JWT Signing Profile

The jwt_signing_profile block lets you configure a JSON Web Token signing profile for your gateway. It is referenced in the jwt_sign() function by its required label.

It can also be used (without label) in oauth2, oidc or beta_oauth2 blocks for token_endpoint_auth_methods "client_secret_jwt" or "private_key_jwt" or in oauth2 blocks with grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer", in the absence of an assertion attribute, for configuring a self-signed JWT assertion.

Block name	Context	Label
`jwt_signing_profile`	Definitions Block, OAuth2 Block, OAuth2 AC (Beta) Block, OIDC Block	required if defined in defititions

Attributes

Name	Type	Default	Description
`claims`	object	-	Claims for the JWT payload, claim values are evaluated per request.
`headers`	object	-	Additional HTTP header fields for the JWT, `typ` has the default value `JWT`, `alg` cannot be set.
`key`	string	-	Private key (in PEM format) for `RS` and `ES` variants or the secret for `HS*` algorithms. Mutually exclusive with `key_file`.
`key_file`	string	-	Reference to file containing signing key. Mutually exclusive with `key`. See `key` for more information.
`signature_algorithm`	string	-	Algorithm used for signing: `"RS256"`, `"RS384"`, `"RS512"`, `"HS256"`, `"HS384"`, `"HS512"`, `"ES256"`, `"ES384"`, `"ES512"`.
`ttl`	string	-	The token's time-to-live, creates the `exp` claim.

Duration

Values of type duration are provided as number string followed by a unit listed below.

Example: timeout = "300s"

Duration units	Description
`ns`	nanoseconds
`us` (or `µs`)	microseconds
`ms`	milliseconds
`s`	seconds
`m`	minutes
`h`	hours

Example

jwt_signing_profile "myjwt" {
  signature_algorithm = "RS256"
  key_file = "priv_key.pem"
  ttl = "600s"
  claims = {
    iss = "MyAS"
    iat = unixtime()
  }
  headers = {
    kid = "my-jwk-id"
  }
}

A detailed example can be found here.

< Job (Beta)

JWT >