Configuring authentication with JSON Web Tokens (JWT)

You can configure a WebSphere® Application Server to accept an inbound JSON Web Token (JWT) for authentication by using the same Trust Association Interceptor (TAI) as the OpenID Connect (OIDC) relying party. The OIDC TAI can be configured either to validate JWTs locally (check the signature and claims itself, using a key it obtains from the issuer) or to introspect them (send each token to the provider for validation).

Before you begin

Determine whether you want the OIDC TAI to locally validate your JWTs or introspect them.

If you want the TAI to locally validate the JWTs and to not act as an OIDC relying party, then follow the steps in this task.

However, if you want to introspect the JWTs, or want your TAI to also perform as an OIDC relying party, follow the steps in Configuring an OpenID Connect Relying Party first, then follow this task. When you add the custom properties in Step 4 of this task, use the following information to determine the value for your provider_<id>.useJwtFromRequest property instead of the value required, which applies only to the JWT-only configuration that this task describes:
  • If you want your TAI to also perform as an OIDC relying party, set the provider_<id>.useJwtFromRequest property to ifPresent.
  • If you always want to introspect your JWTs, set the provider_<id>.useJwtFromRequest property to no, or omit the provider_<id>.useJwtFromRequest property from your configuration.

About this task

This task shows how to configure the OIDC TAI to authenticate with a JWT only by using local validation.

Procedure

  1. In the administrative console, click Security > Global security > Web and SIP security > Trust association.
  2. Click Interceptors > New to add an interceptor.
  3. Enter the com.ibm.ws.security.oidc.client.RelyingParty interceptor class name.
  4. Add custom properties for your environment.

    For a list of the properties, see OpenID Connect Relying Party Custom Properties.

    The following properties are required for JWT authentication.
    • provider_<id>.useJwtFromRequest (must be set to required for the JWT-only configuration in this task)
    • provider_<id>.identifier
    • provider_<id>.issuerIdentifier (must match the iss claim of the tokens you accept)
    One of the following properties must be configured so that the TAI can obtain the key that verifies the JWT signature.
    • provider_<id>.jwkEndpointUrl (the TAI retrieves the signer's public keys from the issuer's JWK endpoint)
    • provider_<id>.signVerifyAlias (the alias of a signer certificate that you import into the truststore in Step 8)
    One of the following properties must be configured to enable the OIDC TAI to intercept requests.
    • provider_<id>.interceptedPathFilter
    • provider_<id>.excludedPathFilter
    • provider_<id>.filter
    [9.0.5.13 or later] The following properties must be configured when the JWT is encrypted (JWE):
    • provider_<id>.keyStore
    • provider_<id>.decryptAlias
    • provider_<id>.decryptKeyPassword

    The following OIDC TAI properties are for use only with JWT authentication. They are optional, but you might want to use them in your configuration.

    • provider_<id>.tokenReuse, which controls whether a JWT that has already been accepted can be presented again
    • provider_<id>.audiences, which restricts the aud claim values that the TAI accepts; set it whenever the issuer also mints tokens for other services, so that a token intended for another audience is not accepted by this server
  5. Click Apply and then click Save to save the configuration updates.
    Important: Do not click Save until after you click Apply or the custom properties are discarded.
  6. Add the OpenID Connect Relying Party TAI class to com.ibm.websphere.security.InvokeTAIbeforeSSO.
    1. Click Security > Global security and then click Custom properties.
    2. Check whether the list already contains the com.ibm.websphere.security.InvokeTAIbeforeSSO property.

      If the com.ibm.websphere.security.InvokeTAIbeforeSSO property does not exist, click New, and define the following custom property information:

      • Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
      • Value: com.ibm.ws.security.oidc.client.RelyingParty

      If the com.ibm.websphere.security.InvokeTAIbeforeSSO property exists, append the OIDC relying party class to its value:

      1. Click com.ibm.websphere.security.InvokeTAIbeforeSSO.
      2. Add a comma to the end of the existing value.
      3. Add com.ibm.ws.security.oidc.client.RelyingParty after the comma.
    3. Click OK.
  7. Configure the trusted realms to include the JWT issuer.
    1. Click Security > Global security.
    2. In the User account repository section, click Configure.
    3. In the Related Items section, click Trusted authentication realms - inbound > Add External Realm.
    4. In the External realm name field, enter the issuer name that is used by the JWT, that is, the value of its iss claim, which is the same value you set for provider_<id>.issuerIdentifier.
    5. Click OK.
  8. Optional: Add the issuer's public key to the truststore.

    This step is needed only if you set the signVerifyAlias property. If you configured jwkEndpointUrl instead, the TAI retrieves the signer's public keys from the issuer, and nothing is added to the truststore.

    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.

      Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.

    2. Click Add.
    3. Complete the certificate information.

      In the Alias field, type the alias name that you specified for the signVerifyAlias TAI custom property.

    4. Click Apply.
  9. Restart the application server.
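The procedure above configures the checks declaratively, so it is easy to lose sight of what the TAI actually does with a token once it is intercepted. The following Python script is an added example, not WebSphere code or IBM's implementation of the OIDC TAI: it performs the same kind of local validation the task configures (signature, issuer, audience, expiry, reuse) on a constructed token, so you can see what each Step 4 property buys you and which orderings matter. HS256 with a constructed shared secret stands in for the RSA or EC public key that the real TAI would load from jwkEndpointUrl or signVerifyAlias; the provider id "op", the policy values, the comma-separated audiences format, and keying single-use detection on the jti claim are all assumptions made for this example.

```python
"""Local JWT validation in the spirit of the OIDC TAI's JWT-only mode.
Added example, not WebSphere code. HS256 with a constructed secret stands in
for the signer's public key that the TAI would obtain from jwkEndpointUrl
or signVerifyAlias."""
import base64
import hashlib
import hmac
import json
import time

# Constructed policy. Keys mirror the Step 4 property names for provider id
# "op"; the value formats (comma-separated audiences, "false" for tokenReuse)
# are assumptions for this example, not the TAI's documented syntax.
TAI_POLICY = {
    "provider_op.issuerIdentifier": "https://op.example.com",
    "provider_op.audiences": "https://api.example.com,account-svc",
    "provider_op.tokenReuse": "false",
}
SIGNING_KEY = b"constructed-test-key-do-not-use"  # stand-in for the signer key
EXPECTED_ALG = "HS256"   # fixed by configuration, never taken from the token
CLOCK_SKEW = 60          # seconds of leeway on exp and nbf


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = SIGNING_KEY, alg: str = EXPECTED_ALG) -> str:
    """Mint a token as a constructed test issuer would. The header alg can be
    overridden (e.g. "none") to build negative test cases; the HMAC is always
    computed so that only the alg check, not the signature, is being tested."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_jwt(token: str, policy: dict, key: bytes, seen_jti: set, now=None):
    """Return (accepted, reason, claims). The signature is verified before any
    claim is trusted, and the algorithm comes from policy, not the header."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return False, "bad header", None
    # A token must not pick its own algorithm: rejects "none" and HMAC/RSA
    # confusion attacks alike.
    if header.get("alg") != EXPECTED_ALG:
        return False, "unexpected alg", None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(body_b64))
    # issuerIdentifier must equal iss exactly; it is also the external realm
    # name added as an inbound trusted realm in Step 7.
    if claims.get("iss") != policy["provider_op.issuerIdentifier"]:
        return False, "untrusted issuer", None
    # audiences: at least one aud value must be on the allow-list. aud may be
    # a string or a list per the JWT spec.
    allowed = {a.strip() for a in policy.get("provider_op.audiences", "").split(",") if a.strip()}
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if allowed and not allowed.intersection(aud):
        return False, "audience mismatch", None
    if "exp" not in claims or claims["exp"] + CLOCK_SKEW < now:
        return False, "expired", None
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        return False, "not yet valid", None
    # tokenReuse=false: each token is single-use. Keying on jti is this
    # example's choice; a real deployment needs a shared, expiring store.
    if policy.get("provider_op.tokenReuse", "true").lower() == "false":
        jti = claims.get("jti")
        if not jti:
            return False, "jti required for single-use tokens", None
        if jti in seen_jti:
            return False, "token replayed", None
        seen_jti.add(jti)
    return True, "ok", claims


if __name__ == "__main__":
    seen = set()
    tok = make_jwt({"iss": "https://op.example.com", "sub": "alice",
                    "aud": "account-svc", "exp": time.time() + 300, "jti": "t1"})
    print(validate_jwt(tok, TAI_POLICY, SIGNING_KEY, seen)[:2])  # accepted
    print(validate_jwt(tok, TAI_POLICY, SIGNING_KEY, seen)[:2])  # replayed
```

Two points carry over to the real configuration. First, the issuer and audience checks only protect you if issuerIdentifier is the exact iss string and audiences is set; without an audience list, any token from that issuer, including one minted for a different service, authenticates here. Second, the order of checks is deliberate: the signature is verified with an algorithm fixed by configuration before any claim is read, which is the property you rely on the TAI for when you pin the key through jwkEndpointUrl or signVerifyAlias.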

Results

The application server can now use inbound JSON Web Tokens for authentication.