Enabling JWT-based access tokens
Preface
Authlete has a feature that can issue JWT-formatted access tokens. To enable it, you have to register a signing key and specify a signing algorithm. This article describes how to set this up.
Service settings
Register a JWK Set document in the "JWK Set Content" section of Service Settings. See the following article for instructions.
After the registration, choose an appropriate "Access Token Signature Algorithm" in the same "Token" tab. For example, you would choose "ES256" if you have registered an ES256 signing key (shown in the article above).

After this change, access tokens issued by Authlete are JWT-formatted.
Embedding additional properties into access tokens
You can embed arbitrary key-value pairs into access tokens using Authlete's "Extra Properties" feature. Visible (i.e., not hidden) extra properties are included in the JWT-formatted access tokens as custom claims so that resource servers can extract them.
Example
The following is an example call to the /auth/token API of an Authlete service configured to issue JWT-formatted access tokens. It also shows the output when extra properties are used.
You will see a JWS-signed JWT as the value of "access_token" in "responseContent" (the content of the token response). The same value is also provided as "jwtAccessToken". (The JWT is folded for readability.)
$ curl -s -X POST https://api.authlete.com/api/auth/token \
    -u ...:... \
    -H 'Content-Type: application/json' \
    -d '{"clientId":"...","clientSecret":"...",
         "parameters":"grant_type=authorization_code&
                       redirect_uri=https://client.example.org/cb/example.com&
                       code=..."}' | jq
{
  "type": "tokenResponse",
  "resultCode": "A050001",
  "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
  "accessToken": "xx2...AFQ",
  "accessTokenDuration": 86400,
  "accessTokenExpiresAt": 1591690046802,
  "action": "OK",
  "clientId": 17201083166161,
  "clientIdAliasUsed": false,
  "grantType": "AUTHORIZATION_CODE",
  "jwtAccessToken": "eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ.
    eyJleGFtcGxlX3BhcmFtZXRlciI6ImV4YW1wbGVfdmFsdWUiLCJz
    dWIiOiJ0ZXN0dXNlcjAxIiwic2NvcGUiOm51bGwsImlzcyI6Imh0
    dHBzOi8vYXV0aGxldGUuY29tIiwiZXhwIjoxNTkxNjkwMDQ2LCJp
    YXQiOjE1OTE2MDM2NDYsImNsaWVudF9pZCI6IjE3MjAxMDgzMTY2
    MTYxIiwianRpIjoieHgycnNJODBER1Z4bHFLdTFQV2R4eWJSLTdB
    eTZWamJNcTAxY3dNYkFGUSJ9.
    -9RsKUSnJHmdqNtNpWbbbTah1YxTkicsabIgxrLWHtGiLsTIaEj_
    q39AvKYWrmfnw5y0dfaD3qtTScxI94OSIg",
  "properties": [
    {
      "hidden": false,
      "key": "example_parameter",
      "value": "example_value"
    }
  ],
  "refreshToken": "4rA7H1uRZkCQ7Yd0PN98h7IUqW7zT8p1a_BAg0jEyow",
  "refreshTokenDuration": 864000,
  "refreshTokenExpiresAt": 1592467646802,
  "responseContent": "{\"access_token\": \"eyJraWQiOiIxIiwiYWxnIjoiRVMyNTYifQ.
    eyJleGFtcGxlX3BhcmFtZXRlciI6ImV4YW1wbGVfdmFsdWUiLCJz
    dWIiOiJ0ZXN0dXNlcjAxIiwic2NvcGUiOm51bGwsImlzcyI6Imh0
    dHBzOi8vYXV0aGxldGUuY29tIiwiZXhwIjoxNTkxNjkwMDQ2LCJp
    YXQiOjE1OTE2MDM2NDYsImNsaWVudF9pZCI6IjE3MjAxMDgzMTY2
    MTYxIiwianRpIjoieHgycnNJODBER1Z4bHFLdTFQV2R4eWJSLTdB
    eTZWamJNcTAxY3dNYkFGUSJ9.
    -9RsKUSnJHmdqNtNpWbbbTah1YxTkicsabIgxrLWHtGiLsTIaEj_
    q39AvKYWrmfnw5y0dfaD3qtTScxI94OSIg\",
    \"refresh_token\":\"4rA7H1uRZkCQ7Yd0PN98h7IUqW7zT8p1a_BAg0jEyow\",
    \"example_parameter\":\"example_value\",
    \"scope\":null,
    \"token_type\":\"Bearer\",
    \"expires_in\":86400}",
  "subject": "testuser01"
}
The header and payload of the JWT access token are as follows. The latter includes the extra property ("example_parameter":"example_value").
- Header
{
  "kid": "1",
  "alg": "ES256"
}
- Payload
{
  "example_parameter": "example_value",
  "sub": "testuser01",
  "scope": null,
  "iss": "https://authlete.com",
  "exp": 1591690046,
  "iat": 1591603646,
  "client_id": "17201083166161",
  "jti": "xx2rsI80DGVxlqKu1PWdxybR-7Ay6VjbMq01cwMbAFQ"
}