Authorization using JWT Verification
CRDP provides a JWT verification feature for authorizing users who access the CRDP resources (APIs). To use this feature, JWT verification must be enabled. Refer to Enable JWT Verification for details.
Whenever a user wants to access the CRDP resources (APIs), the request must carry a JWT in the Authorization header using the Bearer scheme. CRDP checks the Authorization header for a valid JWT. If a valid JWT is present, the user is allowed to access the CRDP resources (APIs); otherwise the request is not allowed.
The JWT structure for any incoming request to CRDP should include the following parts:
Header
type (typ): Specifies the token type supported by CRDP. CRDP supports only Bearer tokens.
algorithm (alg): Specifies the signing algorithm supported by CRDP. CRDP supports only RS256; a JWT with any other alg value is not accepted.
Payload
The payload contains claims. The supported registered claims are iss (issuer) and exp (expiry).
Issuer (iss): This claim is optional. It identifies the principal that issued the JWT. CRDP validates the iss claim in the JWT against the Issuer field provided in the application configuration.
Note: If a value is set in the Issuer field while configuring an application on the CipherTrust Manager, the payload must contain an iss (issuer) claim with the same value as set on the CipherTrust Manager. For example, if the value in the Issuer field on the CipherTrust Manager is https://example.com, the payload must contain the same value, as shown below:
"iss": "https://example.com"
Expiry (exp): This claim is mandatory. It identifies the expiration time of the JWT as a numeric date (seconds since the Unix epoch); a JWT whose exp lies in the past is not valid.
Signature
This part of the JWT is the signature computed over the encoded header and payload. CRDP verifies it with the RS256 public key, which it obtains in one of the two ways below.
CRDP allows JWT verification using either a Public Key or a JWKS URL.
Public Key
The CRDP administrator provides the Public Key on the CipherTrust Manager (refer to Enable JWT Verification for details), and CRDP uses this key to verify the JWT signature.
JWKS URL
The CRDP administrator provides the JWKS URL on the CipherTrust Manager (refer to Enable JWT Verification for details), and CRDP fetches the key set from this URL. To find the public key, CRDP uses the key identifier (the kid in the JWT header) to select the matching key from the set and verifies the JWT with that key.
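The following Go program is an added example, not CRDP's own code or the CipherTrust Manager's implementation. It shows the checks described above for an incoming token, in the order a verifier should apply them: the alg header is pinned to RS256 before any key is used (so "none" and HS256 key-confusion tokens are refused outright), the public key is selected by kid from a JWK Set of the kind fetched from a JWKS URL, the RSASSA-PKCS1-v1_5 signature over header.payload is verified, exp is required and must lie in the future, and iss must equal the configured Issuer when one is set (any issuer is accepted when it is empty, matching the optional claim). The JWKS document, the kid value "kid-1", the claim values and the signing helper are all constructed for the example; for the Public Key option, pass a one-entry map holding the configured key under whatever kid the token carries.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims carries the two registered claims the page documents: iss (optional), exp (mandatory).
type Claims struct {
	Iss string `json:"iss,omitempty"`
	Exp int64  `json:"exp,omitempty"`
}

// SignRS256 mints a demo token. Constructed for this example: the identity provider signs, not CRDP.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// KeysFromJWKS parses a JWK Set (the document fetched from a JWKS URL) into a kid-indexed map.
func KeysFromJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct {
		Keys []struct{ Kty, Kid, N, E string } `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			continue // only RSA keys can verify RS256; skip anything else
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// decodeSegment base64url-decodes one JWT segment and unmarshals its JSON.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyRS256 applies the checks the page lists: alg pinned to RS256 before any key is used,
// key chosen by kid, signature verified, exp mandatory and in the future, iss matched when configured.
func VerifyRS256(token string, keys map[string]*rsa.PublicKey, expectedIss string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("token must be header.payload.signature")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("header rejected (alg %q): only RS256 is accepted", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return c, fmt.Errorf("no public key for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature verification failed")
	}
	if err := decodeSegment(parts[1], &c); err != nil {
		return c, err
	}
	switch {
	case c.Exp == 0:
		return c, errors.New("exp claim is mandatory")
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, errors.New("token expired")
	case expectedIss != "" && c.Iss != expectedIss:
		return c, fmt.Errorf("iss %q does not match the configured Issuer %q", c.Iss, expectedIss)
	}
	return c, nil
}
```

The signature is checked before the payload is parsed so that no claim from an unauthenticated body influences a decision; the alg check comes first because a verifier that lets the token choose the algorithm can be tricked into treating the RSA public key as an HMAC secret. Only claims that cannot be verified without the signature (exp, iss) are read after it.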