JWT access token validator
The JWT access token validator verifies access tokens that are encoded in JWT format, which can be signed in JSON web signature (JWS) format or signed and encrypted in JSON web encryption (JWE) format.
The JWT access token validator inspects the JWT token without presenting it to an authorization server for validation. Because the JWT access token validator doesn’t make a token introspection request for every access token that it processes, it performs faster than the PingFederate access token validator. The access token is self-validated however, so the JWT access token validator cannot determine whether the token has been revoked.
Supported JWS/JWE features
For signed tokens, the JWT access token validator supports the following JWT web algorithm (JWA) types:
-
RS256
-
RS384
-
RS512
-
ES256
-
ES384
-
ES512
For encrypted tokens, the JWT access token validator supports the following key-encryption algorithms:
-
RSA-OAEP
-
ECDH-ES
-
ECDH-ES+A128KW
-
ECDH-ES+A192KW
-
ECDH-ES+A256KW
For encrypted tokens, the JWT access token validator supports the following content-encryption algorithms:
-
A128CBC-HS256
-
A192CBC-HS384
-
A256CBC-HS512
The JWT access token validator configuration defines three allow lists for the JWS/JWE signing and encryption algorithms that it will accept. You should customize these allow lists to reflect only the signing and encryption algorithms used by your access token issuer and no others. Doing so minimizes the access token validator’s security threat surface.
Configure these allow lists using the following configuration properties.
Property | Description |
---|---|
|
Specifies the signing algorithms that the access token validator accepts. |
|
Specifies the key-encryption algorithms that the access token validator accepts. |
|
Specifies the content-encryption algorithms that the access token validator accepts. |