JWT support
IBM® Verify Identity Access supports JSON Web Tokens (JWT) through the Security Token Service (STS), which exposes a JWT module.
This module can be run in the following two modes:
- Validate: consume a JWT.
- Issue: create a JWT.
Both modes support signing, encryption, and some basic validation or population of claims.
Verify Identity Access supports consuming a nested JWT, which is identified by the header
parameter "cty":"JWT". This support applies only when the JWT is signed first and then
encrypted (a JWS wrapped inside a JWE), which is the order that RFC 7519 section 11.2 recommends.
The JWT module supports the following JSON Web Algorithms. The first table lists signature algorithms (the JWS "alg" header), the second lists key management algorithms (the JWE "alg" header), and the third lists content encryption algorithms (the JWE "enc" header).
| Algorithm | Uses symmetric key | Uses certificates | Required key size | Suggested key size |
|---|---|---|---|---|
| HS256 | Yes | No | 256 bits | |
| RS256 | No | Yes | At least 2048 bits | |
| ES256 | No | Yes | 256 bits | |
| HS384 | Yes | No | 384 bits | |
| RS384 | No | Yes | At least 2048 bits | |
| ES384 | No | Yes | 384 bits | |
| HS512 | Yes | No | 512 bits | |
| RS512 | No | Yes | At least 2048 bits | |
| ES512 | No | Yes | 512 bits | |
| PS256 | No | Yes | 2048 bits | |
| PS384 | No | Yes | 2048 bits | |
| PS512 | No | Yes | 2048 bits | |
Note: A required key size indicates that an error occurs if a key of at least that size is not
supplied. A suggested key size indicates the minimum value to achieve a reasonable level of
security. The ES algorithms are defined over the NIST curves P-256, P-384 and P-521
(RFC 7518 section 3.4), so the EC key used with ES512 is a 521-bit P-521 key.
| Algorithm | Uses symmetric key | Uses certificates | Required key size |
|---|---|---|---|
| RSA-OAEP | No | Yes | At least 2048 bits |
| RSA-OAEP-256 | No | Yes | At least 2048 bits |
| A128KW | Yes | No | 128 bits |
| A192KW | Yes | No | 192 bits |
| A256KW | Yes | No | 256 bits |
| A128GCMKW | Yes | No | 128 bits |
| A192GCMKW | Yes | No | 192 bits |
| A256GCMKW | Yes | No | 256 bits |
| dir | Yes | No | The key size that is required by the encryption algorithm (one of 128, 192, or 256 bits) |
| ECDH-ES | No | Yes | |
| ECDH-ES+A128KW | No | Yes | |
| ECDH-ES+A192KW | No | Yes | |
| ECDH-ES+A256KW | No | Yes | |
Note: A required key size indicates that an error occurs if a key of at least that size is not
supplied.
| Algorithm | Uses symmetric key | Required key size |
|---|---|---|
| A128GCM | Yes | 128 bits |
| A192GCM | Yes | 192 bits |
| A256GCM | Yes | 256 bits |
| A128CBC-HS256 | Yes | 256 bits |
| A192CBC-HS384 | Yes | 384 bits |
| A256CBC-HS512 | Yes | 512 bits |
Note:
- A required key size indicates that an error occurs if a key of that size is not supplied.
- In most cases the Content Encryption Key (CEK) is generated for you. When the key management algorithm is "dir", the key that you supply is used directly as the CEK, so you must know the CEK size that the content encryption algorithm requires and supply a key of exactly that size.
- Each character of the "symmetricKey" field is 8 bits. For a 128-bit key you must supply a 16-character value; for a 256-bit key, a 32-character value.
The algorithms listed above are defined in the JSON Web Algorithms (JWA) specification, RFC 7518: https://tools.ietf.org/html/rfc7518.
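The following Python example, added here and not part of the product or of the original page, illustrates the rules described above with a minimal standard-library implementation of the two modes for the HMAC algorithms: Issue builds and signs a token, Validate checks structure, pins the permitted "alg", rejects a bare signed token that carries "cty":"JWT" (the signed-but-not-encrypted nesting the page says is not supported), verifies the signature and performs basic claim checks. It also enforces the "required key size" rule (too short a key is an error, with one character counted as 8 bits) and computes the symmetricKey length needed for "dir" from the CEK sizes in the last table. Names such as issue_jwt, validate_jwt and dir_key_chars, the sample key and the claim set are constructed for this example; the STS configuration and API are not shown.

```python
import base64
import hashlib
import hmac
import json

# Required key sizes from the tables on this page, converted to bytes
# (the page states that one symmetricKey character is 8 bits).
HMAC_REQUIRED_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
CEK_REQUIRED_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                     "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_symmetric_key(alg: str, symmetric_key: str) -> bytes:
    """Enforce the 'required key size' rule: a key that is too short is an error."""
    if alg not in HMAC_REQUIRED_KEY_BYTES:
        raise ValueError(f"unsupported alg {alg!r}")
    key = symmetric_key.encode("ascii")  # 8 bits per character, as the page states
    need = HMAC_REQUIRED_KEY_BYTES[alg]
    if len(key) < need:
        raise ValueError(f"{alg} requires a {need * 8}-bit key, got {len(key) * 8} bits")
    return key


def dir_key_chars(enc: str) -> int:
    """With alg 'dir' the supplied symmetricKey is the CEK itself, so it must be
    exactly the CEK size of the 'enc' algorithm: bits / 8 characters."""
    return CEK_REQUIRED_BITS[enc] // 8


def issue_jwt(claims: dict, alg: str, symmetric_key: str) -> str:
    """Issue mode: build header.payload and sign it with HMAC."""
    key = check_symmetric_key(alg, symmetric_key)
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, symmetric_key: str, expected_iss: str, now: int) -> dict:
    """Validate mode: check structure, alg, nesting, signature, then basic claims."""
    parts = token.split(".")
    if len(parts) == 5:
        raise ValueError("compact JWE: decrypt before validating (not done in this example)")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    # Pin the permitted algorithms; never let the token choose (for example 'none').
    if alg not in HMAC_REQUIRED_KEY_BYTES:
        raise ValueError(f"alg {alg!r} not permitted by this validator")
    # Nesting rule: a bare JWS carrying "cty":"JWT" is signed but not encrypted,
    # which is the case the page says is not supported, so reject it.
    if header.get("cty") == "JWT":
        raise ValueError('nested JWT ("cty":"JWT") is only accepted when signed and then encrypted')
    key = check_symmetric_key(alg, symmetric_key)
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), HMAC_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    # Basic claim validation: issuer and expiry.
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token missing exp or expired")
    return claims


def validation_error(token: str, symmetric_key: str, expected_iss: str, now: int) -> str:
    """Return the rejection reason, or '' when the token validates."""
    try:
        validate_jwt(token, symmetric_key, expected_iss, now)
        return ""
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed sample: a 32-character (256-bit) key and a small claim set.
    key = "0123456789abcdef0123456789abcdef"
    token = issue_jwt({"iss": "https://sts.example", "sub": "alice", "exp": 1700000600}, "HS256", key)
    print(validate_jwt(token, key, "https://sts.example", now=1700000000))
    print(validation_error(token, key, "https://sts.example", now=1700000600))  # expired
    print(validation_error(token, key[:-1], "https://sts.example", now=1700000000))  # 248-bit key
    print(dir_key_chars("A128GCM"))  # 16 characters for a 128-bit CEK
```

The validator pins the algorithm set on its own side rather than trusting the token's "alg" header, performs the nesting check before any signature work, and compares the MAC with a constant-time comparison; the key-size check runs on both the Issue and Validate paths so that a misconfigured short key fails loudly in either mode.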