STS Chains

Three STS chains are required to achieve conformance. The STS chain JSON is included in the compressed file.

Userinfo as JWT

This chain generates the userinfo response as a signed JWT. It is called from the post_token mapping rule.

The appliesto attribute must match urn:appliesTo.

The issuer must match urn:issuer.

The signing algorithm property for the JWT module can be set to RS256.

Request JWT (JWT to STSUU)

This STS chain is used to handle request and request_uri parameters. Parameters can be sent to the /authorize endpoint via a JWT or via a URL that contains the JWT.

The appliesto attribute must match https://localhost/sps/oauth/oauth20.

The issuer must match REGEXP:(urn:ibm:ITFIM:oauth20:client_request:.*).

See Passing parameters through JWT in a request to /authorize.

Client Authentication (JWT to STSUU)

This STS chain is used to handle Client Authentication using a JWT.

The appliesto must match https://localhost/sps/oauth/oauth20.

The issuer must match REGEXP:(urn:ietf:params:oauth:client-assertion-type:jwt-bearer:.*).

See Client authentication to /token through an incoming JSON Web Token.
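As an added illustration (not IBM's code or the chain JSON from the compressed file), the following models how an incoming STS request is routed to one of the three chains above by its appliesTo and issuer values. It assumes that a value carrying the REGEXP: prefix is treated as a full-match regular expression and that a request must satisfy both attributes of a chain; the client identifiers used as sample issuer suffixes are constructed.

```python
import re

# Added example, not the product's own code. Each tuple is
# (chain name, required appliesTo, required issuer), copied from the page.
REGEXP_PREFIX = "REGEXP:"

CHAINS = [
    ("Userinfo as JWT", "urn:appliesTo", "urn:issuer"),
    ("Request JWT (JWT to STSUU)",
     "https://localhost/sps/oauth/oauth20",
     "REGEXP:(urn:ibm:ITFIM:oauth20:client_request:.*)"),
    ("Client Authentication (JWT to STSUU)",
     "https://localhost/sps/oauth/oauth20",
     "REGEXP:(urn:ietf:params:oauth:client-assertion-type:jwt-bearer:.*)"),
]


def matches(pattern, value):
    """Exact comparison, or a full regular-expression match when the
    pattern carries the REGEXP: prefix (full match is an assumption here)."""
    if pattern.startswith(REGEXP_PREFIX):
        return re.fullmatch(pattern[len(REGEXP_PREFIX):], value) is not None
    return pattern == value


def select_chain(applies_to, issuer):
    """Return the name of the chain that handles the request, or None.

    Both attributes must match the same chain. A request with the expected
    appliesTo but an unexpected issuer is rejected rather than being
    handed to whichever chain happens to share the appliesTo value.
    """
    for name, chain_applies_to, chain_issuer in CHAINS:
        if matches(chain_applies_to, applies_to) and matches(chain_issuer, issuer):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a client assertion for a hypothetical client id.
    print(select_chain("https://localhost/sps/oauth/oauth20",
                       "urn:ietf:params:oauth:client-assertion-type:jwt-bearer:example-client"))
```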