JwtBuilderFilter

[sheger]

Are there any plans to add a JwtBuilderFilter to OpenIG? This would be what ForgeRock added in version 6.1

[vharseko]

The JwtBuilderFilter collects data from template and puts the name-value pairs into a JWT structure. Then the JWT structure is placed in a context JwtBuilderContext for downstream use.

This filter can produce:

• unsecured (unsigned JWT are deprecated as not secure)
• signed JWT
• signed then encrypted JWT
• encrypted JWT

 {
      "type": "JwtBuilderFilter",
      "config": {
          "template"              :     map/expression       [REQUIRED]
          "secretsProvider":      :     Secrets Provider     [OPTIONAL - resolve signing/encryption keys.]
          "signature"             : {   object               [OPTIONAL but if set, inner attributes MAY BE REQUIRED]
              "secretId"            :     expression           [REQUIRED - secret ID of the key used for signing]
              "algorithm"           :     expression           [OPTIONAL - default to RS256 (1)]
              "encryption"          : {   object               [OPTIONAL but if set, inner attributes are REQUIRED]
                  "secretId"            :   expression           [REQUIRED - secret ID of the key used for encryption]
                  "algorithm"           :   expression           [REQUIRED - The encryption algorithm (2)]
                  "method"              :   expression           [REQUIRED - The encryption method (3)]
              }
          }
          "encryption"          : {   object                 [OPTIONAL but if set, inner attributes are REQUIRED]
              "secretId"            :   expression             [REQUIRED - secret ID of the key used for encryption]
              "algorithm"             :   expression           [REQUIRED - The encryption algorithm (2)]
              "method"                :   expression           [REQUIRED - The encryption method (3)]
          }
      }
 }

(1) List of JWS Algorithms (2) List of JWE Algorithms (3) List of Encryption Methods

Example of use - unsecured(unsigned) JWT (deprecated):

 {
      "type": "JwtBuilderFilter",
      "config": {
          "template": {
              "mail": "${contexts.userProfile.rawInfo.mail[0]}",
              "employeeNumber": "${contexts.userProfile.rawInfo.employeeNumber[0]}"
          }
      }
   }

Example for signing a JWT:

{
      "type": "JwtBuilderFilter",
      "config": {
          "template": "${attributes.userProfile}",
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS384"
          }
      }
 }

Example for signing then encrypting a JWT:

{
      "type": "JwtBuilderFilter",
      "config": {
          "template": {
              "mail": "${contexts.userProfile.rawInfo.mail[0]}",
              "employeeNumber": "${contexts.userProfile.rawInfo.employeeNumber[0]}"
          },
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS256",
              "encryption": {
                  "secretId": "my.encryption.key",
                  "algorithm": "dir",
                  "method": "A128CBC-HS256"
              }
          }
      }
 }

Example for encrypting a JWT:

{
      "name": "JwtBuilderFilter-1",
      "type": "JwtBuilderFilter",
      "config": {
          "template": "${attributes.userProfile}",
          "secretsProvider": "SystemAndEnvSecretStore-1"
          "encryption": {
              "secretId": "my.encryption.key",
              "algorithm": "dir",
              "method": "A128GCM"
          }
      }
 }

[sheger]

Are you adding context to support the addition of a JwtBuilderFilter or are you saying this functionality exists today in OpenIG 5.3.1?

[vharseko]

planned only