JWKS signature verifier settings for authentication flows

With the introduction of OAuth and OpenID Connect, bearer tokens that carry a user's authenticated identity have become common, also outside OAuth and OpenID Connect use cases.

To validate such bearer tokens, the relying party needs the public keys of the token issuer. To give the issuer flexibility in key management, many token issuers now publish their key material as a JWKS (JSON Web Key Set) that can be downloaded from a dedicated URL at the token issuer. If the token signature verifies against one of the keys in the JWKS, the token validation is considered successful.

If the token issuer provides a JWKS endpoint, Airlock IAM can be configured to use it in a regular authentication flow or in one-shot authentication.

Configuring JWKS in an authentication flow

  1. Go to:
    Loginapp >> Applications and Authentication >> Default Application >> Authentication Flow
  2. In property Steps, create and edit an SSO Ticket Authentication plugin.
  3. In property Ticket Decoder, create and edit a JWT Ticket Decoder plugin.
  4. In property Signature Verifier, create and edit a JWKS Ticket Verifier Setting plugin.
  5. In property JWKS URL, enter the URL of the token issuer's JWKS endpoint.
  6. In property HTTP Client, create and edit an HTTP Client Config plugin. Set the plugin values as required.
  7. The SSO Ticket Authentication step then verifies the ticket signature with the keys fetched from the JWKS endpoint configured in the JWKS Ticket Verifier Setting plugin.
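What a verifier does with the keys from a JWKS endpoint, shown as an added Go example that is not Airlock IAM code and says nothing about how Airlock implements the SSO Ticket Authentication step: the JWKS document is built inline (standing in for the one downloaded from the JWKS URL), a small test issuer signs an RS256 token, and VerifyJWT selects the key by the token's kid header, pins the algorithm to RS256, verifies the signature over the encoded header and payload, and rejects tokens whose exp claim has passed. The key id, the claim values and the helper names (keyForKid, jwksFor, signRS256) are the example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk and jwks mirror the RSA members of the {"keys": [...]} document served at a JWKS URL;
// encoding/json matches the lowercase member names to these fields case-insensitively.
type jwk struct{ Kty, Kid, N, E string }
type jwks struct{ Keys []jwk }
var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding

// keyForKid selects the JWKS entry whose kid matches and rebuilds its RSA public key.
func keyForKid(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kid != kid {
			continue
		}
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		e := new(big.Int).SetBytes(eb)
		if k.Kty != "RSA" || errN != nil || errE != nil || !e.IsInt64() || e.Int64() < 3 {
			return nil, fmt.Errorf("key %q is not a well-formed RSA JWK", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}, nil
	}
	return nil, fmt.Errorf("no key with kid %q in JWKS", kid)
}

// VerifyJWT checks a compact JWS against the key set: alg pinned to RS256, kid selects the key, the signature must verify, exp must lie in the future at time now.
func VerifyJWT(token string, set jwks, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part compact JWS")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr map[string]any
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// The verifier fixes the algorithm; the token does not get to pick "none" or an HMAC alg.
	if alg, _ := hdr["alg"].(string); alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", alg)
	}
	kid, _ := hdr["kid"].(string)
	key, err := keyForKid(set, kid)
	if err != nil {
		return nil, err
	}
	// The signature covers the encoded header and payload exactly as transmitted.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || float64(now.Unix()) >= exp {
		return nil, fmt.Errorf("exp claim missing or token expired")
	}
	return claims, nil
}

// jwksFor and signRS256 play the token issuer so the example runs offline (constructed, not Airlock IAM code).
func jwksFor(pub *rsa.PublicKey, kid string) jwks {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // error ignored: test issuer only
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok := signRS256(priv, "kid-2024-01", map[string]any{"sub": "alice", "exp": time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(VerifyJWT(tok, jwksFor(&priv.PublicKey, "kid-2024-01"), time.Now())) // the JWKS stands in for the fetched document
}
```

Run it with go run; VerifyJWT returns the claims for a valid token and an error for an unknown kid, a token signed by a key other than the published one, an expired token, or any alg other than RS256. A matching signature from a JWKS key is the necessary first check; a production verifier also checks the iss and aud claims and caches the JWKS with a refresh policy so that key rotation at the issuer is picked up without a restart.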

Further information and links