Enabling Authentication using JWT-MS
JWT signature allows to verify that the token is signed by the sender and not altered in any way. The signature is created using the Header and Payload segments, a signing algorithm, and a secret or public key.
To enable JWT Authentication, you should set ms.security.tokencheck.enabled to Y. The following table describes the JWT authentication properties.
| Properties | Description |
|---|---|
|
JWT_TOKEN_ISSUER |
Identifies the issuer of the authentication token. |
|
JWT_TOKEN_PUBLIC_KEY |
Indicates Base64 encoded public key content that can be directly loaded as a public key certificate. |
|
JWT_TOKEN_PRINCIPAL_CLAIM |
Indicates the claim in which the user principal is provided. |
|
ID_TOKEN_SIGNED |
Enables the JWT signature validation along with the header and payload. |
|
JWT_TOKEN_CUSTOM_CLAIMS |
Indicates the custom claims to be passed to the authentication |
Deployment
This section explains you about how to deploy the WAR file for the following stacks:
Docker
For Docker deployment, set the following mentioned JWT Authentication & XACML Authorization configuration properties as Environment Variables in the API container of both holdingsMongo.yml/holdingsPostgresql.yml as required.
ms.security.tokencheck.enabled: Y JWT_TOKEN_PRINCIPAL_CLAIM: FABRICUSER JWT_TOKEN_ISSUER: Fabric ID_TOKEN_SIGNED: "false" JWT_TOKEN_PUBLIC_KEY: "TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
AWS
For AWS deployment, set the following mentioned JWT Authentication & XACML Authorization properties as Environment Variables in the install-aws-dynamo.sh/install-aws-postgresql.sh as required.
ms_security_tokencheck_enabled="Y" JWT_TOKEN_PRINCIPAL_CLAIM="FABRICUSER" JWT_TOKEN_ISSUER="Fabric" ID_TOKEN_SIGNED="false" JWT_TOKEN_PUBLIC_KEY="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
Azure
For Azure deployment, set the following mentioned JWT Authentication & XACML Authorization properties as Environment Variables in the install-mongo.bat/install-mongo.sh/install-postgresql.bat/install-postgresql.sh as required
ms_security_tokencheck_enabled="Y" JWT_TOKEN_PRINCIPAL_CLAIM="FABRICUSER" JWT_TOKEN_ISSUER="Fabric" ID_TOKEN_SIGNED="false" JWT_TOKEN_PUBLIC_KEY="TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
K8
For K8 deployment, set the following mentioned JWT Authentication and XACML Authorization properties as Environment Variables in the API container of holdings-api-configmap.yaml
ms_security_tokencheck_enabled:"Y" JWT_TOKEN_PRINCIPAL_CLAIM:"FABRICUSER" JWT_TOKEN_ISSUER:"Fabric" ID_TOKEN_SIGNED:"false" JWT_TOKEN_PUBLIC_KEY:"TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI"
Custom Claims
Apart from the above properties, one can set custom claims as: JWT_TOKEN_CUSTOM_CLAIMS : key1:val1,key2:val2
In this topic