Handling signed JWTs - PingAuthorize - 9.3


Every access token handled by the JSON Web Token (JWT) access token validator must be cryptographically signed by the token issuer. The validator checks a token's signature with a public signing key obtained from the issuer.

Configure the JWT access token validator with the issuer's public signing key in one of the following ways:
  • Store the public key as a trusted certificate in PingAuthorize Server's local configuration using the signing-certificate property.

    The following example configures a JWT access token validator to use a locally stored public signing certificate to validate access token signatures. The signing certificate is assumed to have been obtained out of band and must be a PEM-encoded X.509v3 certificate.

    # Add the public signing certificate to the server configuration
    # (the "<" after the property name tells dsconfig to read the value from the file)
    dsconfig create-trusted-certificate \
      --certificate-name "JWT Signing Certificate" \
      --set "certificate</path/to/signing-certificate.pem"

    # Create the Access Token Validator
    dsconfig create-access-token-validator \
      --validator-name "JWT Access Token Validator" \
      --type jwt \
      --set enabled:true \
      --set allowed-signing-algorithm:RS256 \
      --set "signing-certificate:JWT Signing Certificate"

    # Match the token's subject (sub) claim to the uid attribute
    # of a SCIM resource
    dsconfig create-token-resource-lookup-method \
      --validator-name "JWT Access Token Validator" \
      --method-name "User by uid" \
      --type scim \
      --set scim-resource-type:Users \
      --set 'match-filter:uid eq "%sub%"' \
      --set evaluation-order-index:1000
  • Provide the issuer's JSON Web Key Set (JWKS) endpoint using the jwks-endpoint-path property. The JWT access token validator then retrieves the issuer's public keys when it initializes. This method ensures that the JWT access token validator uses updated copies of the issuer's public keys.

    The following example configures a JWT access token validator to retrieve public keys from a PingFederate authorization server's JWKS endpoint.

    # Change the host name and port below, as needed
    dsconfig create-external-server \
      --server-name "PingFederate External Server" \
      --type http \
      --set base-url:https://example.com:9031

    # Create the Access Token Validator
    dsconfig create-access-token-validator \
      --validator-name "JWT Access Token Validator" \
      --type jwt \
      --set enabled:true \
      --set allowed-signing-algorithm:RS256 \
      --set "authorization-server:PingFederate External Server" \
      --set jwks-endpoint-path:/ext/oauth/jwks

    # Match the token's subject (sub) claim to the uid attribute
    # of a SCIM resource
    dsconfig create-token-resource-lookup-method \
      --validator-name "JWT Access Token Validator" \
      --method-name "User by uid" \
      --type scim \
      --set scim-resource-type:Users \
      --set 'match-filter:uid eq "%sub%"' \
      --set evaluation-order-index:1000
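The Go program below is an added example and is not code from the PingAuthorize documentation or product. It models what a validator configured either of the two ways above does with an incoming token: the key is resolved from a PEM-encoded X.509 certificate (the signing-certificate option) or from the issuer's JWKS document by the kid in the token header (the jwks-endpoint-path option), the allowed-signing-algorithm pin is enforced before any key is consulted, the RS256 signature and exp claim are checked, and the sub claim is turned into the lookup filter uid eq "%sub%". The issuer (a fresh RSA key, a self-signed certificate, a JWKS with kid "k1" and the user "jdoe") is constructed inside the program so it runs offline; a real deployment fetches the JWKS over HTTPS instead of passing it in as bytes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// KeyFromPEMCert mirrors the signing-certificate option: the verification key is
// read from a locally stored PEM-encoded X.509 certificate.
func KeyFromPEMCert(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("certificate key is not RSA")
}

// KeyFromJWKS mirrors the jwks-endpoint-path option: the issuer's JWKS document
// (passed in as bytes here rather than fetched over HTTPS) is searched for the
// RSA key whose kid matches the token header.
func KeyFromJWKS(doc []byte, kid string) (*rsa.PublicKey, error) {
	var set struct {
		Keys []struct{ Kty, Kid, N, E string } `json:"keys"` // JSON names match case-insensitively
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// VerifyRS256 validates a compact JWT the way the validator above is configured:
// the alg pin (allowed-signing-algorithm:RS256) is enforced before any key lookup,
// the RSA signature must verify, and exp must still be in the future. On success
// it returns the claims and the SCIM lookup filter 'uid eq "%sub%"' built from sub.
func VerifyRS256(token string, resolve func(kid string) (*rsa.PublicKey, error), now time.Time) (map[string]any, string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, "", errors.New("token is not in compact JWS form")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, "", errors.New("malformed token header")
	}
	if hdr.Alg != "RS256" { // reject "none", HMAC and anything else before touching a key
		return nil, "", fmt.Errorf("alg %q is not allowed", hdr.Alg)
	}
	pub, err := resolve(hdr.Kid)
	if err != nil {
		return nil, "", err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, "", errors.New("signature verification failed")
	}
	body, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, "", errors.New("malformed claims")
	}
	if exp, ok := claims["exp"].(float64); !ok || float64(now.Unix()) >= exp {
		return nil, "", errors.New("token is expired or has no exp")
	}
	sub, ok := claims["sub"].(string)
	if !ok || sub == "" {
		return nil, "", errors.New("token has no sub claim")
	}
	return claims, fmt.Sprintf(`uid eq "%s"`, strings.ReplaceAll(sub, `"`, `\"`)), nil
}

// SignRS256 stands in for the issuer so the example runs offline.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// IssuerFixture is constructed test data: a fresh RSA key, a self-signed PEM
// certificate for it, and the matching JWKS document under the assumed kid "k1".
func IssuerFixture() (*rsa.PrivateKey, []byte, []byte) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-issuer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	jwks := fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":"k1","use":"sig","n":"%s","e":"%s"}]}`,
		b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	return priv, certPEM, []byte(jwks)
}

func main() {
	priv, certPEM, jwks := IssuerFixture()
	token := SignRS256(priv, "k1", map[string]any{"sub": "jdoe", "exp": time.Now().Add(time.Hour).Unix()})
	_, f1, e1 := VerifyRS256(token, func(string) (*rsa.PublicKey, error) { return KeyFromPEMCert(certPEM) }, time.Now())
	_, f2, e2 := VerifyRS256(token, func(kid string) (*rsa.PublicKey, error) { return KeyFromJWKS(jwks, kid) }, time.Now())
	fmt.Printf("signing-certificate: %q %v\njwks-endpoint-path: %q %v\n", f1, e1, f2, e2)
}
```

Both resolvers accept the same token and yield the filter uid eq "jdoe"; a token whose header names a different algorithm, whose kid is absent from the JWKS, whose signature was made with another key, or whose exp has passed is refused. The order matters: the algorithm pin is checked before the key is resolved, which is what allowed-signing-algorithm:RS256 in the dsconfig examples above buys you.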