JSON Web Tokens Support

This works in conjunction with the OpenID Connect 1.0 Support. JSON Web Tokens (JWTs, pronounced "jots") are a compact, URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object.

Within the OpenID Connect specifications, the id_token returned from the token endpoint is always a JWT.
An access_token can also be a JWT in some cases, although OAuth 2.0 itself does not require any particular format for it.

What is a JWT?

A JWT is a token made of base64url-encoded JSON segments that is used to transfer information over the web. Because a JWT is signed, the recipient can verify that the claims were issued by the expected party and were not modified in transit. It could contain any information; for the scope of this document, it contains information about the user, which a client can use to authenticate the user or act on behalf of the user.

JWT Structure

A signed JWT (the JWS compact serialization) consists of three base64url-encoded parts separated by dots: header, payload and signature.
The JWT has this format:

[header].[payload].[signature]
  • The Header contains information about the JWT itself, such as the algorithm used to sign it (alg), the token type (typ) and, optionally, the identifier of the signing key (kid).
  • The Payload contains the claims to be transferred between the parties. It also carries claims about the token itself, such as the issuer (iss), the expiry time (exp) and the issued-at time (iat). Note that base64url is an encoding, not encryption: anyone holding the token can read the payload, so it must not carry secrets.
  • The Signature is computed over the base64url-encoded header and payload (joined by a dot) with a key selected by the algorithm in the header. With HS256 it is an HMAC-SHA256 keyed with a secret shared between the issuer and the verifier; with the RSA algorithms it is an RSA signature over the SHA-256 hash, created with the issuer's private key and verified with the corresponding public key. An unkeyed hash would give no protection, since anyone could recompute it after changing the payload.

You can read more about the JWT and its structure here: https://jwt.io/introduction/
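The following is an added example, not code from the original page or from the product it documents. It builds a token in the [header].[payload].[signature] format with HS256 using only the Python standard library, then verifies it the way a client should: the expected algorithm is pinned rather than read from the token, the signature is compared in constant time, and the iss, exp and iat claims are checked. The secret, issuer URL and claim values are constructed for the example; a real deployment uses the secret or certificate configured on the server.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. A real HS256 secret must be high-entropy and is
# held by both the issuer and every verifier, so anyone who has it can mint tokens.
SECRET = b"example-shared-secret-do-not-use"
ISSUER = "https://idp.example"  # hypothetical issuer URL for the example


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515, Appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature; the signature is HMAC-SHA256 over the
    two encoded segments joined by '.', keyed with the shared secret."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple:
    """Split a token into its header and payload dicts WITHOUT checking the
    signature. Fine for inspection; never use the result for an access decision."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, issuer: str, now: Optional[int] = None) -> dict:
    """Verify algorithm, signature and standard claims. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, not the token's header.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information about the signature.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iat", 0) > now + 60:  # small clock-skew allowance
        raise ValueError("token issued in the future")
    return claims


def is_valid(token: str, secret: bytes, issuer: str, now: int) -> bool:
    try:
        verify_hs256(token, secret, issuer, now)
        return True
    except ValueError:
        return False


def run_checks(now: int = 1_700_000_000) -> dict:
    """Exercise the happy path and the failure modes a verifier must catch."""
    claims = {"iss": ISSUER, "sub": "alice", "iat": now, "exp": now + 300}
    token = sign_hs256(claims, SECRET)
    header_b64, payload_b64, sig_b64 = token.split(".")

    # Forgery attempt 1: change the payload (sub -> admin) but keep the old signature.
    forged_claims = dict(claims, sub="admin")
    tampered = header_b64 + "." + _json_segment(forged_claims) + "." + sig_b64
    # Forgery attempt 2: declare alg "none" with an empty signature segment.
    alg_none = _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(forged_claims) + "."

    return {
        "header": decode_unverified(token)[0],
        "valid": is_valid(token, SECRET, ISSUER, now),
        "expired": is_valid(token, SECRET, ISSUER, now + 301),
        "wrong_secret": is_valid(token, b"other-secret", ISSUER, now),
        "wrong_issuer": is_valid(token, SECRET, "https://evil.example", now),
        "tampered_payload": is_valid(tampered, SECRET, ISSUER, now),
        "alg_none": is_valid(alg_none, SECRET, ISSUER, now),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Only the first check succeeds; every forgery and every stale or misdirected token is rejected before its claims are trusted. The tampered-payload case is the reason the signature must be keyed: the attacker can recompute a plain hash, but not an HMAC or RSA signature without the key.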

How to configure JWT Support?

  • Navigate to the "OAuth Clients" tab and click "Update" on the client you want to configure JWT Support for.
    [screenshot: jwt-support-configuration]
  • You will be shown a JWT Support menu like the one below. It has a toggle to turn the feature on or off.
    [screenshot: jwt-support-toggle]
  • You can also select the algorithm used to sign the JWT. By default, the server is configured to use HS256, which signs with a secret shared between the server and the client; any party holding that secret can also create valid tokens, so it must be protected accordingly.

    NOTE: If you use any of the RSA-based algorithms, you will be required to provide the signing certificate to your client. The client uses the public key in that certificate to verify the JWT signature; the private key stays on the server.
    [screenshot: jwt-signing-algorithm]