jwt-generate
Use the Generate JWT security policy in IBM® API Connect to generate a JSON Web Token (JWT).
Gateway support
Gateway | Policy version |
---|---|
DataPower® Gateway (v5 compatible) | 1.0.0 |
DataPower API Gateway | 2.1.0 |
This topic describes how to configure the policy in your OpenAPI source; for details on how to configure the policy in the assembly user interface, see Generate JWT.
Note:
- For algorithm types HS256, HS384, and HS512 the cryptographic objects referenced must be a Shared Secret Key.
- For algorithm types RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512 the cryptographic objects referenced must be a Crypto Key (private key).
- The cryptographic material can be provided through a JSON Web Key (JWK).
- If both a cryptographic object and a JWK are specified, the cryptographic object is used to sign the JWT.
About
The jwt-generate policy has the
following structure:
- jwt-generate:
version: version
title: title
description: description
jwt: json_web_token
jti-claim: jwt_id_claim
iss-claim: issuer_claim
exp-claim: validity_period
sub-claim: subject_claim
aud-claim: audience_claim
jws-jwk: sign_jwk_variable_name
jws-alg: cryptographic_algorithm
jws-crypto: sign_crypto_object
custom-kid-value-jws: jws.kid
jwe-enc: encryption_algorithm
jwe-jwk: encrypt_jwk_variable_name
jwe-alg: key_encryption_algorithm
jwe-crypto: encrypt_crypto_object
custom-kid-value-jwe: jwe.kid
Properties
The following table describes the policy properties:Property | Required | Description | Data type |
---|---|---|---|
version | Yes | The policy version number | string |
title | No | The title of the policy. | string |
description | No | A description of the policy. | string |
jwt | No | Runtime variable in which to place the JWT that is generated. The default value is: |
string |
jti-claim | No | Indicates whether a JWT ID (jti) claim should be added to the JWT. If selected, the property is set to |
boolean |
iss-claim | Yes | Runtime variable from which the Issuer (iss) claim string can be retrieved. This claim represents the Principal that issued the JWT. The default value is: |
string |
sub-claim | No | Runtime variable from which the Subject (sub) claim string can be retrieved. | string |
aud-claim | No | Runtime variable from which the Audience (aud) claim string can be retrieved. Multiple variables are set by using a comma-separated string. | string |
exp-claim | Yes | The length of time (in seconds), that is added to the current date and time, in which the JWT is considered valid. The default value is |
integer |
private-claims | No | Runtime variable from which a valid set of JSON claims can be retrieved. These claims are added to any set of claims specified previously. | string |
jws-jwk | No | Runtime variable that contains the JWK that is used to sign the JWT. A JWK and a Crypto Object are both valid ways of providing the cryptographic data necessary to sign the JWT. However, if both data types are specified, only the Crypto Object is used. | string |
jws-alg | No | The cryptographic algorithm to use. Valid values are:
|
string |
jws-crypto | No | The cryptographic object to use to sign the JWT. A JWK and a Crypto Object are both valid ways of providing the cryptographic data necessary to sign the JWT. However, if both data types are specified, only the Crypto Object is used. | string |
custom-kid-value-jws | No | The customized kid value for JWT signing. |
string |
jwe-enc | No | The encryption algorithm to use. Valid values are:
|
string |
jwe-jwk | No | Runtime variable that contains the JWK to use to encrypt the JWT. | string |
jwe-alg | No | The key encryption algorithm to use. Valid values are:
|
string |
jwe-crypto | No | The cryptographic object to use to encrypt the claim. | string |
custom-kid-value-jwe | No | The customized kid value for JWT encryption. |
string |
Example
The following is an example of a jwt-generate
policy:
- jwt-generate:
version: 2.1.0
title: jwt-generate
description: New jwt-generate v2.1.0 policy.
jwt: generated.jwt
jti-claim: true
iss-claim: iss.claim
sub-claim: sub.claim
aud-claim: aud.claim
exp-claim: 3600
private-claims: private.claims
jws-jwk: jws.jwk
jws-alg: HS256
jws-crypto: jwsCryptoObjectName
custom-kid-value-jws: jws.kid
jwe-enc: A128CBC-HS256
jwe-jwk: jwe.jwk
jwe-alg: RSA1_5
jwe-crypto: jweCryptoObjectName
custom-kid-value-jwe: jwe.kid
For more information about how to use a jwt-generate security policy, see Generate JWT in the built-in policies section.