Page created: 31 Aug 2020 | Page updated: 9 Feb 2021
Optionally, you can configure the JWT access token validator to accept encrypted access tokens. To do this, you must configure the access token validator with a private/public key pair and provide the public key to the token issuer.
allowed-signing-algorithm and allowed-encryption-algorithm properties.

- Create an encryption key pair.

  ```bash
  # Create an encryption key pair
  dsconfig create-key-pair \
    --pair-name "JWT Elliptic Curve Encryption Key Pair" \
    --set key-algorithm:EC_256
  ```
- Create the JWT access token validator.

  ```bash
  # Change the host name and port below, as needed
  dsconfig create-external-server \
    --server-name "PingFederate External Server" \
    --type http \
    --set base-url:https://example.com:9031

  # Create the Access Token Validator
  dsconfig create-access-token-validator \
    --validator-name "JWT Access Token Validator" \
    --type jwt \
    --set enabled:true \
    --set evaluation-order-index:1000 \
    --set allowed-signing-algorithm:ES256 \
    --set "authorization-server:PingFederate External Server" \
    --set jwks-endpoint-path:/ext/oauth/jwks \
    --set "encryption-key-pair:JWT Elliptic Curve Encryption Key Pair" \
    --set allowed-key-encryption-algorithm:ECDH_ES

  # Match the token's subject (sub) claim to the uid attribute
  # of a SCIM resource
  dsconfig create-token-resource-lookup-method \
    --validator-name "JWT Access Token Validator" \
    --method-name "User by uid" \
    --type scim \
    --set scim-resource-type:Users \
    --set 'match-filter:uid eq "%sub%"' \
    --set evaluation-order-index:1000
  ```
- Export the public encryption key from PingDataGovernance Server and provide it to your token issuer. The following command copies the key to a file.

  ```bash
  dsconfig get-key-pair-prop \
    --pair-name "JWT Elliptic Curve Encryption Key Pair" \
    --property certificate-chain \
    --no-prompt \
    --script-friendly > jwt-public-encryption-key.pem
  ```
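As an added troubleshooting example (not code from this page or from Ping Identity), the standard-library Python script below reads the unauthenticated protected header of a token the issuer produced and compares it with the validator configuration above: a 5-segment compact token is a JWE whose alg must match allowed-key-encryption-algorithm and whose payload must be a nested signed JWT, a 3-segment token is a plain JWS whose alg must match allowed-signing-algorithm. The mapping of the dsconfig enum values to JOSE names (ECDH_ES to "ECDH-ES") and the sample tokens are assumptions constructed for the example; nothing here verifies a signature or decrypts anything, that remains the validator's job.

```python
import base64
import json

# Allowed algorithms mirroring the dsconfig settings on this page. The JOSE
# names for the dsconfig enum values (ECDH_ES -> "ECDH-ES") are an assumption.
ALLOWED_KEY_ENCRYPTION_ALGS = {"ECDH-ES"}  # allowed-key-encryption-algorithm:ECDH_ES
ALLOWED_SIGNING_ALGS = {"ES256"}           # allowed-signing-algorithm:ES256

def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    """Compare a compact token's unauthenticated protected header with the
    validator's configuration. Troubleshooting only: nothing is verified."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        return {"kind": "invalid", "header": None,
                "problems": [f"{len(parts)} segments; expected 3 (JWS) or 5 (JWE)"]}
    header = json.loads(_b64url_decode(parts[0]))
    alg, problems = header.get("alg"), []
    if len(parts) == 5:  # JWE: alg is the key management algorithm
        kind = "JWE"
        if alg not in ALLOWED_KEY_ENCRYPTION_ALGS:
            problems.append(f"key encryption alg {alg!r} is not allowed")
        if str(alg).startswith("ECDH-ES") and "epk" not in header:
            problems.append("ECDH-ES header lacks the ephemeral public key (epk)")
        if str(header.get("cty")).upper() != "JWT":  # RFC 7519 section 5.2
            problems.append("cty is not JWT; the encrypted payload must be a signed JWT")
    else:  # JWS: alg is the signature algorithm
        kind = "JWS"
        if alg not in ALLOWED_SIGNING_ALGS:
            problems.append(f"signing alg {alg!r} is not allowed")
    return {"kind": kind, "header": header, "problems": problems}

def make_sample(header: dict, segments: int) -> str:
    """Constructed sample: a real header followed by opaque filler segments."""
    return ".".join([_b64url_encode(json.dumps(header).encode())]
                    + [_b64url_encode(b"filler")] * (segments - 1))

# Constructed samples, not tokens issued by PingFederate.
EPK = {"kty": "EC", "crv": "P-256", "x": "constructed", "y": "constructed"}
SAMPLE_NESTED_JWE = make_sample({"alg": "ECDH-ES", "enc": "A256GCM", "cty": "JWT", "epk": EPK}, 5)
SAMPLE_WRAPPED_JWE = make_sample({"alg": "ECDH-ES+A128KW", "enc": "A256GCM", "cty": "JWT", "epk": EPK}, 5)
SAMPLE_PLAIN_JWS = make_sample({"alg": "ES256", "typ": "JWT"}, 3)
```

Run `inspect_token()` on a token captured from the issuer to see at a glance whether it was encrypted with the expected key management algorithm before digging into the validator's logs.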