Validating a JWT access token is an essential step in the OAuth2 Resource Server authentication and authorization process. Every JWT access token must pass three checks: the payload requirements, the data-integrity signature, and (optionally) the expiration time. If any of these checks fails, the client's HTTP request is rejected. The signature is what makes the payload trustworthy, so a token whose signature does not verify is rejected regardless of what its payload claims say.
A JWT's data-integrity signature can use one of several algorithms. JWT support in PAS for OpenEdge includes the HMAC and RSA (public/private key) algorithms specified by the JSON Web Signature (JWS) standard (RFC 7515).
Configure the HMAC or RSA type
Choose the JWT signature validation to perform by setting the following property in openedge.properties:
Note: All HSxxx types (HS256, HS384, HS512) apply to the HMAC signature algorithm, using SHA-256, SHA-384 or SHA-512 respectively. All RSxxx types (RS256, RS384, RS512) apply to the RSA (public and private key) signature algorithm with the same hash choices.
Configure the HSxxx signature validation key
The HSxxx key is a single shared-secret value (an HMAC key, not an encryption key) configured in the oeablSecurity.properties file:
jwtToken.macKey=value
value
A string value, either clear text or encoded text. Encoded text is the output of oe-install-dir/bin/stspwdutil. The same secret must be held by the Authorization Server that signs the tokens, and anyone who obtains it can mint tokens that PAS for OpenEdge will accept, so protect the properties file accordingly.
Note: Because the key is a single value, PAS for OpenEdge supports only one Authorization Server for each OEABL web application configuration when HMAC validation is used.
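The HMAC validation path described above, as an added example that is not part of the original page or of PAS for OpenEdge: a stand-alone Python implementation using only the standard library. It performs the three checks in the order a resource server should (signature, then payload requirements, then expiry) and pins the algorithm to the configured HS256 rather than trusting the token's own header. The MAC_KEY value, the required-claims list and the token-issuing helper are assumptions made for the example; the real product reads jwtToken.macKey from oeablSecurity.properties and validates in Java.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the jwtToken.macKey value that
# both the Authorization Server and PAS for OpenEdge would hold (assumption).
MAC_KEY = b"example-shared-secret-not-for-production"


class JwtValidationError(Exception):
    """Any failed check; the resource server rejects the HTTP request."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWS base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256_token(claims: dict, key: bytes) -> str:
    """Authorization Server side (test helper): build and MAC a compact JWS."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_hs256_token(token: str, key: bytes,
                         required_claims=("sub", "iss"), now=None) -> dict:
    """Resource server side: signature first, then payload requirements, then expiry."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = (json.loads(b64url_decode(h64)),
                               json.loads(b64url_decode(p64)), b64url_decode(s64))
    except ValueError:  # wrong part count, bad base64url, bad UTF-8 or bad JSON
        raise JwtValidationError("malformed JWS compact serialization")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JwtValidationError("header and payload must be JSON objects")
    # Pin the algorithm to the configured one. Honouring whatever the header
    # says ("none", or an RS-type token when only a MAC key exists) is the
    # classic algorithm-confusion mistake.
    if header.get("alg") != "HS256":
        raise JwtValidationError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    # Constant-time compare so a forgery cannot be assembled byte by byte.
    if not hmac.compare_digest(expected, sig):
        raise JwtValidationError("HMAC signature does not verify")
    # Payload requirements are checked only after the signature proved the payload genuine.
    missing = [c for c in required_claims if c not in claims]
    if missing:
        raise JwtValidationError(f"payload missing required claims: {missing}")
    # exp is optional, but when present it is enforced (NumericDate, seconds since epoch).
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise JwtValidationError("token has expired or exp is not a NumericDate")
    return claims


def is_valid_hs256_token(token: str, key: bytes, now=None) -> bool:
    try:
        validate_hs256_token(token, key, now=now)
        return True
    except JwtValidationError:
        return False


if __name__ == "__main__":
    good = issue_hs256_token({"sub": "alice", "iss": "https://as.example",
                              "exp": int(time.time()) + 300}, MAC_KEY)
    print(validate_hs256_token(good, MAC_KEY))
    print(is_valid_hs256_token(good, b"wrong-key"))
```

The order matters: decoding the payload before the signature is fine, but no decision may be taken on its contents until hmac.compare_digest has accepted the token, and the algorithm check must compare against the configured type rather than anything the token asserts.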
Configure the RSxxx signature validation public key
The Authorization Server's RSA public key (only the public key is needed to validate signatures) can be supplied in one of three ways:
A Java keystore (.jks) file containing a digital certificate that holds the single RSA public key
A file-system directory holding the single PEM-encoded RSA public key
A JSON Web Key (JWK) set holding multiple RSA public keys, one of which is selected by the JWT header's kid (key ID) parameter
Configuring a .jks Java keystore
Set the following properties in the oeablSecurity.properties file:
A string value, either clear text or encoded text. Encoded text is the output of oe-install-dir/bin/stspwdutil
jwtToken.jksKeystore.alias=sample
sample
The alias name of the keystore entry under which you stored the certificate holding the Authorization Server's JWT RSA signing public key, as obtained from the Authorization Server's operators.
Configuring a PEM encoded RSA public key
All files holding PEM-encoded RSA public keys must be named file-name.pem. Configure the file-system directory path (which acts as the keystore) and the alias name, which is the file name used to find the PEM file within that directory:
jwtToken.keystore.type=pem
jwtToken.pemKeyStore=<file-system-path to PEM files>
jwtToken.pemKeystore.alias=<PEM file-name>
The PEM-encoded file may optionally contain the RSA private key as well, but the resource server needs only the public key to validate signatures; keeping the private key out of the PAS for OpenEdge configuration limits the damage if that host is compromised.
A sample PEM-encoded file can be found in a PAS for OpenEdge instance's conf/jwtkeys directory.
RSA public/private keys can be generated for testing using the following two command lines:
Configuring a JSON Web Key (JWK) set
A JWK set is a JSON structure that holds one or more individual JWK JSON objects. Each JWK object contains a single RSA public key and is identified by its kid (key ID) value, which acts as the alias name. When a JWT is received and its header contains a kid parameter, that value is used as the alias name to look up the matching JWK object. If the JWT's header does not contain a kid parameter, or no JWK in the set has that kid, the request is rejected.
jwtToken.keystore.type=jwk
jwtToken.jwkKeyStoreURL=<URL from which the JWK set of RSA public keys is loaded>
Whoever controls that URL controls which keys PAS for OpenEdge trusts, so it should point at the Authorization Server's published key set over HTTPS with a certificate the instance verifies.
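The kid lookup and RS256 signature check described above, as an added example that is not part of the original page or of PAS for OpenEdge. It is Python using only the standard library, so it carries its own textbook RSA key generation and PKCS#1 v1.5 signing purely so that it can mint a test token offline; the JWK set, the kid values and the claims are constructed for the example, and the real product loads the set from jwtToken.jwkKeyStoreURL and verifies in Java with a proper crypto provider. The 1024-bit key size is chosen to keep the demonstration fast and is not a production size.

```python
import base64
import hashlib
import json
import secrets
import time

class JwtValidationError(Exception):
    """Any failed check; the resource server rejects the HTTP request."""

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- Textbook RSA with PKCS#1 v1.5 signatures, present only so the example runs
# offline (assumption for the demo; a real Authorization Server uses a crypto library).
def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits: int = 1024):
    """Returns ((e, n), d). 1024 bits keeps the demo fast; it is not a production size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), pow(e, -1, phi)  # modular inverse (Python 3.8+)

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_public_jwk(kid: str, e: int, n: int) -> dict:
    """One member of the JWK set's "keys" array; kid is the alias that gets looked up."""
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
            "e": b64url_encode(e.to_bytes(3, "big"))}

def issue_rs256_token(claims: dict, kid, d: int, n: int) -> str:
    """Authorization Server side (test helper); kid=None leaves the header parameter out."""
    hdr = {"alg": "RS256", "typ": "JWT", **({"kid": kid} if kid is not None else {})}
    signing_input = f"{b64url_encode(json.dumps(hdr).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big"), d, n)
    return f"{signing_input}.{b64url_encode(s.to_bytes(k, 'big'))}"

def resolve_jwk(header: dict, jwks: dict) -> dict:
    """Select the JWK whose kid matches the token's kid; no kid or no match means rejection."""
    kid = header.get("kid")
    if kid is None:
        raise JwtValidationError("JWT header carries no kid; no key can be selected")
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") == "RSA" and jwk.get("kid") == kid:
            return jwk
    raise JwtValidationError(f"no RSA key with kid {kid!r} in the JWK set")

def validate_rs256_token(token: str, jwks: dict, now=None) -> dict:
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = (json.loads(b64url_decode(h64)),
                               json.loads(b64url_decode(p64)), b64url_decode(s64))
    except ValueError:
        raise JwtValidationError("malformed JWS compact serialization")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JwtValidationError("header and payload must be JSON objects")
    if header.get("alg") != "RS256":  # the configuration, not the token, picks the algorithm
        raise JwtValidationError(f"unexpected alg {header.get('alg')!r}")
    jwk = resolve_jwk(header, jwks)
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise JwtValidationError("signature is not a valid RSA signature for this key")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")  # RSAVP1, then compare encodings
    if not secrets.compare_digest(em, _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise JwtValidationError("RSA signature does not verify")
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise JwtValidationError("token has expired")
    return claims

def is_valid_rs256_token(token: str, jwks: dict, now=None) -> bool:
    try:
        validate_rs256_token(token, jwks, now)
        return True
    except JwtValidationError:
        return False
```

Key rotation works naturally with this lookup: the Authorization Server publishes the new key under a new kid alongside the old one, and tokens carrying either kid verify until the old entry is withdrawn from the set; a token with an unknown or absent kid is rejected rather than tried against every key.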