External JWT Authentication
Authenticate users using externally created JSON Web Tokens (JWT). In this setup, your 3rd-party provider creates JWTs
Prerequisites for JWT Authentication
You have an external JWT identity provider that is issuing JWTs to your users.
You have configured a user directory to PrivX from which PrivX can resolve users by JWT subject.
JWTs from your identity provider must include the following claims:
Headers
alg
: Algorithm used for generating the JWT.typ
: JWT
Payload
sub
: subject name in either plain or DN format (for examplealice
orCN=alice,DC=example,DC=com
).iss
: Issuer name
Additionally if PrivX is configured to fetch JWT signature verification certificates or keys from network, then the JWT header must include the
x5u
claim.If the JWT token payload includes the optional
iat
,nbf
orexp
claims then PrivX verifies those timestamps against local server time.
PrivX can validate JWTs against locally stored public key(s) or against public keys/certificates located at a X.509 URL. Typically you only need one or the other, not both.
Example of a JWT with minimal claims:
{
"headers": {
"alg": "RS256",
"typ": "JWT",
"x5u": "https://idp.example.com/v1/k/12345"
}
"payload": {
"iss": "issuer12345",
"sub": "alice"
}
}
External JWT-Validation Setup
To add your JWT issuer as a trusted provider to PrivX:
On Administration→Deployment→External Token Authentication, click Add New Provider.
Provide the information about your JWT identity provider, which is used for validating users' JWTs. You will at least need to provide the General, Public key, and Token validation settings.
Select a user directory from which PrivX resolves users by JWT subject.
Set Subject type according to the format of your JWT tokens'
sub
claim. For example, set to Plain if thesub
claim only contains the user name:"sub": "alice"
As another example, if the
sub
claim is in DN notation with the user name in the cn attribute:"sub": "cn=alice,dc=example,dc=com"
You should set Subject type to DN, and DN attribute to cn.
In both of the previous examples PrivX will search user
alice
from the configured user directory.Set Public key method to one of the following:
Use Token Provider Public Key
Specify one or more signer's public keys and corresponding
kid
s. The incoming JWT Token will be verified against these public keys. The JWT token's optionalkid
claim will be used as a hint for selecting the public key. If JWT token does not contain akid
claim then signature verification is attempted with all configured public keys.Fetch Token Provider Certificate From X5U Header
This method is used when JWT token's
x5u
header claim refers to a resource for an X.509 public key certificate or certificate chain. PrivX fetches the certificate from thex5u
URL, validates the certificate and verifies the JWT signature using the public key extracted from the leaf certificate.Specify one or more X.509 certificates in X5U Trust Anchor. These trust anchor certificates are used for validating the X.509 certificate fetched from the
x5u
URL.You can optionally specify an X5U Prefix for enforcing that the JWT token's
x5u
claim must have a specific https URL prefix.Optionally specify X5U TLS Trust Anchors within this method. You can provide one or more X.509 certificates to be used for validating the server TLS certificate when making HTTPS request to
x5u
URL, otherwise, a system trusted trust anchor configuration is used instead.Fetch Token Provider Public Key From X5U Header
This method is used when a JWT X5U Header Parameter refers to a resource for a PKIX PEM format public key. PrivX verifies that the
x5u
URL starts with an allowed URL prefix, fetches the public key from the URL and uses it to verify the JWT signature.Specify an X5U Prefix for enforcing that the JWT token's
x5u
claim must have a specific https URL prefix.Optionally X5U TLS Trust Anchors can also be specified within this method. You can provide one or more X.509 certificates to be used for validating the server TLS certificate when making HTTPS request to
x5u
URL, otherwise, a system trusted trust anchor configuration is used instead.
Set Issuer to correspond with the
iss
claim in your JWT tokens.Optionally you can specify audience which must be present in the JWT token's
aud
claim.(Optional) Under Custom parameter validation, you may specify additional claims that need to be satisfied for authentication. Possible value types include:
String pattern: The expected value compares a claim value to a glob pattern.
Numeric range: The claim value will be checked if it is within an expected numeric range.
IP range: The claim value will be checked if it is within an expected IP range. Can be either IPv4 for IPV6. CIDR notation is unsupported.
Client IP: The claim value will be checked if it matches the IP address from which the token login REST API request is made.
For the JWT token to pass each custom parameter validation the claim must either have a single matching value or it must have an array of values of which at least one value matches.
Save your settings.
You may verify back on the Administration→Deployment→External Token Authentication page that the new identity provider has been added.
JWTs provided by the identity provider can now be used for authentication to PrivX. You can exchange the JWT token to a PrivX access token using the API endpoint /auth/api/v1/token/login.