Skip to main content

The most recent patch for this version is 1.0.3.  Learn more  

Version: 1.0

JWT Parser sample configuration

In this example, the attribute connector is configured to obtain the JWT source from the XACML attribute jwt, which will be provided by the connector host, and store the value of the sub claim in the XACML attribute subjectId.

It's also configured to accept only tokens that meet the following criteria:

  • Have a valid HMAC signature.
  • Have not expired (allowing for a 5-second skew).
  • Are not being used before their activation time, if such a time is present in the token.
  • Have been issued by either trusted-iss or another-trusted-iss.
  • Are intended for the accepted-aud audience.
<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns="http://www.axiomatics.com/attributeconnector/parser/jwt/configuration" identifier="jwtpip1">
  <source>
    <xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    AttributeId="jwt"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </source>
  <signature>
    <signatureKey>
        {"kty":"oct","k":"NTk2MjhFNUNBNjk1RDc4NjY3RTZCRUIyQzU5MTdFNkU2NjdBQTA2N0I2QjZCRTg5RUI3MUMwQTZDRjYzNTA0MQ"}
    </signatureKey>
  </signature>
  <assertions>
    <notExpired skewInSeconds="5"/>
    <notBefore optional="true"/>
    <issuer value="trusted-iss">
      <value>another-trusted-iss</value>
    </issuer>
    <audience value="accepted-aud"/>
  </assertions>
  <mapping>
    <xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                    AttributeId="subjectId" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <claim>sub</claim>
  </mapping>
</configuration>