Configuration
The ‘[jwt:<jct-id>]’ configuration stanza allows you to generate and
insert a signed JSON Web Token into a HTTP header of requests destined for the junctioned Web
server. A generated JWT is valid for the lifetime of the WebSEAL user session.
When configuring the JWT support the following information is required:
- The label of the key which will be used to sign the generated JWT. This key must exist within
the keyfile which is used for communication with the junctioned servers (defined by either the
‘
jct-cert-keyfile’ or ‘webseal-cert-keyfile’ configuration entries). The key identifier field (kid) in the JWT header contains this key label and identifies the key which should be used to verify the JWT; - The list of claims (or attributes) which should be added to the JWT. The claim can either be a
literal string or can be obtained from specified credential attributes. The following standard
claims will be automatically added to each generated JWT:
- nbf (not-before): This attribute is set to the current time, less 120 seconds.
- iat (issued-at): This attribute is set to the current time.
- exp (expiration-time): This attribute is set to the time at which the user session expires (lifetime).
- jti (jwt-id): This attribute will be set to a random UUID.
- The name of the HTTP header which contains the generated JWT.
An example configuration, for the ‘
/app’ junction would
be:#
# The JWT stanza is used to control the generation of JSON Web Tokens for the
# specified junction. The '{jct-id}' refers to the junction point for a
# standard junction (include the leading '/'), or the virtual host label for a
# virtual host junction.
#
[jwt:/app]
# The label associated with the server key which is used to sign the JWT. This
# key must exist in the key file which is used to secure junction communication
# (i.e. defined by the jct-cert-keyfile or webseal-cert-keyfile configuration
# entries).
key-label = jwt
# A claim which is to be added to the generated JWT. The format for each
# configuration entry is:
# [text|attr]:<value>{:<claim-name>}
#
# where:
# text : Used to indicate that literal text will be added as the claim. The
# text can be qualified with a 'type' (delimited by a dot). The
# valid types include: bool, string, int. If no type is specified
# the value will be added to the JWT as a string.
# attr : Used to indicate that the claim will be obtained from a credential
# attribute.
# <value> : The claim value, which will either be a literal string, or the
# name of a credential attribute. The '*' and '?' pattern
# matching characters can be used to match multiple attributes.
# Pattern matching characters will be ignored if the
# '<claim-name>' is specified. If the value is a literal string
# an array of values can be specified by surrounding the string with
# square brackets ([]). Each individual value should then be
# delimited by a comma (the comma can be escaped with a backslash
# character if a literal comma is required in the value). If the
# value is the name of an attribute an array will only be created
# if the attribute contains multiple values.
# <claim-name> : The name of the claim to be added to the JWT. Nested objects
# can be specified, separating the name of each object field
# with a . (dot). If the name of a field itself embeds a dot
# it should be escaped with a backslash character (e.g. \.)
# The configuration entry can be specified multiple times, once for each
# claim which should be added to the JWT.
#
# For example:
# claim = text::www.ibm.com::iss
# claim = attr::AZN_CRED_PRINCIPAL_NAME::sub
# claim = attr::AZN_*
claim = text::https://www.ibm.com::iss
claim = attr::AZN_CRED_PRINCIPAL_NAME::sub
claim = attr::AZN_CRED_GROUPS::groups
# The name of the HTTP header which will contain the generated JWT.
hdr-name = jwt
Refer to the ‘[jwt:<jct-id>]’ stanza in the stanza reference for further
details on configuring the JWT support. See [jwt:<jct-id>.