Authorization using JWT verification
CRDP supports securing its APIs using JSON Web Tokens (JWTs) issued by trusted identity providers. JWTs allow clients to authenticate and access CRDP resources securely.
To use this feature, JWT verification must be enabled on CipherTrust Manager. Refer to Enable JWT Verification for details.
CRDP supports two types of JWTs:
Regular JWTs
DPoP-bound JWTs (JWTs bound to a client’s key using the DPoP mechanism)
Support for DPoP-bound JWTs will be available in CipherTrust Manager 2.22 and higher versions.
Both formats are validated by CRDP to ensure the authenticity and integrity of the request.
JWT Structure
JWTs are made of three Base64URL-encoded parts:
<header>.<payload>.<signature>
CRDP uses each section to validate the request.
Header
The header defines the algorithm used to sign the JWT and the token type. A regular JWT carries the type JWT:

```json
{
  "alg": "RS256",
  "typ": "JWT"
}
```

A DPoP-bound JWT carries the type dpop+jwt:

```json
{
  "alg": "RS256",
  "typ": "dpop+jwt"
}
```
Supported Signing Algorithms
CRDP currently supports the following JWT signing algorithms:
RS256 – RSA using SHA-256
RS384 – RSA using SHA-384
RS512 – RSA using SHA-512
ES256 – ECDSA using P-256 curve and SHA-256
ES384 – ECDSA using P-384 curve and SHA-384
ES512 – ECDSA using P-521 curve and SHA-512
PS256 – RSASSA-PSS using SHA-256
PS384 – RSASSA-PSS using SHA-384
PS512 – RSASSA-PSS using SHA-512
Payload
CRDP expects specific claims in the payload to authorize access. Note that exp is a NumericDate, so it is a JSON number, not a string. A regular JWT:

```json
{
  "exp": 1234567890,
  "iss": "John Doe"
}
```

A DPoP-bound JWT additionally carries the cnf claim with the jkt confirmation method:

```json
{
  "exp": 1234567890,
  "iss": "John Doe",
  "cnf": {
    "jkt": "orYt32aTSMKPVSPQKsDSAk4MP_-o7mPmIHn7mzSv3y4"
  }
}
```
| Claim | Description |
|---|---|
| exp | (Required) Identifies the expiration time of the JWT. |
| iss | (Optional) Identifies the principal that issued the JWT. If an issuer is configured for the client on the CipherTrust Manager, CRDP rejects any request whose issuer claim is missing or does not match the configured issuer. |
| cnf | (Required for DPoP-bound JWTs) Confirmation claim that carries the confirmation method. Not used with regular JWTs. |
| jkt | JWK SHA-256 thumbprint confirmation method: the base64url encoding of the SHA-256 hash of the DPoP public key (in JWK format) to which the access token is bound. |
Note
The access policy is applied based on the user name found at the location specified in the Username location in JWT field when defining the application. Refer to JWT Verification Parameters for details.
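The claim checks in the table above, together with the cnf.jkt confirmation for DPoP-bound JWTs, as an added example that is not CRDP's own code. It uses only the Python standard library and assumes a configured issuer is passed in as `configured_issuer`; the P-256 JWK and the token it builds are constructed sample values (the coordinates are placeholders, not a real curve point), and the signature is a placeholder because signature verification is a separate step that must run before any claim is trusted.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Split <header>.<payload>.<signature> and decode the two JSON parts.
    The signature is NOT checked here; claim checks only mean something after it is."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three Base64URL parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only, in
    lexicographic order, with no whitespace. This is the value carried in cnf.jkt."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported kty %r" % jwk.get("kty"))
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_claims(payload: dict, configured_issuer=None, now=None) -> None:
    """exp is mandatory and must be a NumericDate; iss is enforced only when an issuer is configured."""
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim missing or not a NumericDate")
    if now >= exp:
        raise ValueError("JWT has expired")
    if configured_issuer is not None and payload.get("iss") != configured_issuer:
        raise ValueError("iss claim missing or does not match the configured issuer")


def check_dpop_binding(payload: dict, dpop_public_jwk: dict) -> None:
    """cnf.jkt must equal the thumbprint of the public key the client proved possession of."""
    jkt = (payload.get("cnf") or {}).get("jkt")
    if not isinstance(jkt, str) or not jkt:
        raise ValueError("DPoP-bound JWT requires a cnf.jkt claim")
    expected = jwk_thumbprint(dpop_public_jwk)
    if not hmac.compare_digest(jkt.encode("utf-8"), expected.encode("utf-8")):
        raise ValueError("cnf.jkt does not match the presented DPoP key")


def demo_dpop_jwk() -> dict:
    """Constructed P-256 JWK with placeholder coordinates (not a real curve point);
    only its thumbprint matters for this example. Extra members such as kid are ignored."""
    return {"kty": "EC", "crv": "P-256",
            "x": b64url_encode(bytes(range(32))),
            "y": b64url_encode(bytes(range(32, 64))),
            "kid": "client-dpop-key"}


def demo_token(payload: dict) -> str:
    """Assemble a token with a placeholder signature so the parsing path can be exercised."""
    header = {"alg": "ES256", "typ": "dpop+jwt"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(parts + [b64url_encode(b"placeholder-signature")])


if __name__ == "__main__":
    jwk = demo_dpop_jwk()
    payload = {"exp": 1234567890, "iss": "John Doe", "cnf": {"jkt": jwk_thumbprint(jwk)}}
    header, claims = decode_unverified(demo_token(payload))
    check_claims(claims, configured_issuer="John Doe", now=1234567000)
    check_dpop_binding(claims, jwk)
    print(header["typ"], "bound to", claims["cnf"]["jkt"])
```

The thumbprint is computed over the canonical form of the required members only, so a JWK that gains a kid or use member still yields the same jkt, while swapping a single coordinate changes it. Rejecting a string-typed exp is deliberate: RFC 7519 defines exp as a NumericDate, and a lenient parser that coerces strings is the kind of leniency that later turns into an expiry bypass.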
Signature
The JWT must be signed with the identity provider's private key using any of the supported algorithms.
CRDP verifies the signature using one of the following:
Static public key
JWKS URL
Static public key: The CRDP administrator provides the public key on the CipherTrust Manager (refer to Enable JWT Verification for details), and CRDP uses this key to verify the JWT.
JWKS URL: The CRDP administrator provides the JWKS URL on the CipherTrust Manager (refer to Enable JWT Verification for details), and CRDP fetches the key set from this URL. To find the public key, CRDP uses the key identifier (kid) of the JWT to select the matching key from the set and verifies the JWT with that key.
Note
A JWKS URL works in both TLS and non-TLS modes with a publicly trusted CA; a JWKS URL served under a custom CA is not supported.
Supported with CipherTrust Manager 2.18 and higher versions.
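The JWKS path described above, as an added example that is not CRDP's own code: select the key whose kid matches the token header, then verify an RS256 signature with it. It uses only the Python standard library (Python 3.8 or later for modular inverse via pow), implements EMSA-PKCS1-v1_5 and RSA verification directly, and generates a throwaway 1024-bit identity-provider keypair so that a token can be signed for the verifier to check; the key generator, the kid value and the claims are constructed for the example, and the JWKS document is built in memory in place of fetching it over HTTPS.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message); RS256 signs exactly this block."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, enough for a throwaway demo key; not a production key generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_demo_rsa_key(bits: int = 1024) -> dict:
    """Constructed identity-provider keypair for this example only (far below production size)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def jwk_from_key(key: dict, kid: str) -> dict:
    """Public half as a JWK, as it appears in the identity provider's JWKS document."""
    def enc(v: int) -> str:
        return b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}


def sign_rs256(claims: dict, key: dict, kid: str) -> str:
    """The identity provider's side; included so the verifier below has input to check."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big"))


def verify_rs256(token: str, jwks: dict) -> dict:
    """Return the payload if the token is RS256-signed by the JWKS key named in its kid; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three parts")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the verifier decides it, never the token (rejects alg "none" and key-type confusion).
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"]
    if len(matches) != 1:
        raise ValueError("no unique RSA key with kid %r in JWKS" % header.get("kid"))
    n = int.from_bytes(b64url_decode(matches[0]["n"]), "big")
    e = int.from_bytes(b64url_decode(matches[0]["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s64)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("signature length or range does not match the modulus")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, emsa_pkcs1_v15((h64 + "." + p64).encode(), k)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(p64))


if __name__ == "__main__":
    key = make_demo_rsa_key()
    jwks = {"keys": [jwk_from_key(key, "idp-key-1")]}  # stands in for the document fetched from the JWKS URL
    token = sign_rs256({"exp": 1234567890, "iss": "John Doe"}, key, "idp-key-1")
    print(verify_rs256(token, jwks))
```

Two details carry most of the security value here: the verifier pins the algorithm from its own configuration rather than honouring whatever alg the token header names, and the kid lookup must resolve to exactly one RSA key before anything is compared. The recovered encoding is compared as a whole against a freshly computed EMSA-PKCS1-v1_5 block, which avoids the padding-parsing mistakes that lenient PKCS#1 v1.5 verifiers have historically suffered from. Claim checks (exp, iss, cnf.jkt) are a separate step that runs only after this function returns.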