Configure the JSON web token (JWT) access token validator to accept encrypted access tokens. You must configure the access token validator with a public and private key pair and provide the public key to the token issuer: the issuer encrypts each access token to that public key, and only a server holding the private key can decrypt it. The issuer's signature on the inner token is still verified against the issuer's signing keys.
The following example configures a JWT access token validator to handle access tokens signed and encrypted using elliptic curve algorithms. For RSA signing and encryption algorithms, the configuration is similar, but you choose different values for the allowed-signing-algorithm and allowed-key-encryption-algorithm properties (the same properties set in the validator command below). Whatever algorithms you choose, list only the ones the issuer actually uses; the validator accepts a token's algorithm only if it appears in these allowlists, so a token that merely claims a different algorithm in its header is rejected.
- Create an encryption key pair.

  # Create an encryption key pair (EC P-256, used for ECDH-ES key agreement)
  dsconfig create-key-pair \
    --pair-name "JWT Elliptic Curve Encryption Key Pair" \
    --set key-algorithm:EC_256
- Create the JWT access token validator.

  # Create an identity mapper that expects the token subject to be a uid
  dsconfig create-identity-mapper \
    --mapper-name "User ID Identity Mapper" \
    --type exact-match \
    --set enabled:true \
    --set match-attribute:uid \
    --set match-base-dn:ou=people,dc=example,dc=com

  # Change the host name and port below, as needed
  dsconfig create-external-server \
    --server-name "PingFederate External Server" \
    --type http \
    --set base-url:https://example.com:9031

  # Create the Access Token Validator. Signatures are verified against the
  # keys published at the issuer's JWKS endpoint; encrypted tokens are
  # decrypted with the private key of the key pair created above.
  dsconfig create-access-token-validator \
    --validator-name "JWT Access Token Validator" \
    --type jwt \
    --set enabled:true \
    --set evaluation-order-index:1000 \
    --set allowed-signing-algorithm:ES256 \
    --set "authorization-server:PingFederate External Server" \
    --set jwks-endpoint-path:/ext/oauth/jwks \
    --set "encryption-key-pair:JWT Elliptic Curve Encryption Key Pair" \
    --set allowed-key-encryption-algorithm:ECDH_ES \
    --set "identity-mapper:User ID Identity Mapper"
- Export the public encryption key from the PingDirectory server and provide it to your token issuer. The following command writes the key pair's certificate (which carries the public key; the private key never leaves the server) to a file.

  dsconfig get-key-pair-prop \
    --pair-name "JWT Elliptic Curve Encryption Key Pair" \
    --property certificate-chain \
    --no-prompt \
    --script-friendly > jwt-public-encryption-key.pem
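Once the issuer is configured with the exported key, it helps to confirm that the tokens it sends are actually encrypted and use the algorithms the validator allows. The following Python script is an added example, not PingDirectory code: it splits a compact-serialized token into its segments, classifies it as a JWS (three segments) or a JWE (five segments), and checks the protected header against the allowlists mirroring the validator's allowed-signing-algorithm and allowed-key-encryption-algorithm settings above. The JOSE header spells the key agreement algorithm ECDH-ES where the dsconfig value is ECDH_ES. The content-encryption allowlist and the sample tokens (assembled from dummy bytes, with no real keys, signatures or ciphertext) are assumptions made for the example.

```python
"""Check an OAuth access token's compact serialization against an
algorithm allowlist. Added example; not PingDirectory code.
Sample tokens are constructed inline with dummy segments."""
import base64
import json

# Allowlists mirroring the validator configuration on this page.
# The content-encryption set is an assumption (not set in the page's config).
ALLOWED_SIGNING = {"ES256"}
ALLOWED_KEY_ENCRYPTION = {"ECDH-ES"}        # dsconfig value: ECDH_ES
ALLOWED_CONTENT_ENCRYPTION = {"A256GCM", "A128CBC-HS256"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(header: dict, body_segments: int) -> str:
    """Assemble a compact serialization from a header plus dummy segments.
    Constructed test data only: 2 segments -> JWS shape, 4 -> JWE shape."""
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    parts += [b64url_encode(b"\x00" * 4) for _ in range(body_segments)]
    return ".".join(parts)


def parse_compact(token: str):
    """Return ('JWS', header) for 3 segments or ('JWE', header) for 5."""
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return kind, header


def check_token(token: str, require_encryption: bool = True):
    """Apply the allowlists to the protected header. Returns (ok, reason).
    The header is never trusted on its own: 'alg' must be in the server-side
    allowlist, so 'none' or an unexpected algorithm is rejected up front."""
    try:
        kind, hdr = parse_compact(token)
    except ValueError as exc:          # covers binascii and JSON errors too
        return False, f"malformed token: {exc}"
    alg = hdr.get("alg")
    if kind == "JWS":
        if require_encryption:
            return False, "token is signed but not encrypted"
        if alg not in ALLOWED_SIGNING:
            return False, f"signing algorithm {alg!r} not allowed"
        return True, f"JWS {alg}"
    enc = hdr.get("enc")
    if alg not in ALLOWED_KEY_ENCRYPTION:
        return False, f"key-encryption algorithm {alg!r} not allowed"
    if enc not in ALLOWED_CONTENT_ENCRYPTION:
        return False, f"content-encryption algorithm {enc!r} not allowed"
    return True, f"JWE {alg}/{enc}"


# Constructed samples: what the issuer should send, and three it should not.
ENCRYPTED_OK = make_token({"alg": "ECDH-ES", "enc": "A256GCM", "cty": "JWT"}, 4)
SIGNED_ONLY = make_token({"alg": "ES256", "typ": "JWT"}, 2)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, 2)
WRONG_KEY_ALG = make_token({"alg": "RSA-OAEP", "enc": "A256GCM"}, 4)

if __name__ == "__main__":
    for name, tok in [("encrypted", ENCRYPTED_OK), ("signed-only", SIGNED_ONLY),
                      ("unsigned", UNSIGNED), ("rsa-oaep", WRONG_KEY_ALG)]:
        print(name, check_token(tok))
```

For an encrypted token the inner signing algorithm (ES256) is only visible after decryption, so this check can confirm the outer JWE algorithms but not the signature; the validator performs both steps. To run it against a real token, paste the compact serialization in place of one of the constructed samples.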