Page created: 17 Dec 2020 | Page updated: 1 Feb 2021
Optionally, you can configure the JWT access token validator to accept encrypted access tokens. To do this, you must configure the access token validator with a private/public key pair and provide the public key to the token issuer.
allowed-signing-algorithm and allowed-encryption-algorithm properties.

- Create an encryption key pair.
# Create an encryption key pair
dsconfig create-key-pair \
  --pair-name "JWT Elliptic Curve Encryption Key Pair" \
  --set key-algorithm:EC_256
- Create the JWT access token validator.
# Create an identity mapper that expects the token subject to be a uid
dsconfig create-identity-mapper \
  --mapper-name "User ID Identity Mapper" \
  --type exact-match \
  --set enabled:true \
  --set match-attribute:uid \
  --set match-base-dn:ou=people,dc=example,dc=com

# Change the host name and port below, as needed
dsconfig create-external-server \
  --server-name "PingFederate External Server" \
  --type http \
  --set base-url:https://example.com:9031

# Create the Access Token Validator
dsconfig create-access-token-validator \
  --validator-name "JWT Access Token Validator" \
  --type jwt \
  --set enabled:true \
  --set evaluation-order-index:1000 \
  --set allowed-signing-algorithm:ES256 \
  --set "authorization-server:PingFederate External Server" \
  --set jwks-endpoint-path:/ext/oauth/jwks \
  --set "encryption-key-pair:JWT Elliptic Curve Encryption Key Pair" \
  --set allowed-key-encryption-algorithm:ECDH_ES \
  --set "identity-mapper:User ID Identity Mapper"
- Export the public encryption key from PingDataGovernance Server and provide it to your token issuer. The following command copies the key to a file.

dsconfig get-key-pair-prop \
  --pair-name "JWT Elliptic Curve Encryption Key Pair" \
  --property certificate-chain \
  --no-prompt \
  --script-friendly > jwt-public-encryption-key.pem
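To make concrete what the configuration above asks the validator to do, here is an added example in Go (standard library only; it is not PingDataGovernance or PingFederate code) of the JWE profile the validator accepts: ECDH-ES direct key agreement, matching allowed-key-encryption-algorithm:ECDH_ES, against a P-256 key pair like the one created with dsconfig, with A256GCM as the content encryption algorithm (an assumption, since the page does not name one). encryptECDHES plays the token issuer, which holds only the exported public key; decryptECDHES plays the validator, which holds the private key and recovers the inner signed JWT (a constructed placeholder string here) that it then verifies against the issuer's ES256 JWKS before handing the subject to the identity mapper.

```go
package main
// Added example, not PingDataGovernance or PingFederate code: the JWE profile the validator above is
// configured for (alg ECDH-ES with a P-256 key pair, A256GCM content encryption), Go standard library only.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// contentAEAD derives the A256GCM key from the ECDH secret Z with the RFC 7518 section 4.6.2 Concat KDF:
// one SHA-256 round over counter || Z || AlgorithmID || PartyUInfo || PartyVInfo || keydatalen.
func contentAEAD(z []byte) cipher.AEAD {
	in := binary.BigEndian.AppendUint32(nil, 1) // round counter; one round yields the 256 bits needed
	in = append(in, z...)
	in = append(binary.BigEndian.AppendUint32(in, 7), "A256GCM"...) // AlgorithmID is the "enc" value
	in = append(in, 0, 0, 0, 0, 0, 0, 0, 0)                         // empty apu and apv: zero length each
	key := sha256.Sum256(binary.BigEndian.AppendUint32(in, 256))    // keydatalen in bits
	block, _ := aes.NewCipher(key[:]) // 32-byte key and AES block size: neither call can fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// encryptECDHES is the issuer's side: a fresh ephemeral key per token, direct key agreement (so the
// encrypted-key segment is empty) and the protected header bound as AAD.
func encryptECDHES(recipient *ecdh.PublicKey, plaintext []byte) (string, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	z, err := eph.ECDH(recipient)
	if err != nil {
		return "", err
	}
	pt := eph.PublicKey().Bytes() // uncompressed point: 0x04 || X || Y
	hdr, _ := json.Marshal(map[string]any{"alg": "ECDH-ES", "enc": "A256GCM", "epk": map[string]string{
		"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(pt[1:33]), "y": b64.EncodeToString(pt[33:])}})
	protected := b64.EncodeToString(hdr)
	aead := contentAEAD(z)
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, iv, plaintext, []byte(protected)) // ciphertext || 16-byte tag
	return strings.Join([]string{protected, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:len(sealed)-16]), b64.EncodeToString(sealed[len(sealed)-16:])}, "."), nil
}

// decryptECDHES is the validator's side: enforce the alg/enc allow-list, reject an epk that is not a
// point on P-256, then let GCM reject any change to the header, IV, ciphertext or tag.
func decryptECDHES(priv *ecdh.PrivateKey, jwe string) (string, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 || p[1] != "" {
		return "", errors.New("malformed JWE or unexpected encrypted-key segment")
	}
	var hdr struct {
		Alg, Enc string
		Epk      struct{ Crv, X, Y string }
	}
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil ||
		hdr.Alg != "ECDH-ES" || hdr.Enc != "A256GCM" || hdr.Epk.Crv != "P-256" {
		return "", errors.New("bad header, or alg/enc/crv not allowed by the validator configuration")
	}
	x, errX := b64.DecodeString(hdr.Epk.X)
	y, errY := b64.DecodeString(hdr.Epk.Y)
	if errX != nil || errY != nil {
		return "", errors.New("bad epk encoding")
	}
	epk, err := ecdh.P256().NewPublicKey(append(append([]byte{4}, x...), y...)) // rejects off-curve points
	if err != nil {
		return "", err
	}
	z, _ := priv.ECDH(epk) // both keys are P-256 here; a curve mismatch would surface as a GCM failure
	aead := contentAEAD(z)
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != aead.NonceSize() {
		return "", errors.New("bad IV, ciphertext or tag encoding")
	}
	plain, err := aead.Open(nil, iv, append(ct, tag...), []byte(p[0]))
	return string(plain), err
}

func main() {
	validator, _ := ecdh.P256().GenerateKey(rand.Reader)                       // stands in for the dsconfig key pair
	tok, _ := encryptECDHES(validator.PublicKey(), []byte("inner.signed.jwt")) // constructed placeholder for the signed JWT
	fmt.Println(decryptECDHES(validator, tok))                                // inner.signed.jwt <nil>
}
```

The split of roles mirrors the procedure on this page: only the certificate exported with get-key-pair-prop leaves PingDataGovernance Server, and the private half of "JWT Elliptic Curve Encryption Key Pair" is what makes decryptECDHES possible. The checks in decryptECDHES (alg and enc pinned to the configured values, the curve of epk checked, the point validated before ECDH, the protected header authenticated as AAD) are the ones a validator needs regardless of implementation. RFC 7518 Appendix C carries a Concat KDF test vector for checking contentAEAD against another JOSE library.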