JWT Access Token
Overview
The JWT Access Token profile describes a way to encode access tokens as a JSON Web Token, including a set of standard claims that are useful in an access token. Because the token is signed by the OP, a resource server can validate a JWT access token directly, without contacting the authorization server.
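The local validation described above, as an added example that is not ISVAOP's code or any IBM library: a small Go program that stands in for both sides. newOP generates a PS256 signing key and publishes its public half as a one-entry JWKS under a key label, playing the role that signing_keylabel (jwtsigning) and the jwks node play in provider.yml further down; mintToken signs a JWT access token with the issuer configured there (https://isvaop.ibm.com); and verifyToken does what a resource server does on every request without calling the OP: pin the algorithm, select the key by kid, verify the signature, and only then check iss, aud and exp. The claim set, the at+jwt type header, the audience https://api.example.test and the subject are constructed for this example; fetching the JWKS over HTTPS and the JSON-array form of aud are left out for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims: the access-token claims checked here; "aud" is a single string for brevity
// (a production validator must also accept the JSON-array form).
type Claims struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	Aud      string `json:"aud"`
	ClientID string `json:"client_id"`
	Exp      int64  `json:"exp"`
}

// jwk is the minimal RSA entry a resource server reads from the OP's JWKS document.
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// PS256 is RSASSA-PSS with SHA-256 and a salt as long as the hash (RFC 7518).
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newOP stands in for the provider: a fresh signing key whose public half is published as a
// one-entry JWKS under the given key label (the role of signing_keylabel in provider.yml).
func newOP(kid string) (*rsa.PrivateKey, []jwk, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pub := jwk{Kid: kid, N: b64(priv.N.Bytes()), E: b64(big.NewInt(int64(priv.E)).Bytes())}
	return priv, []jwk{pub}, nil
}

// mintToken plays the token endpoint: serialise the claims and sign them with PS256.
func mintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "at+jwt", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	return signingInput + "." + b64(sig), err
}

// verifyToken plays the resource server: every check is local, nothing calls back to the OP.
func verifyToken(token string, keys []jwk, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err1 := dec(parts[0])
	bodyJSON, err2 := dec(parts[1])
	sig, err3 := dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"`; Kid string `json:"kid"` }
	// Pin the algorithm to what the OP is configured with; the token never gets to choose it.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "PS256" {
		return nil, fmt.Errorf("rejected header (alg=%q): %v", hdr.Alg, err)
	}
	var pub *rsa.PublicKey
	for _, k := range keys { // select the JWKS entry the header's kid names
		n, errN := dec(k.N)
		e, errE := dec(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no JWKS entry for kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c Claims // claims are read only once the signature holds
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != audience || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}
```

The order of checks is the point: algorithm and key selection come from the resource server's own configuration and JWKS, the signature is verified before any claim is read, and the issuer and audience checks stop a token minted for another API by the same OP from being accepted here.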
Prerequisites
- Set up ISVAOP
- Set up an application or relying party that supports authorization code flow
Configuring ISVAOP
Configuring provider.yml
- Under token_settings, set access_token_type to jwt.
```yaml
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
logging:
  level: debug
definition:
  id: 1
  name: OIDC Definition
  grant_types:
    - authorization_code
  base_url: https://isvaop.ibm.com:445/isvaop
  token_settings:                      # Token Settings
    issuer: https://isvaop.ibm.com     # OP's issuer URI.
    signing_alg: PS256                 # Signing algorithm for ID token generated.
    signing_keystore: isvaop_signing   # Signing keystore name.
    signing_keylabel: jwtsigning       # Signing key label.
    access_token_type: jwt             # Indicates the access token format.
server:
  ssl:
    key: ks:isvaop_keys/httpserverkey
    certificate: ks:isvaop_keys/httpservercert
  jwks:
    signing_keystore: isvaop_signing
secrets:
  obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
  enc_key: "@keys/private.pem"
```
- Read more about key management to be able to create a `jwtsigning` key to sign the id_token, and to create `https_keys` to configure the `server` node. The `secrets` node defines secret data which can be used to obfuscate or encrypt entries within the YAML configuration documents. Read more about generating the obf_key and enc_key in the document.
Configuring the static client
```yaml
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
client_id: client_jwt_accesstoken
client_secret: "OBF:U2FsdGVkX1989Y/UBwz1BNPbIkv0hgBTcoynJtlRt56hu3TGX+5Kdi4TJ6MLMYtO" # ahwoaor82noawasg is the secret in clear text.
client_name: "AuthorizationCode with JWT Access Token"
enabled: true
redirect_uris:
  - https://www.google.com
  - https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner
grant_types:
  - authorization_code
response_types:
  - code
token_endpoint_auth_method: client_secret_post
```