PingDirectory

JWT access token validator

The JWT access token validator verifies access tokens that are encoded in JSON Web Token (JWT) format, which can be signed in JSON web signature (JWS) format or signed and encrypted in JSON web encryption (JWE) format.

The JWT access token validator inspects the JWT locally without presenting it to an authorization server for validation. Because the JWT access token validator does not make a token introspection request for every access token that it processes, it performs faster than the PingFederate access token validator. Because the token is validated only from its own signature and claims, the JWT access token validator cannot determine whether the token has been revoked.

Supported JWS/JWE features

For signed tokens, the JWT access token validator supports the following JSON Web Algorithm (JWA) types:

  • RS256

  • RS384

  • RS512

  • ES256

  • ES384

  • ES512

For encrypted tokens, the JWT access token validator supports the following key-encryption algorithms:

  • RSA-OAEP

  • ECDH-ES

  • ECDH-ES+A128KW

  • ECDH-ES+A192KW

  • ECDH-ES+A256KW

For encrypted tokens, the JWT access token validator supports the following content-encryption algorithms:

  • A128CBC-HS256

  • A192CBC-HS384

  • A256CBC-HS512

The JWT access token validator configuration defines three allow lists for the JWS/JWE signing and encryption algorithms that it accepts. Customize these allow lists to reflect only the signing and encryption algorithms used by your access token issuer and no others. This minimizes the access token validator’s attack surface.

Configure these allow lists using the following configuration properties:

allowed-signing-algorithm

Specifies the signing algorithms that the access token validator accepts.

allowed-key-encryption-algorithm

Specifies the key-encryption algorithms that the access token validator accepts.

allowed-content-encryption-algorithm

Specifies the content-encryption algorithms that the access token validator accepts.
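The following Python is an added example, not PingDirectory code, that mirrors the gate the three allow lists impose: the compact token's protected header is read and the token is rejected before any signature or decryption work if its alg (and, for JWE, enc) value is not on the corresponding allow list. The allow-list contents and the make_token helper are constructed for the example.

```python
import base64
import json

# Constructed allow lists mirroring the three PingDirectory properties,
# narrowed to the algorithms one hypothetical issuer actually uses.
ALLOWED_SIGNING_ALGORITHMS = {"RS256"}              # allowed-signing-algorithm
ALLOWED_KEY_ENCRYPTION_ALGORITHMS = {"RSA-OAEP"}    # allowed-key-encryption-algorithm
ALLOWED_CONTENT_ENCRYPTION_ALGORITHMS = {"A256CBC-HS512"}  # allowed-content-encryption-algorithm


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_token_algorithms(token: str) -> tuple:
    """Return (accepted, reason) using only the protected header.

    A JWS has 3 dot-separated parts, a JWE has 5. Anything whose header
    names an algorithm outside the allow lists (including "none" or an
    HMAC alg) is refused here, before keys are ever consulted.
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        return False, "not a compact JWS (3 parts) or JWE (5 parts)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed protected header"
    alg = header.get("alg")
    if len(parts) == 3:
        if alg not in ALLOWED_SIGNING_ALGORITHMS:
            return False, f"signing algorithm {alg!r} not allowed"
        return True, "JWS header accepted; verify the signature next"
    enc = header.get("enc")
    if alg not in ALLOWED_KEY_ENCRYPTION_ALGORITHMS:
        return False, f"key-encryption algorithm {alg!r} not allowed"
    if enc not in ALLOWED_CONTENT_ENCRYPTION_ALGORITHMS:
        return False, f"content-encryption algorithm {enc!r} not allowed"
    return True, "JWE header accepted; decrypt, then validate the inner JWS"


def make_token(header: dict, n_parts: int) -> str:
    # Constructed token: real header, placeholder payload/signature segments.
    segs = [_b64url_encode(json.dumps(header).encode())] + ["x"] * (n_parts - 1)
    return ".".join(segs)
```

Running check_token_algorithms over constructed headers shows an RS256 JWS and an RSA-OAEP/A256CBC-HS512 JWE passing, while "none", HS256, and an unlisted content-encryption algorithm are refused.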

Learn more about the configuration options for a JWT access token validator.