PingFederate Server

Configuring a JWT Token Processor 2.0 instance

The PingFederate Security Token Service (STS) provides validation for any JSON Web Token (JWT).

Before you begin

Use the Type tab on the Create Token Processor Instance window to begin configuring a JWT token processor 2.0 instance. See Selecting a token processor type.

About this task

The following procedure describes how to use the Instance Configuration tab on the Create Token Processor Instance window to continue configuring a JWT token processor 2.0 instance.

This feature supports the OAuth 2.0 Token Exchange and WS Trust specifications. JWT token processor 2.0 offers more functions than does JWT token processor 1.2.

Screenshot of the Instance Configuration tab for a JWT token processor 2.0
Screenshot of the Instance Configuration tab for JWT token processor 2.0

Steps

  1. On the Create Token Processor Instance window, go to the Instance Configuration tab.

  2. Specify one or more Allowed Issuers and a JWKS or JWKS URL for each allowed issuer.

    PingFederate uses the JWKS or JWKS URL to get the validation keys for the issuer.

  3. Specify one or more Allowed Audiences.

    This setting is optional unless you select the Require Audience check box.

  4. Specify which of the following token claims are required:

    • Audience (aud)

    • Expiration time (exp)

    • Issued at time (iat)

    • Not before time (nbf)

    By default, the aud and exp claims are required, and the iat and nbf claims are not required.

  5. Optional: Click Show Advanced Fields and change the default value for any of the following settings:

    • Default Cache Configuration, which sets the number of minutes to cache the JWKS

      This feature affects JWKS caching only when you specify a JWKS URL for an Allowed Issuer and the JWKS URL response doesn’t indicate a cache time. This feature doesn’t apply when you specify a JWKS for an allowed issuer.

    • Allowed Clock Skew for exp and nbf claims

    • Max Future Validity, which limits the lifetime of the token

  6. Click Save.

Next steps

After selecting the token processor type, go to the Extended Contract tab to continue configuring the token processor instance. See Extending a token processor contract.