Couper Documentation

edge

JWT Signing Profile

The jwt_signing_profile block lets you configure a JSON Web Token signing profile for your gateway. It is referenced in the jwt_sign() function by its required label.

It can also be used (without a label) in oauth2, oidc or beta_oauth2 blocks for the token_endpoint_auth_methods "client_secret_jwt" or "private_key_jwt", or in oauth2 blocks with grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer" when no assertion attribute is given, to configure a self-signed JWT assertion.

Block name          | Context                                                                  | Label
--------------------|--------------------------------------------------------------------------|-------------------------------------
jwt_signing_profile | Definitions Block, OAuth2 Block, OAuth2 AC (Beta) Block, OIDC Block      | required if defined in definitions

Attributes

Name                | Type   | Default | Description
--------------------|--------|---------|------------------------------------------------------------------------------------------------------------------------------
claims              | object | -       | Claims for the JWT payload; claim values are evaluated per request.
headers             | object | -       | Additional header fields for the JWT; typ has the default value JWT, alg cannot be set.
key                 | string | -       | Private key (in PEM format) for RS* and ES* variants or the secret for HS* algorithms. Mutually exclusive with key_file.
key_file            | string | -       | Reference to a file containing the signing key. Mutually exclusive with key. See key for more information.
signature_algorithm | string | -       | Algorithm used for signing: "RS256", "RS384", "RS512", "HS256", "HS384", "HS512", "ES256", "ES384", "ES512".
ttl                 | string | -       | The token's time-to-live; creates the exp claim.

Duration

Values of type duration are provided as a number string followed by one of the units listed below.

Example: timeout = "300s"

Duration unit | Description
--------------|-------------
ns            | nanoseconds
us (or µs)    | microseconds
ms            | milliseconds
s             | seconds
m             | minutes
h             | hours

Example

jwt_signing_profile "myjwt" {
  signature_algorithm = "RS256"
  key_file = "priv_key.pem"
  ttl = "600s"
  claims = {
    iss = "MyAS"
    iat = unixtime()
  }
  headers = {
    kid = "my-jwk-id"
  }
}

A detailed example can be found here.
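To make the profile semantics concrete, the following is an added Python example (not Couper's code) that builds the token a profile like the one above describes and verifies it: the ttl duration string is parsed with the units from the table, typ defaults to JWT, alg is fixed by the algorithm and rejected in headers, and exp is derived from ttl. It uses HS256 so only the standard library is needed; the profile dict, the secret and the verifier are constructed assumptions, not Couper's behaviour.

```python
import base64, hashlib, hmac, json

# Duration units from this page, in seconds per unit (assumes "<integer><unit>").
UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}

# Constructed profile mirroring the page's example, with an HS* algorithm so only
# the standard library is needed; the secret is a constructed placeholder.
PROFILE = {"signature_algorithm": "HS256", "ttl": "600s",
           "claims": {"iss": "MyAS"}, "headers": {"kid": "my-jwk-id"}}
SECRET = b"constructed-demo-secret-do-not-reuse"

def parse_duration(value: str) -> float:
    """Parse "600s", "10m" or "250ms" into seconds (longer units first, so "ms" beats "s")."""
    for unit in sorted(UNITS, key=len, reverse=True):
        number = value[: -len(unit)]
        if value.endswith(unit) and number.isdigit():
            return int(number) * UNITS[unit]
    raise ValueError(f"invalid duration {value!r}")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(profile: dict, secret: bytes, now: int) -> str:
    """Build the token the profile describes: typ defaults to JWT, alg comes from
    signature_algorithm (HS256 here) and is rejected in headers, exp = now + ttl."""
    if "alg" in profile.get("headers", {}):
        raise ValueError("alg cannot be set")
    header = {"typ": "JWT", **profile.get("headers", {}), "alg": "HS256"}
    exp = int(now + parse_duration(profile["ttl"]))
    # iat is supplied here; the page's example sets it in claims via unixtime()
    claims = {"iat": now, **profile.get("claims", {}), "exp": exp}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(mac)])

def verify(token: str, secret: bytes, now: int) -> dict:
    """Pin alg to HS256, compare the MAC in constant time, enforce exp; return claims or raise."""
    h64, c64, s64 = token.split(".")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```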