To make user attributes available in a signed JSON Web Token (JWT) sent to the application in a header, create a JWT identity mapping.
Define the JWT issuer and signing configuration in the Configuring auth token management procedure.
When configuring identity mappings, you can use dot notation to maintain the structure of the session token. For example, if the session token contains the following entry:
```json
{
  "address": {
    "line1": "123 Any St",
    "line2": "Apt 123",
    "city": "Anytown",
    "state": "CO",
    "zip": "12345"
  }
}
```
You can define an identity mapping using the entries in the following table to maintain the structure of the target JWT.
| User attribute name | JWT claim name |
|---|---|
| address.line1 | address.line1 |
| address.line2 | address.line2 |
| address.city | address.city |
| address.state | address.state |
| address.zip | address.zip |
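The effect of the mapping table above, modelled in Python as an added illustration (not PingAccess code): each row reads a dotted user attribute from the session token and writes it to a dotted claim path, so the nested `address` object is rebuilt in the JWT. The helper names, the skipping of absent attributes, and the collision checks are assumptions of this sketch.

```python
# Added illustration: models dot-notation identity mapping; not PingAccess code.

def get_path(obj, dotted):
    """Resolve 'a.b.c' in nested dicts; return (found, value)."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur

def set_path(obj, dotted, value):
    """Write value at 'a.b.c', creating intermediate objects as needed."""
    *parents, leaf = dotted.split(".")
    cur = obj
    for part in parents:
        nxt = cur.setdefault(part, {})
        if not isinstance(nxt, dict):
            # A row already mapped a scalar to this name, so it cannot nest.
            raise ValueError(f"claim {dotted!r} collides with scalar claim {part!r}")
        cur = nxt
    if leaf in cur:
        raise ValueError(f"claim {dotted!r} collides with an existing claim")
    cur[leaf] = value

def build_claims(session_token, mapping):
    """mapping: list of (user attribute name, JWT claim name) rows."""
    claims = {}
    for attr, claim in mapping:
        found, value = get_path(session_token, attr)
        if found:  # assumption: an absent attribute produces no claim
            set_path(claims, claim, value)
    return claims

# Constructed sample: the session token entry and mapping table from this page.
SESSION = {"address": {"line1": "123 Any St", "line2": "Apt 123",
                       "city": "Anytown", "state": "CO", "zip": "12345"}}
MAPPING = [(f"address.{k}", f"address.{k}")
           for k in ("line1", "line2", "city", "state", "zip")]

if __name__ == "__main__":
    import json
    print(json.dumps(build_claims(SESSION, MAPPING), indent=2))
```

Running a mapping table through a check like this before deploying it surfaces rows whose claim names would overwrite or shadow each other in the payload the backend receives.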
PingAccess engines provide a JWKS (JSON Web Key Set) endpoint at /pa/authtoken/JWKS that backend sites can use to validate the signature of the JWT.