Data Governance Broker Documentation Index

JWT Access Token Provider

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

The JWT Access Token Provider uses signed JWTs (RFC 7519) to represent an access token so that all identity and authorization information is self-contained as claims.

This may be useful for avoiding the network overhead of calling the token introspection endpoint since resource servers may check the signature and claims of the JWT itself.

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The JWT Access Token Provider component inherits from the Access Token Provider.

Relations from This Component

The following components have a direct aggregation relation from JWT Access Token Providers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: description, access-token-signing-key-pair, access-token-signing-algorithm
Advanced Properties: None

Basic Properties

description

Description
A description for this Access Token Provider
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

access-token-signing-key-pair

Description
The key pair to use to sign the JWTs used for access tokens. The signing key pair will be identified using the "kid" claim in the JWT header and will be used to look up the key during validation. An access token will be considered valid as long as the key pair that was used to sign it is still defined.
Default Value
None
Allowed Values
The DN of any Key Pair.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

access-token-signing-algorithm

Description
The algorithm to use when signing access tokens.
Default Value
RS512
Allowed Values
RS256 - RSASSA-PKCS1-v1_5 using SHA-256.

RS384 - RSASSA-PKCS1-v1_5 using SHA-384.

RS512 - RSASSA-PKCS1-v1_5 using SHA-512.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
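
Added example (not part of the product documentation or its code): a minimal resource-server check in Python that validates such a token locally instead of calling token introspection, accepting only the three "alg" values listed above and resolving the public key by the "kid" header. The key table layout, the "exp" check, the function names and the demo key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017); the keys double as the "alg" allowlist.
DIGEST_INFO = {
    "RS256": ("sha256", "3031300d060960864801650304020105000420"),
    "RS384": ("sha384", "3041300d060960864801650304020205000430"),
    "RS512": ("sha512", "3051300d060960864801650304020305000440"),
}

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_encode(alg, msg, k):  # full k-byte EMSA-PKCS1-v1_5 block for msg
    name, prefix = DIGEST_INFO[alg]
    t = bytes.fromhex(prefix) + hashlib.new(name, msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(token, keys, now=None):
    """Return the claims of a valid token; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64u_decode(h64)), json.loads(b64u_decode(p64)), b64u_decode(s64)
        alg, kid, exp = header.get("alg"), header.get("kid"), claims.get("exp")
    except Exception:
        raise ValueError("malformed token")
    if not isinstance(alg, str) or alg not in DIGEST_INFO:  # rejects "none", HS256, anything unlisted
        raise ValueError("algorithm not allowed")
    if not isinstance(kid, str) or kid not in keys:  # signing key pair is not (or no longer) defined
        raise ValueError("unknown kid")
    n, e = keys[kid]  # assumed layout: kid -> (modulus, public exponent)
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    expected = pkcs1_encode(alg, f"{h64}.{p64}".encode(), k)  # whole-block compare: lax padding cannot pass
    if len(sig) != k or s >= n or not hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected):
        raise ValueError("bad signature")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

# Constructed demo key built from two Mersenne primes so the example runs offline; not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_demo(header, claims):  # hypothetical helper, used only to make test tokens
    signing_input = ".".join(b64u_encode(json.dumps(x).encode()) for x in (header, claims))
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_encode(header["alg"], signing_input.encode(), k), "big")
    return signing_input + "." + b64u_encode(pow(em, D, N).to_bytes(k, "big"))
```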


dsconfig Usage

To list the configured Access Token Providers:

dsconfig list-access-token-providers
     [--property {propertyName}] ...

To view the configuration for an existing Access Token Provider:

dsconfig get-access-token-provider-prop
     --provider-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Access Token Provider:

dsconfig set-access-token-provider-prop
     --provider-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new JWT Access Token Provider:

dsconfig create-access-token-provider
     --provider-name {name}
     --type jwt
     --set access-token-signing-key-pair:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Access Token Provider:

dsconfig delete-access-token-provider
     --provider-name {name}