Package org.forgerock.openig.util
Class JwtFactoryConfigUtils
java.lang.Object
org.forgerock.openig.util.JwtFactoryConfigUtils
The JwtFactory supports securing JWTs. The supported JWT types are as follows:
 
 - signed JWT
 - signed then encrypted JWT
 - encrypted JWT
 - unsecured (unsigned JWTs are not recommended and are deprecated as not secure)
 
 Examples below based on JwtBuilderFilter usage:
 
 {
      "type": "JwtBuilderFilter",
      "config": {
          "secretsProvider"       :     Secrets Provider     [OPTIONAL - resolve signing/encryption keys.]
          "signature"             : {   object               [OPTIONAL - but if set, inner attributes MAY BE REQUIRED]
              "secretId"            :     expression           [REQUIRED - secret ID of the key used for signing]
              "includeKeyId"        :     expression           [OPTIONAL - configure if the keyId (kid) should be set
                                                                  in the JWT header - default is true.]
              "algorithm"           :     expression           [OPTIONAL - default to RS256 (1)]
              "encryption"          : {   object               [OPTIONAL but if set, inner attributes are REQUIRED]
                  "secretId"            :   expression           [REQUIRED - secret ID of the key used for encryption]
                  "algorithm"           :   expression           [REQUIRED - The encryption algorithm (2)]
                  "method"              :   expression           [REQUIRED - The encryption method (3)]
              }
          }
          "encryption"          : {   object                 [OPTIONAL but if set, inner attributes are REQUIRED]
              "secretId"            :   expression             [REQUIRED - secret ID of the key used for encryption]
              "algorithm"           :   expression             [REQUIRED - The encryption algorithm (2)]
              "method"              :   expression             [REQUIRED - The encryption method (3)]
          }
      }
 }
 
 
 (1) List of JWS Algorithms
 (2) List of JWE Algorithms
 (3) List of Encryption Methods
Example for signing a JWT:
 {
      "type": "JwtBuilderFilter",
      "config": {
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS384"
          }
      }
 }
 
 
 Example for signing then encrypting a JWT:
 
 {
      "type": "JwtBuilderFilter",
      "config": {
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS256",
              "encryption": {
                  "secretId": "my.encryption.key",
                  "algorithm": "dir",
                  "method": "A128CBC-HS256"
              }
          }
      }
 }
 
 
 Example for encrypting a JWT:
 
 {
      "type": "JwtBuilderFilter",
      "config": {
          "secretsProvider": "SystemAndEnvSecretStore-1",
          "encryption": {
              "secretId": "my.encryption.key",
              "algorithm": "dir",
              "method": "A128GCM"
          }
      }
 }
 
Field Summary
Fields
 - ENCRYPTION
   Top level key of the encryption block.
 - SIGNATURE
   Top level key of the signature block.

Method Summary
 - static Function<JsonValue,JwtFactory,HeapException> jwtFactory(Heap heap, SecretsProvider secretsProvider)
   Function supporting transformation of JSON configuration to a JwtFactory instance registered in the heap.
 - static Function<JsonValue,JwtFactory,HeapException> signedJwtFactory(Heap heap, SecretsProvider secretsProvider)
   Function supporting transformation of JSON configuration to a JwtFactory instance registered in the heap (signed and signed then encrypted tokens only).
Field Details
 - ENCRYPTION
   Top level key of the encryption block.
 - SIGNATURE
   Top level key of the signature block.

Method Details
 - jwtFactory
   public static Function<JsonValue,JwtFactory,HeapException> jwtFactory(Heap heap, SecretsProvider secretsProvider)
   Function supporting transformation of JSON configuration to a JwtFactory instance registered in the heap.
   Parameters:
     heap - The heap
     secretsProvider - The required secrets provider to use
   Returns:
     Function capable of transforming JSON value to JwtFactory instance in the heap
 - signedJwtFactory
   public static Function<JsonValue,JwtFactory,HeapException> signedJwtFactory(Heap heap, SecretsProvider secretsProvider)
   Function supporting transformation of JSON configuration to a JwtFactory instance registered in the heap. This method supports signed and signed then encrypted tokens only.
   Parameters:
     heap - The heap
     secretsProvider - The required secrets provider to use
   Returns:
     Function capable of transforming JSON value to JwtFactory instance in the heap
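As an added example (not OpenIG code, and not how OpenIG validates the heap object itself), the following Python checker applies the rules documented above to a JwtBuilderFilter declaration before it is deployed: the REQUIRED/OPTIONAL attributes of the signature and encryption blocks, the documented defaults (algorithm RS256, includeKeyId true), the deprecation of unsecured JWTs, and the signedJwtFactory restriction to signed and signed then encrypted tokens. Assumptions: algorithm and method names are checked against the JOSE names registered in RFC 7518, not against OpenIG's own supported list; attribute values written as ${...} are treated as runtime expressions and skipped; and the warning about a top-level encryption block next to signature reflects only that this page documents sign-then-encrypt as the nested form. The sample declarations in the block are constructed.

```python
"""Checker for the JwtBuilderFilter signature/encryption config schema.

Added example; not OpenIG code. OpenIG performs its own validation when the
JwtFactory is built from the heap.
"""
import json

# JOSE names registered in RFC 7518. Assumption: OpenIG's supported subset may
# be smaller, so a name accepted here is well-formed, not necessarily supported.
JWS_ALGORITHMS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                  "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "none"}
JWE_ALGORITHMS = {"dir", "RSA1_5", "RSA-OAEP", "RSA-OAEP-256",
                  "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW",
                  "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
                  "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}
ENCRYPTION_METHODS = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
                      "A128GCM", "A192GCM", "A256GCM"}

SIGNATURE = "signature"    # top-level key of the signature block
ENCRYPTION = "encryption"  # top-level key of the encryption block


def _is_expression(value):
    # Assumption: attribute values are OpenIG expressions; anything written as
    # ${...} is resolved at runtime, so only literal strings are checked here.
    return isinstance(value, str) and value.startswith("${")


def _check_name(value, known, path, what, errors):
    """Reject a literal algorithm/method name that is not a registered JOSE name."""
    if value is None or _is_expression(value):
        return
    if not isinstance(value, str):
        errors.append(f"{path}: must be a string expression")
    elif value not in known:
        errors.append(f"{path}: unknown {what} {value!r}")


def _check_encryption_block(block, path, errors):
    """secretId, algorithm and method are all REQUIRED once the block is present."""
    if not isinstance(block, dict):
        errors.append(f"{path}: must be an object")
        return
    for key in ("secretId", "algorithm", "method"):
        if key not in block:
            errors.append(f"{path}.{key}: required")
    _check_name(block.get("algorithm"), JWE_ALGORITHMS, f"{path}.algorithm", "JWE algorithm", errors)
    _check_name(block.get("method"), ENCRYPTION_METHODS, f"{path}.method", "encryption method", errors)


def validate_jwt_config(config, signed_only=False):
    """Return (errors, warnings) for the "config" object of a JwtBuilderFilter.

    signed_only mirrors signedJwtFactory, which builds signed and signed then
    encrypted tokens only. Sign-then-encrypt is the "encryption" block nested
    under "signature", so a top-level "encryption" block is rejected in that mode.
    """
    errors, warnings = [], []
    signature = config.get(SIGNATURE)
    encryption = config.get(ENCRYPTION)

    if signature is None and encryption is None:
        warnings.append("neither signature nor encryption set: unsecured JWT (deprecated, not secure)")

    if signature is not None:
        if not isinstance(signature, dict):
            errors.append("signature: must be an object")
        else:
            if "secretId" not in signature:
                errors.append("signature.secretId: required")
            alg = signature.get("algorithm", "RS256")  # documented default
            if alg == "none":
                errors.append("signature.algorithm: 'none' produces an unsecured JWT")
            else:
                _check_name(alg, JWS_ALGORITHMS, "signature.algorithm", "JWS algorithm", errors)
            include_kid = signature.get("includeKeyId", True)  # documented default
            if not isinstance(include_kid, (bool, str)):
                errors.append("signature.includeKeyId: must be a boolean or expression")
            if ENCRYPTION in signature:
                _check_encryption_block(signature[ENCRYPTION], "signature.encryption", errors)
            if encryption is not None:
                warnings.append("signature and top-level encryption both set; the documented "
                                "sign-then-encrypt form nests encryption under signature")

    if encryption is not None:
        if signed_only:
            errors.append("encryption: signedJwtFactory accepts signed and signed then encrypted tokens only")
        _check_encryption_block(encryption, "encryption", errors)

    return errors, warnings


def validate_filter(filter_json, signed_only=False):
    """Validate a whole heap object declaration given as a JSON string."""
    obj = json.loads(filter_json)
    if obj.get("type") != "JwtBuilderFilter":
        return [f"type: expected JwtBuilderFilter, got {obj.get('type')!r}"], []
    return validate_jwt_config(obj.get("config", {}), signed_only)


if __name__ == "__main__":
    # Constructed inputs: the sign-then-encrypt declaration from this page, and a
    # broken copy that drops the required "method" and the signature "secretId".
    good = ('{"type": "JwtBuilderFilter", "config": {"signature": {"secretId": "my.signature.key", '
            '"algorithm": "HS256", "encryption": {"secretId": "my.encryption.key", '
            '"algorithm": "dir", "method": "A128CBC-HS256"}}}}')
    bad = ('{"type": "JwtBuilderFilter", "config": {"signature": {"algorithm": "HS256", '
           '"encryption": {"secretId": "my.encryption.key", "algorithm": "dir"}}}}')
    for name, doc in (("good", good), ("bad", bad)):
        print(name, validate_filter(doc))
```

Run it against a route file's JwtBuilderFilter objects before deployment; an empty error list means the declaration is well-formed under the rules on this page, and any warning points at a token that will be produced unsecured or at a layout the page does not document.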