Enabling JWT-based access tokens

Preface


Authlete can issue access tokens in JWT format. To enable this, you register a signing key with the service and select a signing algorithm. This article describes the steps.




Service settings


Register a JWK Set document in the "JWK Set Content" field of Service Settings. See the separate article on registering a JWK set for instructions.


After the registration, choose an appropriate "Access Token Signature Algorithm" in the "Token" tab. The algorithm must match a signing key in the registered JWK set; for example, choose "ES256" if you registered an ES256 signing key (as in the article referenced above).

Access Token Signature Algorithm


Access tokens issued after this change are JWT-formatted, signed with the selected algorithm and key (the token's "kid" header names the key that was used).

Example


The following is an example invocation of the /auth/token API. Both "jwtAccessToken" and the "access_token" inside "responseContent" (the token response body to be returned to the client) carry the same JWS-signed JWT. "accessToken" still holds the opaque token value; it is also embedded in the JWT as the "jti" claim, which is what ties the JWT back to the token record.

$ curl -s -X POST $AUTHLETE_API/auth/token \
  -u $AUTHLETE_KEY:$AUTHLETE_SECRET \
  -H 'Content-Type: application/json' \
  -d '{"clientId":"249890170368",
   "clientSecret":"pKCYiH3yxWcAkB4IbjoND1jTtbKztMYBt1Cfz8FJVe5mBWbw_5y6W_MHOaItV4dYFeQC4ZukjLRJ8yDlMYbWRg",
   "parameters":"grant_type=authorization_code&redirect_uri=https://client.example.org/cb/example.com&code=azZN1d9d4kttnujX_BhA-rWw2jZ8E0L5t3WQ2cailLc"}' | jq
{
  "type": "tokenResponse",
  "resultCode": "A050001",
  "resultMessage": "[A050001] The token request
   (grant_type=authorization_code) was processed successfully.",
  "accessToken": "oy1Tv4dqMYh9kbpnBBbRWET8Bqq_bfdylkb1O2A8-tI",
  "accessTokenDuration": 86400,
  "accessTokenExpiresAt": 1576574171669,
  "action": "OK",
  "clientId": 249890170368,
  "clientIdAliasUsed": false,
  "grantType": "AUTHORIZATION_CODE",
  "idToken": "eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ.
   eyJzdWIiOiJ0ZXN0dXNlcjAxIiwiYXVkIjpbIjI0OTg5MDE3MDM2OCJdLCJpc3MiOiJodHRwczovL
   2FzLmV4YW1wbGUuY29tIiwiZXhwIjoxNTc2NTc0MTcxLCJpYXQiOjE1NzY0ODc3NzEsIm5vbmNlIj
   oibi0wUzZfV3pBMk1qIn0.rWDeuYqr4KxKcwt658tnebFTLxNy_3wUuDQbCU22bHy9GSfEgdy4vsX
   RSNkWcgYOqaC7fffdQUcaeMl14ucm8A",
  "jwtAccessToken": "eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ.
   eyJzdWIiOiJ0ZXN0dXNlcjAxIiwic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2FzLmV4Y
   W1wbGUuY29tIiwiZXhwIjoxNTc2NTc0MTcxLCJpYXQiOjE1NzY0ODc3NzEsImNsaWVudF9pZCI6Ij
   I0OTg5MDE3MDM2OCIsImp0aSI6Im95MVR2NGRxTVloOWticG5CQmJSV0VUOEJxcV9iZmR5bGtiMU8
   yQTgtdEkifQ.
   KhWMqnVLgIjGEsSKPPkSRt6oEtIsv0EEAyYEO87ycstDPH4A9oOH7Hf68R-NwwnEgDA8bK8YKu1YP
   PxtMciX9A",
  "refreshToken": "t_5SCgAFKqR4YTLMvGqw90q180Y3Tldn3oDyYry9E90",
  "refreshTokenDuration": 864000,
  "refreshTokenExpiresAt": 1577351771669,
  "responseContent": "{\"access_token\":\"eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ.
   eyJzdWIiOiJ0ZXN0dXNlcjAxIiwic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2FzLmV4Y
   W1wbGUuY29tIiwiZXhwIjoxNTc2NTc0MTcxLCJpYXQiOjE1NzY0ODc3NzEsImNsaWVudF9pZCI6Ij
   I0OTg5MDE3MDM2OCIsImp0aSI6Im95MVR2NGRxTVloOWticG5CQmJSV0VUOEJxcV9iZmR5bGtiMU8
   yQTgtdEkifQ.
   KhWMqnVLgIjGEsSKPPkSRt6oEtIsv0EEAyYEO87ycstDPH4A9oOH7Hf68R-NwwnEgDA8bK8YKu1YP
   PxtMciX9A\",
   \"refresh_token\":\"t_5SCgAFKqR4YTLMvGqw90q180Y3Tldn3oDyYry9E90\",
   \"scope\":\"openid\",
   \"id_token\":\"eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ.
   eyJzdWIiOiJ0ZXN0dXNlcjAxIiwiYXVkIjpbIjI0OTg5MDE3MDM2OCJdLCJpc3MiOiJodHRwczovL
   2FzLmV4YW1wbGUuY29tIiwiZXhwIjoxNTc2NTc0MTcxLCJpYXQiOjE1NzY0ODc3NzEsIm5vbmNlIj
   oibi0wUzZfV3pBMk1qIn0.rWDeuYqr4KxKcwt658tnebFTLxNy_3wUuDQbCU22bHy9GSfEgdy4vsX
   RSNkWcgYOqaC7fffdQUcaeMl14ucm8A\",
   \"token_type\":\"Bearer\",
   \"expires_in\":86400}",
  "scopes": [
    "openid"
  ],
  "subject": "testuser01"
}
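The following script is an added example, not part of this article or of Authlete's own code. It takes the sample response above (the JWT copied with its line wrapping removed) and decodes the JWS header and claims with the standard library only, then cross-checks them against the other fields of the /auth/token response: the configured algorithm and a "kid", the 64-byte raw r||s form of an ES256 signature, "jti" against "accessToken", "exp" against "accessTokenExpiresAt" (milliseconds), and so on. The expected issuer value is taken from the token's own "iss" claim and is an assumption for this example.

```python
"""Inspect a JWT access token returned by Authlete's /auth/token API.

Added example; not part of the article or Authlete's own code.
Only the standard library is used, so the signature is NOT verified here
(see the note below the block).
"""
import base64
import json

# Constructed from the article's sample /auth/token response (JWT unwrapped).
SAMPLE_RESPONSE = {
    "accessToken": "oy1Tv4dqMYh9kbpnBBbRWET8Bqq_bfdylkb1O2A8-tI",
    "accessTokenDuration": 86400,
    "accessTokenExpiresAt": 1576574171669,
    "clientId": 249890170368,
    "jwtAccessToken": (
        "eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ."
        "eyJzdWIiOiJ0ZXN0dXNlcjAxIiwic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2FzLmV4Y"
        "W1wbGUuY29tIiwiZXhwIjoxNTc2NTc0MTcxLCJpYXQiOjE1NzY0ODc3NzEsImNsaWVudF9pZCI6Ij"
        "I0OTg5MDE3MDM2OCIsImp0aSI6Im95MVR2NGRxTVloOWticG5CQmJSV0VUOEJxcV9iZmR5bGtiMU8"
        "yQTgtdEkifQ."
        "KhWMqnVLgIjGEsSKPPkSRt6oEtIsv0EEAyYEO87ycstDPH4A9oOH7Hf68R-NwwnEgDA8bK8YKu1YP"
        "PxtMciX9A"
    ),
    "scopes": ["openid"],
    "subject": "testuser01",
}

# The "Access Token Signature Algorithm" chosen in the article.
EXPECTED_ALG = "ES256"
# Assumption for this example: taken from the sample token's own iss claim.
EXPECTED_ISSUER = "https://as.example.com"


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jws(token: str):
    """Split a compact JWS into (header dict, claims dict, raw signature bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWS compact serialization with 3 segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def check_token_against_response(resp: dict) -> dict:
    """Cross-check the JWT with the rest of the /auth/token response.

    Returns the claims on success and raises ValueError on any mismatch.
    """
    header, claims, sig = split_jws(resp["jwtAccessToken"])

    # Pin the algorithm to the configured one; never trust the token's alg.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if "kid" not in header:
        raise ValueError("header lacks kid; cannot pick the key from the JWK set")
    # A JWS ES256 signature is raw r||s, 32 bytes each.
    if len(sig) != 64:
        raise ValueError(f"ES256 signature must be 64 bytes, got {len(sig)}")

    # The opaque token value is carried as jti, tying the JWT to the token record.
    if claims["jti"] != resp["accessToken"]:
        raise ValueError("jti does not match accessToken")
    # accessTokenExpiresAt is in milliseconds; exp/iat are in seconds.
    if claims["exp"] != resp["accessTokenExpiresAt"] // 1000:
        raise ValueError("exp does not match accessTokenExpiresAt")
    if claims["exp"] - claims["iat"] != resp["accessTokenDuration"]:
        raise ValueError("exp - iat does not match accessTokenDuration")
    if claims["client_id"] != str(resp["clientId"]):
        raise ValueError("client_id mismatch")
    if claims["sub"] != resp["subject"]:
        raise ValueError("sub mismatch")
    if claims["scope"].split() != resp["scopes"]:
        raise ValueError("scope mismatch")
    if claims["iss"] != EXPECTED_ISSUER:
        raise ValueError("iss mismatch")
    return claims


def accepts(resp: dict) -> bool:
    """True if the response passes every cross-check above."""
    try:
        check_token_against_response(resp)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    print(json.dumps(check_token_against_response(SAMPLE_RESPONSE), indent=2))
```

The checks above are structural only. A resource server must additionally verify the signature with the public key whose "kid" matches the token header, taken from the service's JWK set, using a JOSE library of its choice, and must reject any "alg" other than the one it expects (the "none" and HMAC families in particular) before looking at the claims.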

