PingFederate Server

Configuring a JWT Token Processor 1.2 instance

The PingFederate security token service (STS) provides validation for JSON Web Tokens (JWTs).

About this task

When configuring a JWT Token Processor instance to validate incoming JWTs, the system relies on a JSON Web Key Set (JWKS) to verify the token’s signature. For the validation to succeed, specific attributes in the JWK must match corresponding information in the JWT header.

You can find more information about each attribute in the following table:

Required JWK Attributes for JWT Validation
Attribute Description

kid

The kid (key ID) parameter matches a specific key.

use

The use (public key use) parameter identifies the intended use of the public key. For JWT validation, it indicates that the public key is used for verifying the data signature.

The parameter value must be sig.

alg

The alg (algorithm) parameter must match the kty (key type) parameter, which is the cryptographic algorithm family used with the key.

Learn more in JSON Web Key (JWK).
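
The attribute checks from the table above, written out as an added Python example (not PingFederate code or configuration): it picks the one JWK allowed to verify a token and refuses anything that fails the kid, use, or alg/kty match. Comparing the JWK's alg with the token header's alg is an assumption about how the match is applied; the function names and the sample JWKS are constructed for illustration.

```python
import base64
import json

# JWS "alg" prefix -> JWK "kty" family (RFC 7518, RFC 8037). HMAC ("HS") is left
# out on purpose: the page describes public keys published at a JWKS endpoint.
ALG_FAMILY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "Ed": "OKP"}


def jwt_header(token):
    """Decode the (still unverified) header of a compact-serialized JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def select_jwk(header, jwks):
    """Return the one JWK allowed to verify this token, or raise ValueError."""
    kid, alg = header.get("kid"), str(header.get("alg") or "")
    family = ALG_FAMILY.get(alg[:2])
    if family is None:  # unknown algorithms, HS* and "none" stop here
        raise ValueError(f"unsupported alg {alg!r}")
    if not kid:
        raise ValueError("header has no kid")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one key with kid {kid!r}")
    key = candidates[0]
    if key.get("use") != "sig":
        raise ValueError("key use is not sig")
    if key.get("alg") != alg or key.get("kty") != family:
        raise ValueError("alg does not match the key's alg/kty")
    return key


def sample_token(header):
    """Constructed sample: real header, placeholder payload and signature."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return h.decode() + ".e30.c2ln"


# Constructed JWKS (key material omitted; only the matched attributes matter).
SAMPLE_JWKS = {"keys": [
    {"kid": "sig-1", "use": "sig", "alg": "RS256", "kty": "RSA"},
    {"kid": "enc-1", "use": "enc", "alg": "RSA-OAEP", "kty": "RSA"},
    {"kid": "ec-1", "use": "sig", "alg": "ES256", "kty": "EC"},
]}
```

The selected key is only the input to signature verification; the issuer and expiry checks configured on the instance still apply afterwards.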

Steps

To configure the JWT Token Processor instance:

  1. Go to Authentication > Token Exchange > Token Processors.

  2. On the Instance Configuration tab, enter the required information.

    See the following table for information about each field.

    JWT Token Processor instance field names and descriptions
    Field Description

    JWKS Endpoint URI

    The URI of the JWKS endpoint. A set of JSON Web Keys (JWKs) is downloaded from this endpoint and used for JWT signature verification.

    Issuer

    A unique identifier for the issuer of the JWT.

    Expiry Tolerance

    The amount of time, in seconds, to allow for clock skew between servers. Valid range is 0 to 3600.