Validate mode
In validate mode, the JWT Module consumes a binary security token, which has the
attribute type “urn:com:ibm:JWT”.
When the module consumes a JWT, the following operations are performed:
- The keys are resolved.
- The JWT is decrypted if it was encrypted.
- The JWT signature is verified if it was signed. If the JWT was encrypted, this step is performed on the payload of the decrypted JWT.
- The claims are validated.
- The STSUU is populated.
If the JWT is successfully decrypted and validated, then the STSUU attributes will
contain the claims and context attributes. The claims will have the attribute type
urn:com:ibm:JWT:claim. The context attributes will have one of the
following values:
- urn:com:ibm:JWT:header
- urn:com:ibm:JWT:outer_header
- urn:com:ibm:JWT:signature
The following table shows the configuration properties.
| Configuration property | Description | Can be provided via WS-Trust claims |
|---|---|---|
| signing.alg | The algorithm with which the JWT is signed. | FALSE |
| signing.symmetricKey | The symmetric key that is used to perform signature validation. | TRUE |
| signing.db | The keystore from which the certificate is sourced. | TRUE |
| signing.cert | The certificate label from which the public keys are sourced. | TRUE |
| signing.jwksUri | The JWKS URI from which the public key is retrieved. | TRUE |
| encryption.alg | The algorithm that is used by the JWT for key management. | FALSE |
| encryption.enc | The algorithm that is used by the JWT for content encryption. | FALSE |
| encryption.symmetricKey | The symmetric key that is used for key management. | TRUE |
| encryption.db | The keystore from which the private key is sourced. | TRUE |
| encryption.cert | The label of the certificate that contains the private key to use for decrypting the encryption key. | TRUE |
| iss | The Java regular expression that matches the iss (issuer) claim. This value is optional. | FALSE |
| aud | The Java regular expression that matches the aud (audience) claim. This value is optional. | FALSE |
| sub | The Java regular expression that matches the sub (subject) claim. This value is optional. | FALSE |
| validateExp | Whether the exp claim in the JWT is checked. This check requires that the exp (expiration time) claim be set to a time in the future. | FALSE |
| validateNbf | Whether the nbf (not before) claim in the JWT is checked. This check requires that the nbf claim be set to a time in the past. | FALSE |
| validateSkew | The skew to offset time checks with. | FALSE |
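The following is an added example, not IBM code, that walks the validate-mode steps listed above for an HS256 token: resolve the symmetric key from configuration, verify the signature, validate the claims, and populate an STSUU-like structure with claims as urn:com:ibm:JWT:claim attributes and the header and signature as context attributes. The configuration keys mirror the property names in the table; the sample token is the one from the input example below. It assumes Python's re module as a stand-in for the Java regular expressions the module uses, that validateSkew is a tolerance in seconds applied to both exp and nbf, and that a list-valued aud claim matches when any member matches; none of these are stated by the page.

```python
# Added example (not IBM's code): a minimal HS256 validator that follows the
# validate-mode steps described on this page.
import base64
import hashlib
import hmac
import json
import re
import time

# Token taken from the input example on this page (HS256, key "superSecret").
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJuYW1lIjoiam9obiIsInRpdGxlIjoiTXIiLCJleHAiOjE0NjA0MzkxNzN9."
    "BNkZM38PygNYbPzGSsd1Za8HmgUkn0aT0ImaJmBmKtU"
)


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url as used by JWS."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_parts(token: str):
    """Split a compact JWS into (header dict, claims dict, signature b64). No verification."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64)), sig_b64


def sign_hs256(claims: dict, key: str) -> str:
    """Mint a test token so the validator can be exercised against a known key."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def _claim_matches(pattern: str, value) -> bool:
    # Assumption: a list-valued claim (e.g. aud) matches if any member matches.
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and re.fullmatch(pattern, v) for v in values)


def validate_jwt(token: str, config: dict, now=None):
    """Return (ok, reason, stsuu); stsuu mirrors the layout of the output example."""
    now = time.time() if now is None else now
    try:
        header, claims, sig_b64 = decode_parts(token)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed", None

    # Steps 1-2: resolve the key and verify the signature. The algorithm is
    # taken from configuration (signing.alg), never from the token header, so
    # the header cannot select a weaker check than the one configured.
    if config.get("signing.alg") != "HS256":
        return False, "unsupported signing.alg", None
    if header.get("alg") != "HS256":
        return False, "alg", None
    key = config.get("signing.symmetricKey", "").encode()
    signed_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signed_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "signature", None

    # Step 3: validate claims. iss/aud/sub patterns are optional; time checks
    # use validateSkew (assumed: seconds of tolerance) on exp and nbf.
    for name in ("iss", "aud", "sub"):
        pattern = config.get(name)
        if pattern is not None and not _claim_matches(pattern, claims.get(name)):
            return False, name, None
    skew = float(config.get("validateSkew", 0))
    if config.get("validateExp"):
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now >= exp + skew:
            return False, "exp", None
    if config.get("validateNbf"):
        nbf = claims.get("nbf")
        if not isinstance(nbf, (int, float)) or nbf > now + skew:
            return False, "nbf", None

    # Step 4: populate the STSUU: claims become urn:com:ibm:JWT:claim
    # attributes; header and signature become context attributes.
    stsuu = {
        "AttributeList": {k: {"type": "urn:com:ibm:JWT:claim", "value": v} for k, v in claims.items()},
        "ContextAttributes": {
            "header": json.dumps(header, separators=(",", ":")),
            "signature": sig_b64,
        },
    }
    return True, "valid", stsuu
```

Running validate_jwt over the page's sample token with validateExp enabled rejects it today, because its exp claim (1460439173) lies in the past; minting a fresh token with sign_hs256 and the same key shows the accept path and the effect of validateSkew.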
When the module runs in validate mode, it converts the JWT into a populated STSUU. The following examples show some sample input JWT and the corresponding output STSUU.
Input example
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:rst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <SOAP-ENV:Body>
    <!-- <rst:RequestSecurityTokenCollection>-->
    <rst:RequestSecurityToken>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>validate</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Issuer>
        <wsa:Address>validate</wsa:Address>
      </wst:Issuer>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
      <wst:Claims><signing.alg>HS256</signing.alg><signing.symmetricKey>superSecret</signing.symmetricKey></wst:Claims>
      <wst:Base>
        <wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode" wss:ValueType="urn:com:ibm:JWT">eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiam9obiIsInRpdGxlIjoiTXIiLCJleHAiOjE0NjA0MzkxNzN9.BNkZM38PygNYbPzGSsd1Za8HmgUkn0aT0ImaJmBmKtU</wss:BinarySecurityToken>
      </wst:Base>
    </rst:RequestSecurityToken>
    <!--</rst:RequestSecurityTokenCollection>-->
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Output example
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/>
  <soap:Body>
    <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="uuid8f53fcc-0154-10f4-bfcd-ebb7b0604011">
        <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference>
            <wsa:Address>validate</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:RequestedSecurityToken>
          <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
            <stsuuser:Principal/>
            <stsuuser:AttributeList>
              <stsuuser:Attribute name="title" type="urn:com:ibm:JWT:claim">
                <stsuuser:Value>Mr</stsuuser:Value>
              </stsuuser:Attribute>
              <stsuuser:Attribute name="exp" type="urn:com:ibm:JWT:claim">
                <stsuuser:Value>1460439173</stsuuser:Value>
              </stsuuser:Attribute>
              <stsuuser:Attribute name="name" type="urn:com:ibm:JWT:claim">
                <stsuuser:Value>john</stsuuser:Value>
              </stsuuser:Attribute>
            </stsuuser:AttributeList>
            <stsuuser:RequestSecurityToken/>
            <stsuuser:ContextAttributes>
              <stsuuser:Attribute name="header" type="urn:com:ibm:JWT">
                <stsuuser:Value>{"alg":"HS256"}</stsuuser:Value>
              </stsuuser:Attribute>
              <stsuuser:Attribute name="signature" type="urn:com:ibm:JWT">
                <stsuuser:Value>BNkZM38PygNYbPzGSsd1Za8HmgUkn0aT0ImaJmBmKtU</stsuuser:Value>
              </stsuuser:Attribute>
            </stsuuser:ContextAttributes>
            <stsuuser:AdditionalAttributeStatement/>
          </stsuuser:STSUniversalUser>
        </wst:RequestedSecurityToken>
        <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
        <wst:Status>
          <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
        </wst:Status>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>