You can configure a WebSphere® Application Server to accept an inbound JSON Web Token (JWT) for authentication by using the same Trust Association Interceptor (TAI) as the OpenID Connect (OIDC) relying party. The OIDC TAI can be configured to locally validate or introspect JWTs.
Before you begin
Determine whether you want the OIDC TAI to locally validate your JWTs or introspect them.
If you want the TAI to locally validate the JWTs and not act as an OIDC relying party, follow the steps in this task.
However, if you want to introspect the JWTs or want your TAI to also act as an OIDC relying party, follow the steps in Configuring an OpenID Connect Relying Party first, then follow this task. After you complete Step 3 of this task, use the following information to determine the value for your provider_<id>.useJwtFromRequest property:
- If you want your TAI to also act as an OIDC relying party, set the provider_<id>.useJwtFromRequest property to ifPresent.
- If you always want to introspect your JWTs, set the provider_<id>.useJwtFromRequest property to no, or do not include the provider_<id>.useJwtFromRequest property in your configuration.
About this task
This task shows how to configure the OIDC TAI to authenticate with a JWT by using local validation only.
Procedure
- In the administrative console, click .
- Click to add an interceptor.
- Enter the com.ibm.ws.security.oidc.client.RelyingParty interceptor class name.
- Add custom properties for your environment. For a list of the properties, see OpenID Connect Relying Party Custom Properties.
  The following properties are required for JWT authentication:
  - provider_<id>.useJwtFromRequest (must be set to required)
  - provider_<id>.identifier
  - provider_<id>.issuerIdentifier
  One of the following properties must be configured to obtain the JWT signer certificate:
  - provider_<id>.jwkEndpointUrl
  - provider_<id>.signVerifyAlias
  One of the following properties must be configured to enable the OIDC TAI to intercept requests:
  - provider_<id>.interceptedPathFilter
  - provider_<id>.excludedPathFilter
  - provider_<id>.filter
  The following properties must be configured when the JWT is encrypted:
  - provider_<id>.keyStore
  - provider_<id>.decryptAlias
  - provider_<id>.decryptKeyPassword
  The following OIDC TAI properties are for use only with JWT authentication. They are optional, but you might want to use them in your configuration:
  - provider_<id>.tokenReuse
  - provider_<id>.audiences
- Click Apply and then click Save to save the configuration updates.
  Important: Do not click Save until after you click Apply, or the custom properties are discarded.
- Add the OpenID Connect Relying Party TAI class to com.ibm.websphere.security.InvokeTAIbeforeSSO.
  - Click and then click Custom properties.
  - Check the list for com.ibm.websphere.security.InvokeTAIbeforeSSO. If the com.ibm.ws.security.oidc.client.RelyingParty value does not exist, click New, and define the following custom property information:
    - Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
    - Value: com.ibm.ws.security.oidc.client.RelyingParty
  - If the com.ibm.websphere.security.InvokeTAIbeforeSSO value exists, add the OIDC relying party class to the value:
    - Click com.ibm.websphere.security.InvokeTAIbeforeSSO.
    - Add a comma to the end of the existing value.
    - Add com.ibm.ws.security.oidc.client.RelyingParty after the comma.
    - Click OK.
- Configure the trusted realms to include the JWT issuer.
  - Click .
  - In the User account repository section, click Configure.
  - In the Related Items section, click .
  - In the External realm name field, enter the issuer name that is used by the JWT.
  - Click OK.
- Optional: Add the issuer's public key to the truststore. You do not need to add the issuer's public key unless you set the signVerifyAlias property to a value.
  - In the administrative console, click . Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
  - Click Add.
  - Complete the certificate information. In the Alias field, type the alias name that you specified for the signVerifyAlias TAI custom property.
  - Click Apply.
- Restart the application server.
Results
The application server can now use inbound JSON Web Tokens for authentication.
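The following Python example is added here to show what the custom properties from the procedure mean at validation time; it is not IBM's code and not the TAI implementation. It assumes a provider id of 1 and, so that it runs offline, a constructed HS256 shared secret in place of the signer certificate that jwkEndpointUrl or signVerifyAlias would supply; the property names used are the ones the procedure lists.

```python
import base64, hashlib, hmac, json, time

# Constructed TAI-style configuration: the property names are the page's, the values are made up.
TAI_PROPS = {"provider_1.useJwtFromRequest": "required",
             "provider_1.issuerIdentifier": "https://issuer.example.com",
             "provider_1.audiences": "app1,app2",
             "provider_1.tokenReuse": "false"}
SIGNING_KEY = b"constructed-shared-secret"  # HS256 stand-in for the signer certificate or JWK
SEEN_JTI = set()  # replay cache consulted when tokenReuse is false

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims, key=SIGNING_KEY):  # builds a constructed HS256 token for offline testing
    head, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_jwt(auth_header, props=TAI_PROPS, key=SIGNING_KEY):
    """Local validation in the order a TAI should do it; returns (accepted, reason_or_subject)."""
    p, mode = "provider_1.", props["provider_1.useJwtFromRequest"]
    if not auth_header or not auth_header.startswith("Bearer "):
        # 'required' rejects a request with no JWT; 'ifPresent' hands it to the OIDC relying-party flow
        return False, "jwt-missing" if mode == "required" else "no-jwt-fall-through"
    try:
        head, body, sig = auth_header[len("Bearer "):].split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "alg-not-allowed"  # pin the algorithm; never honour the token's own choice
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return False, "bad-signature"  # no claim is trusted before this point
    if claims.get("iss") != props[p + "issuerIdentifier"]:
        return False, "bad-issuer"
    aud = claims.get("aud", [])
    if p + "audiences" in props and not set([aud] if isinstance(aud, str) else aud) & set(props[p + "audiences"].split(",")):
        return False, "bad-audience"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    if props.get(p + "tokenReuse", "false") == "false":  # each token id may be presented once
        jti = claims.get("jti")
        if jti is None or jti in SEEN_JTI:
            return False, "replayed"
        SEEN_JTI.add(jti)
    return True, claims.get("sub", "")
```

The issuer string compared against issuerIdentifier is the same value you enter as the External realm name in the trusted realms step.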