JWKS signature verifier settings for authentication flows

With the introduction of OAuth and OpenID Connect, the usage of bearer tokens to transport the authenticity of a user has become quite common also outside the OAuth/OpenID Connect use cases.

To validate such bearer tokens, the relying party must have access to the public keys of the token issuer. To allow for flexible key management by the token issuer, many token issuers will now provide their key material in the form of a JWKS (JSON Web Key Set) that can be downloaded from a specific URL at the token issuer. If the token signature can be validated correctly with one of the keys of the JWKS, the validation of the token is considered successful.

If the token issuer supports a JWKS endpoint, Airlock IAM can be configured to use this during a regular authentication flow or during one-shot authentication.

1. Go to:
   Loginapp >> Applications and Authentication >> Default Application >> Authentication Flow
2. In property Steps, create and edit an SSO Ticket Authentication plugin.
3. In property Ticket Decoder, create and edit JWT Ticket Decoder plugin.
4. In property Signature Verifier, create and edit a JWKS Ticket Verifier Setting plugin.
5. Edit the property JWKS URL string.
6. In property HTTP Client, create and edit an HTTP Client Config plugin. Set plugin values as required.
7. The SSO Ticket Authentication Step will verify the signature on the ticket with keys from the JWKS endpoint configured in the JWKS Ticket Verifier Setting plugin.

• See JWKS signature verifier settings for one-shot authenticator for more information on how to use JWKS during one-shot authentication.
• See SSO ticket authentication in the Loginapp REST API for more information on how to use SSO tickets in authentication flows.
• See Configuration of Airlock IAM as OAuth Client / OIDC Relying Party (RP) for more information on using OIDC discovery to determine the JWKS endpoint of an authorization server in a setup where Airlock IAM is configured as an OIDC client.