JWT Access Token


The JWT Access Token profile describes a way to encode access tokens as a JSON Web Token, including a set of standard claims that are useful in an access token. JWT Access Token can be validated by the resource server directly, without contacting the authorization server.


  • Set up ISVAOP
  • Set up an application or relying party that supports authorization code flow

Configuring ISVAOP

Configuring provider.yml

  • The token_settings indicate access_token_type as jwt.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
  level: debug
  id: 1
  name: OIDC Definition
    - authorization_code
  base_url: https://isvaop.ibm.com:445/isvaop
  token_settings:                                           # Token Settings
    issuer: https://isvaop.ibm.com                          # OP's issuer URI.
    signing_alg: PS256                                      # Signing algorithm for ID token generated.
    signing_keystore: isvaop_signing                        # Signing keystore name.
    signing_keylabel: jwtsigning                            # Signing key label.
    access_token_type: jwt                                  # Indicates the access token format.
    key: ks:isvaop_keys/httpserverkey
    certificate: ks:isvaop_keys/httpservercert
  signing_keystore: isvaop_signing
  obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
  enc_key: "@keys/private.pem"

  • Read more about key management to be able to create a jwtsigning key to sign the id_token, and to create https_keys to configure server node.
  • secrets node defines secret data which can be used to obfuscate or encrypt entries within the YAML configuration documents. Read more about geerating the obf_key and enc_key in the document.

Configuring the static client

# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
client_id: client_jwt_accesstoken
client_secret: "OBF:U2FsdGVkX1989Y/UBwz1BNPbIkv0hgBTcoynJtlRt56hu3TGX+5Kdi4TJ6MLMYtO" # ahwoaor82noawasg is the secret in clear text.
client_name: "AuthorizationCode with JWT Access Token"
enabled: true
  - https://www.google.com
  - https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner
  - authorization_code
  - code
token_endpoint_auth_method: client_secret_post