Validating a JWT access token is an essential step in the OAuth2 resource server authentication and authorization processes. All JWT access tokens must pass the payload requirement checks, the data integrity signature check, and (optionally) the expiration check. If any of these checks fails, the client's HTTP request is rejected.

A JWT's data integrity signature supports multiple types of algorithms. JWT support in PAS for OpenEdge includes HMAC and RSA (public and private) algorithms, as specified in the JSON Web Signature (JWS) standard.

Configure the HMAC or RSA type

Choose the JWT signature validation to be performed by setting the following property in the oeablSecurity.properties file:

jwtToken.signatureAlg={ HS256 | HS384 | HS512 | RS256 | RS384 | RS512 }

Note: All HSxxx types apply to the HMAC signature algorithm. All RSxxx types apply to the RSA (public and private) signature algorithm.

Configure the HSxxx signature validation encryption key

The HSxxx encryption key is a single value configured in the oeablSecurity.properties file:

jwtToken.macKey=value
value
A string value, either clear text or encoded text. Encoded text is the output of oe-install-dir/bin/stspwdutil.
Note: Because the encryption key is a single value, PAS for OpenEdge supports only one authorization server for each OEABL web application configuration.

Configure the RSxxx signature validation encryption key

Support for accessing the RSA public keys includes:

  • A Java (.jks) encrypted keystore file containing a digital certificate holding the single RSA public key
  • A file system directory holding the single PEM-encoded RSA public key
  • A JSON Web Key (JWK) set that holds multiple RSA public keys, and is selected by the JWT header's kid claim

Configuring a .jks Java keystore

Set the following properties in the oeablSecurity.properties file:

jwtToken.keystore.type=mac
jwtToken.keystore.path=path-to-jks-keystore
jwtToken.keystore.pwd=value
jwtToken.keystore.alias=sample

Note: The keystore is maintained by using the Java keytool utility. See Oracle documentation for more information.

value
A string value, either clear text or encoded text. Encoded text is the output of oe-install-dir/bin/stspwdutil.

sample
The name of the keystore entry's alias used when you store the JWT RSA signature's public-key certificate that you obtained from the authorization server's operators.

Configuring a PEM-encoded RSA public key

All files holding PEM-encoded RSA public keys must be named in the form file-name.pem. You must configure the file system directory path (which acts as a keystore) and the alias used to find the PEM file within that directory:

jwtToken.keystore.type=pem
jwtToken.keystore.path=<file-system-path to PEM files>
jwtToken.keystore.alias=<PEM file-name>
Note:
  • The PEM-encoded file may optionally contain the RSA private key.
  • A sample PEM-encoded file can be found in a PAS for OpenEdge instance's conf/jwtkeys directory.
RSA public/private key pairs can be generated for testing by using the following two command lines (the first creates the private key, the second extracts the public key from it):

oe-install-dir/bin/sslc genpkey -out filename.prv.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:key-bit-size

oe-install-dir/bin/sslc rsa -pubout -in filename.prv.pem -out filename.pub.pem

Configure JWK set holding RSA public keys

A JWK set is a JSON structure that holds one or more individual JWK JSON objects. Each JWK object contains a single RSA public key and can be identified by an alias. When a JWT is received and its header contains a kid claim, the kid value is used as the alias to look up the matching JWK object. If a JWT's header does not contain a kid claim, or no JWK can be resolved for the alias, the request is rejected.

jwtToken.keystore.type=jwk
jwtToken.keystore.jwkurl=URL from which the JWK set holding the RSA public keys is loaded
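The following added example (not part of the original page or of PAS for OpenEdge) walks through the validation order from the introduction and the kid resolution rules for a JWK set: only the configured algorithm is accepted, the key is resolved from the JWK set by the header's kid and the request is rejected when the kid is missing or unknown, the signature is checked, and exp is enforced when present. It assumes a constructed JWK set with a symmetric (kty "oct") key so it runs with only the Python standard library; the page's JWK sets hold RSA keys, but the lookup and rejection logic is the same.

```python
import base64, hashlib, hmac, json, time

MAC_KEY = b"constructed-secret-key-one"          # constructed key, not a real one
CONFIGURED_ALG = "HS256"                         # mirrors jwtToken.signatureAlg
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWK set standing in for what jwtToken.keystore.jwkurl would serve; an
# "oct" JWK is used instead of the page's RSA keys so this runs with the stdlib only.
JWK_SET = {"keys": [{"kty": "oct", "kid": "auth-server-2024", "k": b64url_encode(MAC_KEY)}]}

def resolve_key(kid):
    """Map the header's kid to key bytes; None if kid is absent or unknown."""
    if kid is None:
        return None
    for jwk in JWK_SET["keys"]:
        if jwk.get("kid") == kid:
            return b64url_decode(jwk["k"])
    return None

def validate(token: str, now=None):
    """Apply the page's checks in order: payload, signature, then (optional) exp."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
    except ValueError:                           # bad segment count, base64 or JSON
        return False, "malformed token"
    if header.get("alg") != CONFIGURED_ALG:      # trust the configured alg, never the token's
        return False, "alg mismatch"
    key = resolve_key(header.get("kid"))
    if key is None:
        return False, "kid missing or unresolved"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), HS_ALGS[CONFIGURED_ALG]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return False, "bad signature"
    if "exp" in payload and (time.time() if now is None else now) >= payload["exp"]:
        return False, "expired"
    return True, "ok"

def mint(claims: dict, kid, key: bytes, alg: str = "HS256") -> str:
    """Constructed issuer, used only to build sample tokens for the checks above."""
    header = {"alg": alg, "typ": "JWT", **({"kid": kid} if kid else {})}
    h64, p64 = b64url_encode(json.dumps(header).encode()), b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), HS_ALGS.get(alg, hashlib.sha256)).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"
```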