) and periods (.). It can’t start or end with a period.

JWT Session Property Name

The session property that stores the JWT at the end of the journey.

The default is sunIdentityUserPassword, which is recognized by PingGateway.

For security reasons, don’t allowlist this session property.
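
The configuration rules above can be checked before deployment. The following is an added example, not Ping Identity code: a Python lint that validates the identifier, builds the secret label, and flags a missing secret mapping or an allowlisted session property. The dictionary keys and the MAPPED and ALLOWLISTED inputs are assumptions standing in for however you export your own configuration.

```python
import re

# Rule from the page: only a-z, A-Z, 0-9 and periods; no leading or trailing period.
_IDENTIFIER = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?")
LABEL_TEMPLATE = "am.authentication.nodes.jwt.replay.{identifier}.encryption"
DEFAULT_SESSION_PROPERTY = "sunIdentityUserPassword"


def secret_label(identifier):
    """Return the secret label for an identifier, or raise ValueError."""
    if not _IDENTIFIER.fullmatch(identifier):
        raise ValueError(f"invalid secret label identifier: {identifier!r}")
    return LABEL_TEMPLATE.format(identifier=identifier)


def lint_node(node, mapped_labels, allowlisted_properties):
    """Check one node's settings; return a list of findings (empty means clean)."""
    findings = []
    try:
        label = secret_label(node["identifier"])
    except ValueError as exc:
        findings.append(str(exc))
    else:
        # Without a mapped secret the node ends in the Error outcome.
        if label not in mapped_labels:
            findings.append(f"no secret mapped for label {label}")
    prop = node.get("session_property", DEFAULT_SESSION_PROPERTY)
    # The page says not to allowlist the property that holds the JWT.
    if prop in allowlisted_properties:
        findings.append(f"session property {prop} is allowlisted")
    return findings


# Constructed sample data (hypothetical keys and values, not from a real tenant).
MAPPED = {"am.authentication.nodes.jwt.replay.legacy.app1.encryption"}
ALLOWLISTED = {"replayJwt"}
NODES = [
    {"identifier": "legacy.app1"},
    {"identifier": ".hr", "session_property": "sunIdentityUserPassword"},
    {"identifier": "crm", "session_property": "replayJwt"},
]

if __name__ == "__main__":
    for node in NODES:
        print(node["identifier"], lint_node(node, MAPPED, ALLOWLISTED))
```
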

Outputs

The node stores the JWT as the session property defined in the node configuration.

Outcomes

Success

The node created and stored the JWT successfully.

Error

The password was missing from state or the encryption secret couldn’t be retrieved.

Errors

If the node encounters an error, it logs one of the following messages:

  • Missing password: No password found in state to create JWT for password replay

  • Missing secret: No active encryption key secret found for purpose secret label