JWT Utility
JWT utility
Use this utility to issue JWT or validate JWT.
To use this utility, add this line at the beginning of your JavaScript:
importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient);
1. Issuing a JWT
To issue a JWT, call the following method:
var result = JwtUtility.issueJWT(settings, claims, headers);
| Name | Data type | Required | Description |
|---|---|---|---|
| settings | JwtIssuerSettings | Yes | Settings used to issue the JWT. |
| claims | JS map | Yes | JSON payload of the issued JWT. |
| headers | JS map | No | Extra JWT headers. |
| result | JwtIssuerResult | - | The operation result. |
1.1. JwtIssuerSettings
This class is a setting builder when a JWT is issued.
The following example shows how to create the JwtIssuerSettings object.
var settings = new JwtIssuerSettings()
.signAlgorithm("ES256")
.signUseAsymmetricKey("rt_signstore", "server")
.encryptAlgorithm("RSA-OAEP-256", "A256GCM")
.encryptUseAsymmetricKey("rt_encryptstore", "client01rsa")
.encryptUseCompression()
.setSubject("US2FQSHNFE")
.setIssuer("https://www.myidp.com")
.setAudience(["client01", "https://resource.com"])
.generateJTI()
.setLifetimeInSeconds(3600);
| Method | Description | Arguments |
|---|---|---|
| signAlgorithm(alg) | Set the signing algorithm | string. See: Supported Algorithms. |
| signUseAsymmetricKey(keystore, keylabel) | Set the keystore and label of the private key that is used for asymmetric signing. | string, string |
| signUseSymmetricKey(secret) | Set the secret used for symmetric signing. | string |
| encryptAlgorithm(alg, enc) | Set the key and content encryption algorithms. | string. See: Supported Algorithms |
| encryptUseAsymmetricKey(keystore, keylabel) | Set the keystore and label of the public key that is used for asymmetric encryption. If a jwks URI or document is provided, the public key is retrieved from there instead. | string, string |
| encryptUseSymmetricKey(secret, isOidcAes) | Set the secret that is used for symmetric encryption and whether to apply key processing defined by OIDC Core. | string, bool |
| encryptUseCompression() | Compress the payload before encryption operation. | |
| withJwksUri(jwks_uri) | Set jwks URI to retrieve public key for asymmetric encryption operation. | string |
| withJwksString(jwks_string) | Set jwks document to retrieve public key for asymmetric encryption operation. | string |
| setSubject(subject) | Set the sub claim with this subject only if sub claim not yet exists. | string |
| setIssuer(issuer) | Set the iss claim with this issuer only if iss claim not yet exists. | string |
| setAudience(audience) | Set the aud claim with this audience only if aud claim not yet exists. | string or slice |
| setLifetimeInSeconds(lifetime) | When the lifetime is provided, generate the iat and exp claims, if such claims do not yet exist. | integer |
| generateJTI() | Generate jti claim if it does not exist yet. |
1.2. JwtIssuerResult
This class represents the response from JWT issuer.
| Return Type | Method | Description |
|---|---|---|
| Boolean | hasError() | Check whether the processing detected any error. |
| string | getError() | Retrieve the error returned |
| string | getJwt() | Retrieve the jwt issued when the operation is successful |
2. Validating a JWT
To validate a JWT, call this method:
var result = JwtUtility.validateJWT(settings, jwt);
| Name | Data type | Required | Description |
|---|---|---|---|
| settings | JwtValidatorSettings | Yes | Settings used to validate the JWT. |
| jwt | string | Yes | JWT to be validated. |
| result | JwtValidationResult | - | The operation result. |
2.1. JwtValidatorSettings
This class is a settings' builder when a JWT is validated.
The following example shows how to create the JwtValidatorSettings object:
var settings = new JwtValidatorSettings()
.verifyUseAsymmetricKeyStore("rt_signstore", false)
.verifyUseSymmetricKey("secret")
.decryptUseAsymmetricKeyStore("rt_encryptstore")
.decryptUseSymmetricKey("secret", true)
.withJwksUri("https://some.org/jwks");
| Method | Description | Arguments |
|---|---|---|
| verifyAlgorithm(alg) | Set the expected signing algorithm. This method is optional, since this information can be read from alg header. | string. See: Supported Algorithms |
| verifyUseAsymmetricKeyStore(keystore, opSigned) | Set the keystore used for asymmetric signing validation when jwks information does not exist. When opSigned is true, it means that the JWS was signed by this OP, so the public key is extracted from a personal key. | string, Boolean |
| verifyUseAsymmetricKeyLabel(keylabel) | Set the key label used for asymmetric signing validation. This method is optional, since this information can be read from kid header. | string |
| verifyUseSymmetricKey(secret) | Set the secret used for symmetric signing validation. | string |
| decryptAlgorithm(alg, enc) | Set the expected key and content encryption algorithms. This method is optional, since this information can be read from alg and enc header. | string, string. See Supported Algorithms. |
| decryptUseAsymmetricKeyStore(keystore) | Set the keystore used for asymmetric decryption. | string |
| decryptUseAsymmetricKeyLabel(keylabel) | Set the key label used for asymmetric decryption. This method is optional, since this information can be read from kid header. | string |
| decryptUseSymmetricKey(secret, isOidcAes) | Set the secret that is used for symmetric decryption and whether to apply key processing that is defined by OIDC Core applies | string, Boolean |
| withJwksUri(jwks_uri) | Set jwks URI to retrieve public key for asymmetric signing validation. | string |
| withJwksString(jwks_string) | Set jwks document to retrieve public key for asymmetric signing validation. | string |
2.2. JwtValidationResult
This class represents the response from JWT validator and offer methods that can be used to validate claims in the JWT.
| Return Type | Method | Description | Arguments |
|---|---|---|---|
| Boolean | isSigned() | Check whether the JWT was signed. | |
| Boolean | isSignedUsingAlg(allowedAlgs) | Compare the algorithm that is used for signing against allowed algorithms. | string or slice |
| Boolean | isSignedUsingKid(allowedKids) | Compare the key ID that is used for signing against allowed labels. | string or slice |
| JS map | getJWSExtraHeaders() | Return other JWS headers for further validation | |
| Boolean | isEncrypted() | Check whether the JWT was encrypted. | |
| Boolean | isEncryptedUsingAlg(allowedAlgs) | Compare the algorithm that is used for key encryption against allowed algorithms. | string or slice |
| Boolean | isEncryptedUsingEnc(allowedAlgs) | Compare the algorithm that is used for content encryption against allowed algorithms. | string or slice |
| Boolean | isEncryptedUsingKid(allowedKids) | Compare the key ID that is used for encryption against allowed labels. | string or slice |
| JS map | getJWEExtraHeaders() | Return other JWE headers for further validation | |
| Boolean | hasSubject(expectedSubject) | Compare the sub claim with expected subject. | string |
| Boolean | hasIssuer(expectedIssuer) | Compare the iss claim with expected issuer. | string |
| Boolean | hasAudience(expectedAudience) | Compare the aud claim with expected audiences. | string or slice |
| Boolean | hasUniqueJwtID(jwtType) | Check whether the jti claim is unique under certain JWT type. See: Jwt Types | integer |
| Boolean | hasValidExpiry(lifeTimeTolerance, timeSkew, required) | Check validity of the exp claim. The exp claim must be in the future, but cannot be too far in the future. | integer, integer, Boolean |
| Boolean | hasValidIssuedAt(lifeTimeTolerance, timeSkew, required) | Check validity of the iat claim. The iat claim must be in the past, but cannot be too far in the past. | integer, integer, Boolean |
| Boolean | hasValidNotBefore(timeSkew, required) | Check validity of the nbf claim. The nbf claim must be in the past. | integer, Boolean |
| Boolean | hasError() | Check whether the processing detected any error | |
| string | getError() | Retrieve the error returned |
2.3. JWT types
The system currently uses the following Jwt types. For custom type, use value 10 and higher.
| Type | Value |
|---|---|
| Client authentication | 1 |
| JWT bearer token | 2 |
| Request object | 3 |
| JWT access token | 4 |
3. Supported algorithms
| Purpose | Supported Values |
|---|---|
| Signing | ES256, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512 |
| Key Encryption | dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |
| Content Encryption | A128GCM, A192GCM, A256GCM, A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
Updated about 2 years ago