Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
JWT Access Token Validator validates JWT access tokens using local token inspection.
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage
The JWT Access Token Validator component inherits from the External Access Token Validator
The following components have a direct aggregation relation from JWT Access Token Validators:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ subject-claim-name |
| ↓ enabled | ↓ client-id-claim-name |
| ↓ evaluation-order-index | ↓ scope-claim-name |
| ↓ authorization-server | |
| ↓ signing-certificate | |
| ↓ jwks-endpoint-path | |
| ↓ encryption-key-pair | |
| ↓ clock-skew-grace-period |
| Description | A description for this Access Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this Access Token Validator is enabled for use in Data Governance Server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | When multiple JWT Access Token Validators are defined for a single Data Governance Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Data Governance Server. Values of this property must be unique among all JWT Access Token Validators defined within Data Governance Server but not necessarily contiguous. JWT Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token. |
| Default Value | 1000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the external server that will be used to aid in validating access tokens. In most cases this will be the Authorization Server that minted the token. |
| Default Value | Not specifying an authorization server implies that no external communication is required to validate access tokens. |
| Allowed Values | The DN of any HTTP External Server. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the locally stored certificates that may be used to validate the signature of an incoming JWT access token. If this property is specified, the JWT Access Token Validator will not use a JWKS endpoint to retrieve public keys. |
| Default Value | One of signing-certificate and jwks-endpoint-path must be specified, but not both. |
| Allowed Values | The DN of any Trusted Certificate. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The relative path to JWKS endpoint from which to retrieve one or more public signing keys that may be used to validate the signature of an incoming JWT access token. This path is relative to the base_url property defined for the validator's external authorization server. If jwks-endpoint-path is specified, the JWT Access Token Validator will not consult locally stored certificates for validating token signatures. |
| Default Value | One of signing-certificate and jwks-endpoint-path must be specified, but not both. |
| Allowed Values | An absolute URL, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The public-private key pair that is used to encrypt the JWT payload. If specified, the JWT Access Token Validator will use the private key to decrypt the JWT payload, and the public key must be exported to the Authorization Server that is issuing access tokens. |
| Default Value | No decryption will be applied. |
| Allowed Values | The DN of any Key Pair. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the amount of clock skew that is tolerated by the JWT Access Token Validator when evaluating whether a token is within its valid time interval. The duration specified by this parameter will be subtracted from the token's not-before (nbf) time and added to the token's expiration (exp) time, if present, to allow for any time difference between the local server's clock and the token issuer's clock. |
| Default Value | 5 s |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
subject-claim-name (Advanced Property)
| Description | The name of the token claim that contains the subject, i.e. the logged-in user in an access token. If the claim specified by this property is present in the access token, then the PingDataGovernance Server will set the HttpRequest.AccessToken.user_token flag to "true" when authorizing HTTP requests and responses with the policy decision point. |
| Default Value | sub |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
client-id-claim-name (Advanced Property)
| Description | The name of the token claim that contains the OAuth2 client Id. |
| Default Value | client_id |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
scope-claim-name (Advanced Property)
| Description | The name of the token claim that contains the scopes granted by the token. |
| Default Value | scope |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Access Token Validators:
dsconfig list-access-token-validators
[--property {propertyName}] ...
To view the configuration for an existing Access Token Validator:
dsconfig get-access-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Access Token Validator:
dsconfig set-access-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new JWT Access Token Validator:
dsconfig create-access-token-validator
--validator-name {name}
--type {type}
--set enabled:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Access Token Validator:
dsconfig delete-access-token-validator
--validator-name {name}