---
title: Handling encrypted tokens
description: Configure the JSON web token (JWT) access token validator to accept encrypted access tokens. You must configure the access token validator with a private and public key pair and provide the public key to the token issuer.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_access_control:pd_ds_handle_encrypted_tokens
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_handle_encrypted_tokens.html
revdate: July 3, 2024
section_ids:
  steps: Steps
  choose-from: Choose from:
  example: Example
---

# Handling encrypted tokens

Configure the JSON web token (JWT) access token validator to accept encrypted access tokens. You must configure the access token validator with a private and public key pair and provide the public key to the token issuer.

## Steps

1. Create an encryption key pair.

2. Create the JWT access token validator.

3. Export the public encryption key from the PingDirectory server and provide it to your token issuer.

   ### Choose from:

   * To copy the public key to a file, run `dsconfig`.

   * Copy the value of the key pair's `certificate-chain` property in the admin console.

   Without this public encryption key, the issuer cannot encrypt tokens that can be decrypted by the JWT access token validator.

## Example

The following example configures a JWT access token validator to handle access tokens signed and encrypted using elliptic curve algorithms.

For RSA signing and encryption algorithms, the configuration is similar, but you choose different values for the `allowed-signing-algorithm` and `allowed-key-encryption-algorithm` properties.

1. Create an encryption key pair.

   ```
   # Create an encryption key pair
   dsconfig create-key-pair \
   	--pair-name "JWT Elliptic Curve Encryption Key Pair" \
   	--set key-algorithm:EC_256
   ```

2. Create the JWT access token validator.

   ```
   # Create an identity mapper that expects the token subject to be a uid
   dsconfig create-identity-mapper \
   	--mapper-name "User ID Identity Mapper" \
   	--type exact-match \
   	--set enabled:true \
   	--set match-attribute:uid \
   	--set match-base-dn:ou=people,dc=example,dc=com

   # Change the host name and port below, as needed
   dsconfig create-external-server \
   	--server-name "PingFederate External Server" \
   	--type http \
   	--set base-url:https://example.com:9031

   # Create the Access Token Validator
   dsconfig create-access-token-validator \
   	--validator-name "JWT Access Token Validator" \
   	--type jwt \
   	--set enabled:true \
   	--set evaluation-order-index:1000 \
   	--set allowed-signing-algorithm:ES256 \
   	--set "authorization-server:PingFederate External Server" \
   	--set jwks-endpoint-path:/ext/oauth/jwks \
   	--set "encryption-key-pair:JWT Elliptic Curve Encryption Key Pair" \
   	--set allowed-key-encryption-algorithm:ECDH_ES \
   	--set "identity-mapper:User ID Identity Mapper"
   ```

3. Export the public encryption key from the PingDirectory server and provide it to your token issuer.

   The following command copies the key to a file.

   ```
   dsconfig get-key-pair-prop \
   	--pair-name "JWT Elliptic Curve Encryption Key Pair" \
   	--property certificate-chain \
   	--no-prompt \
   	--script-friendly > jwt-public-encryption-key.pem
   ```
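   The exported `certificate-chain` value is a PEM certificate, but many issuers expect the encryption key as a JWK. The following script, an added example that is not part of the PingDirectory documentation or tooling, converts the exported PEM into the public `ECDH-ES` JWK for a P-256 (`EC_256`) key pair and rejects anything else; the function names, `kid` value and the sample PEM are constructed for illustration.

   ```python
   import base64
   import re

   # DER bytes of a P-256 SubjectPublicKeyInfo up to the public point, exactly as
   # they appear inside the certificate: SEQUENCE { SEQUENCE { id-ecPublicKey,
   # prime256v1 }, BIT STRING { 0x04 || X || Y } }. X and Y follow directly.
   P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")

   def b64url(data: bytes) -> str:
       """Unpadded base64url, the encoding JWK coordinates use."""
       return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

   def pem_to_der(pem: str) -> bytes:
       """Decode the first PEM block of the export (the leaf certificate)."""
       m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
       if not m:
           raise ValueError("no PEM block found in the exported certificate-chain")
       return base64.b64decode("".join(m.group(1).split()))

   def certificate_chain_to_ecdh_jwk(pem: str, kid: str) -> dict:
       """Public JWK the issuer needs to encrypt tokens for this validator.
       Only P-256 (EC_256) keys are accepted, matching the example's key pair; an
       RSA or other-curve certificate raises rather than yielding a wrong JWK."""
       der = pem_to_der(pem)
       idx = der.find(P256_SPKI_PREFIX)
       if idx < 0:
           raise ValueError("certificate does not carry a P-256 EC public key")
       start = idx + len(P256_SPKI_PREFIX)
       point = der[start:start + 64]
       if len(point) != 64:
           raise ValueError("EC public key point is truncated")
       return {
           "kty": "EC", "crv": "P-256",
           "x": b64url(point[:32]), "y": b64url(point[32:]),
           "use": "enc", "alg": "ECDH-ES",  # pairs with allowed-key-encryption-algorithm:ECDH_ES
           "kid": kid,
       }

   # Constructed stand-in for jwt-public-encryption-key.pem: a bare P-256
   # SubjectPublicKeyInfo (not a full certificate) whose point is the curve's
   # generator, so the expected x and y are known. The real export is one or more
   # "BEGIN CERTIFICATE" blocks; the byte scan above finds the SPKI in either form.
   _GX = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
   _GY = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
   SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                 + base64.b64encode(P256_SPKI_PREFIX + _GX + _GY).decode("ascii")
                 + "\n-----END PUBLIC KEY-----\n")
   ```

   Pass the file produced in step 3 as `pem`; whether your issuer imports a JWK or the certificate itself depends on the issuer, so check its documentation before publishing the key.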
