---
title: Handling signed tokens
description: The token issuer must cryptographically sign all access tokens that the JSON web token (JWT) access token validator handles. The JWT access token validator validates a token's signature using a public signing key provided by the issuer.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_access_control:pd_ds_handle_signed_tokens
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_handle_signed_tokens.html
revdate: August 28, 2024
page_aliases: ["pd_ds_use_locally_config_trusted_cert.adoc", "pd_ds_use_issuer_jwks_endpoint.adoc"]
section_ids:
  steps: Steps
  choose-from: Choose from:
  example-use-a-locally-configured-trusted-certificate: "Example: Use a locally configured trusted certificate"
  example-use-the-issuers-jwks-endpoint: "Example: Use the issuer's JWKS endpoint"
---

# Handling signed tokens

The token issuer must cryptographically sign all access tokens that the JSON web token (JWT) access token validator handles. The JWT access token validator validates a token's signature using a public signing key provided by the issuer.

## Steps

* Configure the JWT access token validator with the issuer's public signing key:

  ### Choose from:

  * Store the public key as a trusted certificate in the server's local configuration using the `trusted-certificate` property.

  * Provide the issuer's JSON Web Key Set (JWKS) endpoint using the `jwks-endpoint-path` property.

    To ensure that the JWT access token validator uses updated copies of the issuer's public keys, the validator checks the configured JWKS endpoint in the following cases:

    - When the validator initializes
    - If the validator can't find a suitable key for verification in its current set of keys

## Example: Use a locally configured trusted certificate

The following example configures a JWT access token validator to use a locally stored public signing certificate to validate access token signatures. The signing certificate is assumed to have been obtained out-of-band and must be a PEM-encoded X.509v3 certificate.

```
# Create an identity mapper that expects the token subject to be a uid
dsconfig create-identity-mapper \
	--mapper-name "User ID Identity Mapper" \
	--type exact-match \
	--set enabled:true \
	--set match-attribute:uid \
	--set match-base-dn:ou=people,dc=example,dc=com

# Add the public signing certificate to the server configuration
# (the "<" after the property name reads the value from the named file)
dsconfig create-trusted-certificate \
	--certificate-name "JWT Signing Certificate" \
	--set "certificate</path/to/signing-certificate.pem"

# Create the Access Token Validator; only RS256-signed tokens are accepted
dsconfig create-access-token-validator \
	--validator-name "JWT Access Token Validator" \
	--type jwt \
	--set enabled:true \
	--set evaluation-order-index:1000 \
	--set allowed-signing-algorithm:RS256 \
	--set "trusted-certificate:JWT Signing Certificate" \
	--set "identity-mapper:User ID Identity Mapper"
```

## Example: Use the issuer's JWKS endpoint

The following example configures a JWT access token validator to retrieve public keys from a PingFederate authorization server's JWKS endpoint.

```
# Create an identity mapper that expects the token subject to be a uid
dsconfig create-identity-mapper \
	--mapper-name "User ID Identity Mapper" \
	--type exact-match \
	--set enabled:true \
	--set match-attribute:uid \
	--set match-base-dn:ou=people,dc=example,dc=com

# Change the host name and port below, as needed
dsconfig create-external-server \
	--server-name "PingFederate External Server" \
	--type http \
	--set base-url:https://example.com:9031

# Create the Access Token Validator; keys are fetched from the JWKS endpoint
# of the external server configured above
dsconfig create-access-token-validator \
	--validator-name "JWT Access Token Validator" \
	--type jwt \
	--set enabled:true \
	--set evaluation-order-index:1000 \
	--set allowed-signing-algorithm:RS256 \
	--set "authorization-server:PingFederate External Server" \
	--set jwks-endpoint-path:/ext/oauth/jwks \
	--set "identity-mapper:User ID Identity Mapper"
```
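The following Python script is an added example and not PingDirectory's code: it models the key-handling behaviour described in the Steps section (the JWKS is read when the validator initializes and re-read only when no cached key matches a token's `kid`) together with an algorithm allow-list equivalent to `allowed-signing-algorithm:RS256`. The `Issuer` class, the `JwtAccessTokenValidator` class, the key ids `key-1`/`key-2`, the subject `jdoe` and the toy inline RSA key generation are all constructed for this example; in a real deployment `fetch_jwks` would be an HTTPS request to the `jwks-endpoint-path` on the configured authorization server and the RSA arithmetic would come from a vetted crypto library.

```python
"""Added example (not PingDirectory code): a JWT validator that reads the issuer's JWKS
when it initializes and re-reads it only when no cached key matches a token's kid, and
rejects any alg outside its allow-list. The toy inline RSA exists only so it runs offline."""
import base64, hashlib, hmac, json, random

E = 65537
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo (RFC 8017)

def generate_rsa_key(bits=768):  # toy size and toy primality test; not for real keys
    def prime(b):  # random odd full-length candidate passing a base-2 and base-3 Fermat test
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if pow(2, c - 1, c) == 1 and pow(3, c - 1, c) == 1:
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so this is gcd(E, phi) == 1
            return {"n": p * q, "e": E, "d": pow(E, -1, phi)}

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_b64(x): return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))

def _em(msg, k):  # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_em(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, msg, sig):  # jwk is an RSA JSON Web Key with base64url n and e
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _em(msg, k))

class Issuer:  # constructed authorization server: signs tokens and publishes its keys as a JWKS
    def __init__(self):
        self.keys, self.jwks_requests = {}, 0
        self.rotate()
    def rotate(self):  # publish a fresh signing key under a new kid
        self.kid = "key-%d" % (len(self.keys) + 1)
        self.keys[self.kid] = generate_rsa_key()
    def jwks(self):
        self.jwks_requests += 1
        return {"keys": [{"kty": "RSA", "alg": "RS256", "kid": kid, "n": int_b64(k["n"]), "e": int_b64(k["e"])}
                         for kid, k in self.keys.items()]}
    def mint(self, sub, alg="RS256"):
        head, body = (b64url(json.dumps(o).encode()) for o in ({"alg": alg, "kid": self.kid}, {"sub": sub}))
        return "%s.%s.%s" % (head, body, b64url(rs256_sign(self.keys[self.kid], f"{head}.{body}".encode())))

class JwtAccessTokenValidator:
    def __init__(self, fetch_jwks, allowed_algs=("RS256",)):
        self._fetch, self.allowed_algs = fetch_jwks, frozenset(allowed_algs)
        self.refresh()  # case 1: the validator initializes
    def refresh(self):
        self._keys = {k["kid"]: k for k in self._fetch()["keys"] if k.get("kty") == "RSA"}
    def validate(self, token):  # returns the claims of a valid token, or raises ValueError
        try:
            h64, p64, s64 = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
        except ValueError as exc:
            raise ValueError("malformed token") from exc
        if header.get("alg") not in self.allowed_algs:  # decided before any key lookup
            raise ValueError("signing algorithm not allowed: %r" % header.get("alg"))
        kid = header.get("kid")
        if kid not in self._keys:
            self.refresh()  # case 2: no suitable key in the current set
        if kid not in self._keys:
            raise ValueError("no key with kid %r at the JWKS endpoint" % kid)
        if not rs256_verify(self._keys[kid], f"{h64}.{p64}".encode(), sig):
            raise ValueError("signature verification failed")
        return claims

def rejection(validator, token):  # the rejection reason, or None when the token is accepted
    try:
        validator.validate(token)
        return None
    except ValueError as exc:
        return str(exc)

def demo():  # exercises both fetch cases and the alg allow-list; returns figures for checking
    issuer, out = Issuer(), {}
    validator = JwtAccessTokenValidator(issuer.jwks)
    out["fetches_after_init"] = issuer.jwks_requests
    out["sub"] = validator.validate(issuer.mint("jdoe"))["sub"]
    out["fetches_after_first_token"] = issuer.jwks_requests  # unchanged: kid was cached
    issuer.rotate()
    validator.validate(issuer.mint("jdoe"))
    out["fetches_after_rotation"] = issuer.jwks_requests  # +1: the unknown kid forced one refresh
    out["alg_none"] = rejection(validator, issuer.mint("jdoe", alg="none"))
    out["fetches_after_alg_none"] = issuer.jwks_requests  # unchanged: rejected before key lookup
    h, _, s = issuer.mint("jdoe").split(".")  # a payload edited after signing fails verification
    out["tampered"] = rejection(validator, "%s.%s.%s" % (h, b64url(b'{"sub":"someone-else"}'), s))
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the figures `demo()` collects: one JWKS request at initialization, none for a token whose `kid` is already cached, exactly one more when the issuer rotates to a key the validator has not seen, and none for a token rejected by the allow-list, because the `alg` check runs before any key lookup. The refresh is deliberately bounded to one request per unknown `kid`; a production validator would additionally rate-limit those refreshes so that a stream of tokens with bogus key ids cannot turn into a stream of requests to the issuer.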
