GenerateJWTTokenValve
Note
Generates a JSON Web Token (JWT). Typically used in OpenID Connect scenarios.
Properties
Name | Description | Default value | Mandatory | Supports property expansion |
---|---|---|---|---|
subjectattribute | Attribute holding the value put into the sub claim of the token. | | true | true |
keystore | ID of the keystore used for signing the token. | | true | false |
kid | The key ID (kid) value. This value will be added to the JWT header. | | false | false |
expire_seconds | Number of seconds the JWT is valid (exp will be now + this value). | 90 | false | false |
claims | Claims to be included in the token: an array of claim objects, see below for the format. (Previously called tokenattributes; that name is still supported.) | | false | true |
jwt_token_property_name | The property the token is written to. | id_token | false | false |
Claim
Which claims are included in the token is controlled by the claims (or tokenattributes) configuration property, which holds an array of claim objects. A claim object has a name (the claim name), a value (the claim value; supports property expansion) and a type (the target type of the claim value).
The claim value must expand to a string, but that string may contain JSON-encoded content of any kind. When the value is added to the claim it is converted to the configured type.
Supported types:
- string (default)
- object
- array
- number (double value)
- integer/int
- boolean/bool
- null
Example claim - array of strings (the value is a JSON array encoded as a string):
{
  "name": "roles",
  "value": "[\"admin\",\"manager\",\"user\"]",
  "type": "array"
}
Example claim - object (the value is a JSON object encoded as a string; it must be a single JSON string, so the object is written on one line):
{
  "name": "keys",
  "value": "{\"key_1\": \"value_1\", \"key_2\": \"value_2\", \"key_3\": \"value_3\"}",
  "type": "object"
}
Example Configuration
{
  "name": "GenerateJWTTokenValve",
  "enabled": "true",
  "config": {
    "subjectattribute": "{{session.user_id}}",
    "keystore": "d2c3094d-f538-4abc-9211-cd26c46606d3",
    "expire_seconds": "600",
    "jwt_token_property_name": "id_token",
    "tokenattributes": [{
      "name": "displayName",
      "value": "{{item.displayName}}"
    }]
  }
}
General information
Token TTL is 90 seconds by default.
Attributes always added to the payload are:
- sub - the user identifier
- iat - Issued at
- nbf - Not before
- exp - Expiration
- jti - Token identifier
The signing algorithm is RS256.
Date claims (iat, nbf, exp) are represented as the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.
NOTE:
A previously misspelled valve name, GenerateJWTTokenVavle, with identical functionality still exists in the product for backwards compatibility.
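The claim conversion and payload assembly described in the Claim and General information sections, as an added example that is not the product's own code: it expands {{...}} references against a constructed context (the expansion syntax, the strict "true" test for booleans and the error raised on a type mismatch are assumptions), coerces each claim value to its configured type, adds sub, iat, nbf, exp and jti with the 90-second default TTL, and emits the unsigned header.payload part over which the keystore's RS256 key would produce the signature.

```python
import base64, json, re, time, uuid

# Constructed stand-in for the pipe context that {{...}} references read from.
CONTEXT = {"session": {"user_id": "alice"}, "item": {"displayName": "Alice A."}}

def expand(value, ctx=CONTEXT):
    """Resolve {{a.b}} references (assumed expansion syntax) against ctx."""
    def lookup(match):
        cur = ctx
        for part in match.group(1).split("."):
            cur = cur[part]
        return str(cur)
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lookup, value)

def convert_claim(claim):
    """Expand the value to a string, then coerce it to the configured type."""
    ctype = claim.get("type", "string")           # page: string is the default
    raw = expand(claim["value"])
    if ctype == "string":
        return raw
    if ctype == "null":
        return None
    if ctype in ("integer", "int"):
        return int(raw)
    if ctype == "number":                         # page: double value
        return float(raw)
    if ctype in ("boolean", "bool"):              # assumption: only "true" is true
        return raw.strip().lower() == "true"
    parsed = json.loads(raw)                      # object / array: value holds JSON text
    expected = dict if ctype == "object" else list
    if ctype not in ("object", "array") or not isinstance(parsed, expected):
        raise ValueError("claim %r: value is not a JSON %s" % (claim["name"], ctype))
    return parsed

def build_payload(config, now=None):
    """Registered claims the valve always adds, plus the configured claims."""
    now = int(time.time()) if now is None else now
    ttl = int(config.get("expire_seconds", 90))   # page: TTL defaults to 90 s
    payload = {"sub": expand(config["subjectattribute"]),
               "iat": now, "nbf": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    for claim in config.get("claims", config.get("tokenattributes", [])):
        payload[claim["name"]] = convert_claim(claim)
    return payload

def unsigned_token(config, now=None):
    """base64url(header).base64url(payload); the keystore key's RS256 signature follows it."""
    header = {"alg": "RS256", "typ": "JWT", **({"kid": config["kid"]} if config.get("kid") else {})}
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return b64(header) + "." + b64(build_payload(config, now))
```

A verifier receiving the real token must still check the RS256 signature against the keystore's public key and enforce exp and nbf; the unsigned form above is only the signing input.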