JWKS signature verifier settings for one-shot authenticator

With the introduction of OAuth and OpenID Connect, the use of bearer tokens to carry the authenticity of a user has become quite common, also outside the OAuth/OpenID Connect use cases themselves.

To validate such bearer tokens, the relying party must have access to the public keys of the token issuer. To allow for flexible key management on the issuer side, many token issuers now publish their key material as a JWKS (JSON Web Key Set) that can be downloaded from a specific URL at the token issuer. If the token signature validates correctly with one of the keys in the JWKS, the validation of the token is considered successful.

If the token issuer supports a JWKS endpoint, Airlock IAM can be configured to use this during a regular authentication flow or during one-shot authentication.

Configuring JWKS for one-shot authentication

  1. Go to:
  2. In property One-Shot Authentication, create and edit a One-Shot Authentication Settings plugin.
  3. In property Default Target Application/Service, create and edit a Target Application/Service plugin.
  4. In property Authenticator, create an SSO Credential Authenticator plugin.
  5. In property Credential Extractor, create and edit an HTTP Header Token Extractor (as SSO Credential) plugin.
  6. Set property Header Name to the name of the header that carries the JWT, e.g., Authorization.
  7. In property Decoder, create and edit a JWT Ticket Decoder plugin.
  8. Set property Username Ticket Key and any other configuration that applies to the use case.
  9. In property Signature Verifier, create and edit a JWKS Ticket Verifier Settings plugin.
  10. Set property JWKS URL to the JWKS retrieval URL, e.g., https://login.microsoftonline.com/common/discovery/v2.0/keys.
  11. In property HTTP Client, create and configure an HTTP Client Config plugin.
  12. The SSO Credential Authenticator will use the results from the HTTP Header Token Extractor (as SSO Credential) plugin. With successful extraction and signature validation, SSO credential authentication is also successful.
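As an added illustration (not Airlock IAM's own code, which performs these steps internally), the following Go program shows what the JWKS Ticket Verifier Settings plugin does conceptually: the issuer publishes an RSA public key in a JWKS document, the token carries that key's kid in its header, and the relying party selects the matching key, fixes the expected algorithm and verifies the signature before it trusts any claim in the payload. The function names, the key id issuer-key-1 and the claims are constructed for this example; a real deployment downloads the JWKS document from the JWKS URL through the configured HTTP client instead of building it in-process as newIssuer does here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk holds the members of an RSA public key as published in a JWKS.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// jwks is the document served at the issuer's JWKS URL.
type jwks struct {
	Keys []jwk `json:"keys"`
}

var enc = base64.RawURLEncoding

// newIssuer stands in for a token issuer (constructed, not a real IdP): it generates a
// signing key and the JWKS document a real issuer would serve at its JWKS URL.
func newIssuer(kid string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	doc, err := json.Marshal(jwks{Keys: []jwk{{Kty: "RSA", Kid: kid,
		N: enc.EncodeToString(priv.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return priv, doc, err
}

// signRS256 produces a compact JWT (header.payload.signature) signed with RS256; the
// header names the signing key by "kid" so the verifier can find it in the JWKS.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// lookupKey selects the RSA JWK whose "kid" matches and converts it to an rsa.PublicKey.
func lookupKey(jwksDoc []byte, kid string) (*rsa.PublicKey, error) {
	var set jwks
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == kid {
			n, errN := enc.DecodeString(k.N)
			e, errE := enc.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed JWK %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// verifyWithJWKS is the relying-party side: fix the algorithm, select the key by "kid",
// and verify the signature before any claim in the payload is trusted.
func verifyWithJWKS(token string, jwksDoc []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part compact JWS")
	}
	rawHeader, errH := enc.DecodeString(parts[0])
	rawPayload, errP := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	// The verifier, not the token, decides the algorithm: "none" or an HMAC alg is rejected.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	pub, err := lookupKey(jwksDoc, header.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(rawPayload, &claims)
}
```

Two details mirror what a verifier built on a JWKS must get right: the expected algorithm is fixed by the relying party rather than read from the token, and a token whose kid is not present in the set, or whose signature does not verify with the selected key, is rejected outright. Because the JWKS is what makes issuer-side key rotation possible, a production verifier refreshes the document from the JWKS URL when it meets an unknown kid instead of failing permanently, which is the role the HTTP Client Config plugin plays in the configuration above.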