Enabling JWT Authentication
JSON Web Token (JWT) authentication is a mechanism to verify the owner of JSON data. A JWT is an encoded, URL-safe string that can contain unlimited data and is cryptographically signed. It securely transfers data between the parties as a JSON object. Because the information is digitally signed, it can be verified and trusted.
The JWT - MS signature verifies that the token is signed by the sender and has not been altered in any way. The signature is created using the Header and Payload segments, a signing algorithm, and a secret or public key.
Configuration Setup
The JWT signature is used to verify that the token is signed by the sender and has not been altered in any way. The signature is created using the header and payload segments, a signing algorithm, and a secret or public key.
To enable JWT Authentication, set ms.security.tokencheck.enabled to Y.
In addition, set the following properties as environment variables.
| JWT Configuration Properties | Description |
|---|---|
| JWT_TOKEN_ISSUER | Identifies the issuer of the authentication token. |
| JWT_TOKEN_PUBLIC_KEY | Indicates Base64 encoded public key content that can be directly loaded as a public key certificate. |
| JWT_TOKEN_PRINCIPAL_CLAIM | Indicates the claim in which the user principal is provided. |
| ID_TOKEN_SIGNED | Enables the JWT signature validation along with the header and payload. |
| JWT_TOKEN_CUSTOM_CLAIMS | Indicates the custom claims to be passed to the authentication |
Set the JWT configuration properties as environment variables in install scripts for Azure and AWS.
By default, JWT Authentication is disabled in the AWS and Azure stacks. It can be enabled as required.
Deployment
The JWT configurations for each stack are as follows:
Azure
For an Azure deployment, set the following JWT configuration properties in install-mongo.bat / install-mongo.sh / install-postgresql.bat / install-postgresql.sh.
```
ms_security_tokencheck_enabled="Y"
JWT_TOKEN_PRINCIPAL_CLAIM="FABRICUSER"
JWT_TOKEN_ISSUER="Fabric"
ID_TOKEN_SIGNED="false"
JWT_TOKEN_PUBLIC_KEY="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
```
AWS
For an AWS deployment, set the following JWT configuration properties in install-aws-dynamo.sh / install-aws-postgresql.sh.
```
ms_security_tokencheck_enabled="Y"
JWT_TOKEN_PRINCIPAL_CLAIM="FABRICUSER"
JWT_TOKEN_ISSUER="Fabric"
ID_TOKEN_SIGNED="false"
JWT_TOKEN_PUBLIC_KEY="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
```
K8
For a K8 deployment, set the following JWT configuration properties in holdings-api-configmap.yml.
```
ms_security_tokencheck_enabled: "Y"
JWT_TOKEN_PRINCIPAL_CLAIM: "FABRICUSER"
JWT_TOKEN_ISSUER: "Fabric"
ID_TOKEN_SIGNED: "false"
JWT_TOKEN_PUBLIC_KEY: "TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
```
Apart from the earlier properties, you can set the custom claims as JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2.
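A pre-deployment check for the properties above, added here as an example; it is not part of the product or its install scripts. It assumes JWT_TOKEN_PUBLIC_KEY has the same form as the sample value on this page (which decodes once to Base64 text beginning MIIBIjAN, that is, a DER key body encoded a second time, with the trailing "=" padding stripped) and that ID_TOKEN_SIGNED takes "true" to enable validation. The names check_jwt_env and SAMPLE_ENV are hypothetical.

```python
import base64

def b64(text):
    """Decode Base64, restoring '=' padding if it was stripped."""
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)

def check_jwt_env(env):
    """Return findings for the JWT properties in env (a dict of strings)."""
    if env.get("ms_security_tokencheck_enabled") != "Y":
        return ["ms_security_tokencheck_enabled is not Y: JWT authentication is off"]
    findings = []
    for name in ("JWT_TOKEN_ISSUER", "JWT_TOKEN_PRINCIPAL_CLAIM", "JWT_TOKEN_PUBLIC_KEY"):
        if not env.get(name):
            findings.append(name + " is not set")
    # Assumption: "true" is the enabling value (the page only shows "false").
    if env.get("ID_TOKEN_SIGNED", "").lower() != "true":
        findings.append("ID_TOKEN_SIGNED is not true: signature validation is not enabled")
    key = env.get("JWT_TOKEN_PUBLIC_KEY", "")
    if key:
        try:
            der = b64(b64(key).decode("ascii"))  # outer layer, then the key body
            if der[:1] != b"\x30":               # DER SEQUENCE tag
                findings.append("JWT_TOKEN_PUBLIC_KEY does not decode to DER")
        except ValueError:  # bad Base64, or the first layer is not ASCII text
            findings.append("JWT_TOKEN_PUBLIC_KEY is not Base64 of a Base64 key body")
    # Custom claims use the key1:val1,key2:val2 form given on this page.
    for pair in filter(None, env.get("JWT_TOKEN_CUSTOM_CLAIMS", "").split(",")):
        name, sep, value = pair.partition(":")
        if not (name and sep and value):
            findings.append("custom claim %r is not key:value" % pair)
    return findings

# Constructed sample: a placeholder DER-shaped blob, not a real key.
_FAKE_DER = b"\x30\x82\x01\x22" + bytes(290)
SAMPLE_ENV = {
    "ms_security_tokencheck_enabled": "Y",
    "JWT_TOKEN_PRINCIPAL_CLAIM": "FABRICUSER",
    "JWT_TOKEN_ISSUER": "Fabric",
    "ID_TOKEN_SIGNED": "false",
    "JWT_TOKEN_PUBLIC_KEY": base64.b64encode(base64.b64encode(_FAKE_DER)).decode().rstrip("="),
}

if __name__ == "__main__":
    for finding in check_jwt_env(SAMPLE_ENV):
        print("WARN:", finding)
```

The check only confirms the outer shape of the key (two Base64 layers around a DER SEQUENCE); it does not parse the key or verify any token.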