PingDirectory

Handling encrypted tokens

Configure the JSON web token (JWT) access token validator to accept encrypted access tokens. The validator must be configured with a private and public key pair, and the public key must be provided to the token issuer: the issuer encrypts each access token to that public key, and the validator uses the matching private key to decrypt it. The private key never leaves the PingDirectory server.

Steps

  1. Create an encryption key pair.

  2. Create the JWT access token validator.

  3. Export the public encryption key from the PingDirectory server and provide it to your token issuer.

    Choose from:

    • To copy the public key to a file, run dsconfig get-key-pair-prop (shown in the example below).

    • Copy the value of the key pair’s certificate-chain property in the administrative console.

      Without this public encryption key, the issuer cannot encrypt tokens that the JWT access token validator can decrypt. The certificate-chain value contains only the certificate and its public key, so giving it to the issuer does not expose the private key.

Example

The following example configures a JWT access token validator to handle access tokens signed and encrypted using elliptic curve algorithms.

For RSA signing and encryption algorithms, the configuration is similar, but you choose RSA values for the allowed-signing-algorithm and allowed-key-encryption-algorithm properties, and the encryption-key-pair must be created with an RSA key-algorithm rather than EC_256.

  1. Create an encryption key pair.

    # Create an encryption key pair (the private key stays on this server;
    # only the certificate-chain is exported in step 3)
    dsconfig create-key-pair \
        --pair-name "JWT Elliptic Curve Encryption Key Pair" \
        --set key-algorithm:EC_256

  2. Create the JWT access token validator.

    # Create an identity mapper that expects the token subject to be a uid
    dsconfig create-identity-mapper \
        --mapper-name "User ID Identity Mapper" \
        --type exact-match \
        --set enabled:true \
        --set match-attribute:uid \
        --set match-base-dn:ou=people,dc=example,dc=com

    # Change the host name and port below, as needed
    dsconfig create-external-server \
        --server-name "PingFederate External Server" \
        --type http \
        --set base-url:https://example.com:9031

    # Create the Access Token Validator. The signing keys are fetched from the
    # issuer's JWKS endpoint; the encryption-key-pair holds the private key
    # used to decrypt tokens the issuer encrypts to the exported public key.
    dsconfig create-access-token-validator \
        --validator-name "JWT Access Token Validator" \
        --type jwt \
        --set enabled:true \
        --set evaluation-order-index:1000 \
        --set allowed-signing-algorithm:ES256 \
        --set "authorization-server:PingFederate External Server" \
        --set jwks-endpoint-path:/ext/oauth/jwks \
        --set "encryption-key-pair:JWT Elliptic Curve Encryption Key Pair" \
        --set allowed-key-encryption-algorithm:ECDH_ES \
        --set "identity-mapper:User ID Identity Mapper"
  3. Export the public encryption key from the PingDirectory server and provide it to your token issuer.

    The following command copies the key to a file.

    dsconfig get-key-pair-prop \
        --pair-name "JWT Elliptic Curve Encryption Key Pair" \
        --property certificate-chain \
        --no-prompt \
        --script-friendly > jwt-public-encryption-key.pem
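The following inspection script is an added example, not PingDirectory or PingFederate code. When the validator rejects tokens after the public key has been handed to the issuer, the first thing to look at is what the issuer actually produces. The script parses the protected header of a JWE compact token (it never decrypts, so it needs no private key) and reports whether the key-encryption algorithm, the ephemeral key curve and the nesting match the validator configured above. It assumes that the dsconfig value ECDH_ES corresponds to the JOSE identifier ECDH-ES and that an EC_256 key pair is a P-256 key; the sample tokens are constructed and carry no real key material.

```python
"""Pre-flight inspection of tokens an issuer sends to the JWT access token validator.

Added example, not PingDirectory or PingFederate code. It reads only the
protected header of a JWS/JWE compact serialization (no decryption) and
reports mismatches against the dsconfig example on this page.
"""
import base64
import json

# Policy mirroring the dsconfig example on this page.
# Assumed mappings: dsconfig value ECDH_ES is the JOSE identifier "ECDH-ES",
# and an EC_256 key pair is a P-256 curve key.
ALLOWED_KEY_ENCRYPTION = {"ECDH-ES"}
EXPECTED_CURVE = "P-256"


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serializations."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def protected_header(token: str) -> dict:
    """Parse the first segment (the protected header) of a JWS or JWE."""
    return json.loads(b64url_decode(token.split(".")[0]))


def check_token(token: str) -> list:
    """Return problems found; an empty list means the token matches the policy."""
    problems = []
    parts = token.split(".")
    if len(parts) not in (3, 5):
        return [f"expected 3 (JWS) or 5 (JWE) segments, got {len(parts)}"]
    try:
        hdr = protected_header(token)
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return ["protected header is not base64url-encoded JSON"]
    alg = hdr.get("alg")
    if len(parts) == 3:
        # A JWS carries a signature, not ciphertext, so the validator's
        # encryption-key-pair is never used for it.
        return [f"token is a signed but unencrypted JWS (alg {alg!r}); "
                "the validator was configured for encrypted tokens"]
    if alg not in ALLOWED_KEY_ENCRYPTION:
        problems.append(f"key encryption alg {alg!r} is not in "
                        f"allowed set {sorted(ALLOWED_KEY_ENCRYPTION)}")
    if isinstance(alg, str) and alg.startswith("ECDH-ES"):
        # ECDH-ES puts the sender's ephemeral public key in the header; it must
        # be on the same curve as the validator's key pair or key agreement fails.
        epk = hdr.get("epk") or {}
        if epk.get("kty") != "EC" or epk.get("crv") != EXPECTED_CURVE:
            problems.append(f"ephemeral key is {epk.get('kty')!r}/{epk.get('crv')!r}, "
                            f"validator key pair is 'EC'/{EXPECTED_CURVE!r}")
    if str(hdr.get("cty", "")).upper() != "JWT":
        # RFC 7519 section 5.2: a nested (signed then encrypted) JWT sets cty "JWT".
        problems.append("cty is not 'JWT'; the payload may not be a nested signed JWT")
    return problems


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _jwe(header: dict) -> str:
    # Constructed sample: only the header is meaningful. The encrypted-key
    # segment is empty, as it is for direct ECDH-ES; IV, ciphertext and tag
    # are placeholders because nothing here decrypts them.
    return ".".join([_b64url(header), "", "aXY", "Y2lwaGVydGV4dA", "dGFn"])


# Constructed sample tokens (no real key material).
GOOD_TOKEN = _jwe({"alg": "ECDH-ES", "enc": "A256GCM", "cty": "JWT",
                   "epk": {"kty": "EC", "crv": "P-256", "x": "AA", "y": "AA"}})
RSA_TOKEN = _jwe({"alg": "RSA-OAEP-256", "enc": "A256GCM", "cty": "JWT"})
WRONG_CURVE_TOKEN = _jwe({"alg": "ECDH-ES", "enc": "A256GCM", "cty": "JWT",
                          "epk": {"kty": "EC", "crv": "P-384", "x": "AA", "y": "AA"}})
PLAIN_JWS_TOKEN = ".".join([_b64url({"alg": "ES256", "typ": "JWT"}), "e30", "c2ln"])

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("rsa", RSA_TOKEN),
                      ("wrong-curve", WRONG_CURVE_TOKEN), ("plain-jws", PLAIN_JWS_TOKEN)]:
        print(name, check_token(tok) or "ok")
```

Paste a token captured from the issuer in place of the samples to diagnose a rejection. A non-empty result points at a configuration mismatch on one side or the other (for example, the issuer encrypting with RSA-OAEP while the validator allows only ECDH_ES, or an ephemeral key on a different curve than the EC_256 pair), which is cheaper to spot here than in the validator's logs.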