JWT Signing Profile
The `jwt_signing_profile` block lets you configure a JSON Web Token signing profile for your gateway. It is referenced in the `jwt_sign()` function by its required label.

It can also be used (without label) in `oauth2`, `oidc` or `beta_oauth2` blocks for `token_endpoint_auth_method`s `"client_secret_jwt"` or `"private_key_jwt"`, or in `oauth2` blocks with `grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer"`, in the absence of an `assertion` attribute, for configuring a self-signed JWT assertion.
Block name | Context | Label |
---|---|---|
jwt_signing_profile | Definitions Block, OAuth2 Block, OAuth2 AC (Beta) Block, OIDC Block | required if defined in definitions |
Attributes
Name | Type | Default | Description |
---|---|---|---|
claims | object | - | Claims for the JWT payload; claim values are evaluated per request. |
headers | object | - | Additional HTTP header fields for the JWT, |
key | string | - | Private key (in PEM format) for |
key_file | string | - | Reference to file containing signing key. Mutually exclusive with |
signature_algorithm | string | - | Algorithm used for signing: |
ttl | string | - | The token's time-to-live, creates the |
Duration
Example: timeout = "300s"
Duration units | Description |
---|---|
ns | nanoseconds |
us (or µs) | microseconds |
ms | milliseconds |
s | seconds |
m | minutes |
h | hours |
Example
```hcl
jwt_signing_profile "myjwt" {
  signature_algorithm = "RS256"
  key_file = "priv_key.pem"
  ttl = "600s"
  claims = {
    iss = "MyAS"
    iat = unixtime()
  }
  headers = {
    kid = "my-jwk-id"
  }
}
```
A detailed example can be found here.
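
On the receiving side, a service that accepts tokens from the `myjwt` profile can pin what the profile fixes: algorithm, `kid`, `iss`, and a lifetime no longer than `ttl`. The following Python check is an added example, not part of the Couper documentation, and is meant to run after the signature has been verified with a JWT library. It assumes that `ttl` produces an `exp` claim relative to `iat` (the table cell is cut off on this page) and that a duration may chain several number+unit pairs; all function names are hypothetical.

```python
import base64, json, re

# Units from the Duration table above, in seconds.
UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

def parse_duration(text):
    """Convert a duration string such as "600s" to seconds; reject anything else."""
    pos, total = 0, 0.0
    for part in PART.finditer(text):
        if part.start() != pos:  # junk between two number+unit pairs
            break
        total += float(part.group(1)) * UNITS[part.group(2)]
        pos = part.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid duration: {text!r}")
    return total

def encode_segment(data):
    """Base64url-encode a dict as a JWT segment (builds the constructed samples)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_token(token, profile, now):
    """List policy violations in a JWT whose signature was already verified."""
    header, payload = (decode_segment(s) for s in token.split(".")[:2])
    want_header = {"alg": profile["signature_algorithm"], **profile["headers"]}
    problems = []
    for kind, got, want in (("header", header, want_header),
                            ("claim", payload, profile["claims"])):
        problems += [f"unexpected {kind} {k}" for k, v in want.items() if got.get(k) != v]
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        problems.append("iat or exp missing")
    elif exp <= now:
        problems.append("expired")
    elif exp - iat > parse_duration(profile["ttl"]):
        problems.append("lifetime exceeds ttl")
    return problems

# Expectations copied from the "myjwt" profile; iat is per-request, so not pinned.
PROFILE = {"signature_algorithm": "RS256", "headers": {"kid": "my-jwk-id"},
           "claims": {"iss": "MyAS"}, "ttl": "600s"}

def sample_token(header, payload):  # constructed token, placeholder signature
    return ".".join([encode_segment(header), encode_segment(payload), "c2ln"])
```

`check_token(sample_token(header, payload), PROFILE, now)` returns an empty list for a token that matches the profile, and one entry per mismatch otherwise.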