JWT Parser Schema
The schema definition for the attribute connector configuration is available below in XML and JSON/YAML formats.
- XML
- JSON/YAML
jwt-parser.config.xsd
<?xml version="1.0" encoding="UTF-8"?>
<!-- XSD for the JWT parser attribute connector configuration.
     The single global element is "configuration"; every type below lives in the
     tns target namespace and elements are namespace-qualified. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.axiomatics.com/attributeconnector/parser/jwt/configuration"
xmlns:tns="http://www.axiomatics.com/attributeconnector/parser/jwt/configuration"
elementFormDefault="qualified">
<xs:element name="configuration" type="tns:configurationType"/>
<!-- configurationType: root content model. The sequence requires source, signature
     and assertions exactly once each (minOccurs defaults to 1) followed by one or
     more mapping elements, in that order. -->
<xs:complexType name="configurationType">
<xs:sequence>
<xs:element name="source" type="tns:sourceType"/>
<xs:element name="signature" type="tns:signatureType"/>
<xs:element name="assertions" type="tns:assertionsType"/>
<xs:element name="mapping" type="tns:mapping" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="identifier" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>The globally unique identifier for this configuration.
The identifier is used to generate unique identifiers for the mappings.
Each mapping must have a globally unique deterministic identifier for
attribute caching to work correctly.
</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<!-- mapping: pairs one XACML attribute with one token payload claim; both children
     are required here.
     NOTE(review): the JSON schema published for the same configuration requires
     only "claim" and also offers "attributeName", which this XSD does not declare.
     Confirm which format is authoritative. -->
<xs:complexType name="mapping">
<xs:sequence>
<xs:element name="xacmlAttribute" type="tns:xacmlAttributeType">
<xs:annotation>
<xs:documentation>This is the XACML attribute e.g. user.department the PDP is looking for.
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="claim" type="xs:string">
<xs:annotation>
<xs:documentation>This is the token payload claim that will be mapped to the attribute.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- xacmlAttributeType: Category, AttributeId and DataType are required, Issuer is
     optional. All four are plain xs:string, so the schema does not check that the
     values are well-formed XACML identifiers. -->
<xs:complexType name="xacmlAttributeType">
<xs:attribute name="Category" type="xs:string" use="required"/>
<xs:attribute name="AttributeId" type="xs:string" use="required"/>
<xs:attribute name="DataType" type="xs:string" use="required"/>
<xs:attribute name="Issuer" type="xs:string"/>
</xs:complexType>
<!-- sourceType: xs:choice, so exactly one of xacmlAttribute or token is given.
     Presumably this selects whether the JWT is taken from a request attribute or
     from the token element. TODO confirm. -->
<xs:complexType name="sourceType">
<xs:choice>
<xs:element name="xacmlAttribute" type="tns:xacmlAttributeType"/>
<xs:element name="token" type="tns:tokenType"/>
</xs:choice>
</xs:complexType>
<!-- tokenType: free-text content plus an optional, unconstrained src attribute.
     NOTE(review): looks like the token may be written inline or referenced through
     src. An inline token would be a bearer credential stored in the configuration
     file, so the file would need matching access control. Confirm intended use. -->
<xs:complexType name="tokenType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="src" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!-- signatureType: signatureKey is optional; allowUnsecured and allowAny are
     booleans that default to false.
     NOTE(review): the names suggest allowUnsecured accepts tokens that carry no
     signature and allowAny accepts a token whatever key signed it. Confirm against
     the product documentation. If that reading is right, setting either flag to
     true means the mapped claims are not authenticated and should not drive
     authorization decisions outside a test environment.
     The schema does not require signatureKey when both flags are false; how the
     parser treats that combination is not visible here. -->
<xs:complexType name="signatureType">
<xs:sequence>
<xs:element name="signatureKey" type="tns:signatureKeyType" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="allowUnsecured" type="xs:boolean" default="false"/>
<xs:attribute name="allowAny" type="xs:boolean" default="false"/>
</xs:complexType>
<!-- signatureKeyType: free-text content plus an optional, unconstrained src
     attribute.
     NOTE(review): presumably the verification key is given inline or loaded from
     src. Whoever can write to that location decides which tokens are trusted, so
     it should be writable only by administrators. TODO confirm what src accepts
     (file path, URL, key format). -->
<xs:complexType name="signatureKeyType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="src" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!-- assertionsType: xs:all with every child at minOccurs="0", so the children may
     appear in any order and an empty assertions element is schema-valid.
     Validation alone therefore does not show that expiry, not-before, issuer or
     audience are checked; a configuration review should look for each element
     explicitly. Whether an omitted assertion is skipped or applied with built-in
     defaults is not visible here. TODO confirm. -->
<xs:complexType name="assertionsType">
<xs:all>
<xs:element name="notExpired" type="tns:timeAssertionType" minOccurs="0"/>
<xs:element name="notBefore" type="tns:timeAssertionType" minOccurs="0"/>
<xs:element name="issuer" type="tns:standardAssertionType" minOccurs="0"/>
<xs:element name="audience" type="tns:standardAssertionType" minOccurs="0"/>
</xs:all>
</xs:complexType>
<!-- timeAssertionType: both attributes are optional and neither declares a default,
     so the effective defaults come from the implementation, not from this schema.
     skewInSeconds is xs:integer, which also admits negative and very large values.
     NOTE(review): presumably the skew widens the accepted time window, in which
     case a large value keeps expired tokens usable for longer. Confirm, and keep
     deployed values small. -->
<xs:complexType name="timeAssertionType">
<xs:attribute name="optional" type="xs:boolean"/>
<xs:attribute name="skewInSeconds" type="xs:integer"/>
</xs:complexType>
<!-- standardAssertionType: expected values can be written as repeated value child
     elements, as a single value attribute, or both; the schema does not say which
     takes precedence. The optional attribute has no declared default.
     NOTE(review): presumably optional="true" lets a token without the claim pass
     the assertion. Confirm before relying on issuer or audience pinning. -->
<xs:complexType name="standardAssertionType">
<xs:sequence>
<xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="optional" type="xs:boolean"/>
<xs:attribute name="value" type="xs:string"/>
</xs:complexType>
</xs:schema>
jwt.parser.config.json
{
"$schema" : "https://json-schema.org/draft/2020-12/schema",
"$defs" : {
"NamedAttribute" : {
"type" : "object",
"properties" : {
"attributeId" : {
"type" : "string"
},
"category" : {
"type" : "string"
},
"datatype" : {
"type" : "string"
},
"issuer" : {
"type" : "string"
}
}
},
"StandardAssertionType" : {
"type" : "object",
"properties" : {
"optional" : {
"type" : "boolean"
},
"value" : {
"type" : "string"
},
"values" : {
"type" : "array",
"items" : {
"type" : "string"
}
}
}
},
"TimeAssertionType" : {
"type" : "object",
"properties" : {
"optional" : {
"type" : "boolean"
},
"skewInSeconds" : {
"type" : "integer"
}
}
}
},
"type" : "object",
"properties" : {
"assertions" : {
"type" : "object",
"properties" : {
"audience" : {
"$ref" : "#/$defs/StandardAssertionType"
},
"issuer" : {
"$ref" : "#/$defs/StandardAssertionType"
},
"notBefore" : {
"$ref" : "#/$defs/TimeAssertionType"
},
"notExpired" : {
"$ref" : "#/$defs/TimeAssertionType"
}
}
},
"identifier" : {
"type" : "string",
"description" : "The globally unique identifier for this configuration.\n The identifier is used to generate unique identifiers for the mappings.\n Each mapping must have a globally unique deterministic identifier for\n attribute caching to work correctly."
},
"mappings" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"attributeName" : {
"type" : "string",
"description" : "The name of the attribute to be mapped to the full attribute definition from the dictionary. This is the recommended way to to define an attribute. Alternatively, xacmlAttribute can be used"
},
"claim" : {
"type" : "string",
"description" : "This is the token payload claim that will be mapped to the attribute."
},
"xacmlAttribute" : {
"$ref" : "#/$defs/NamedAttribute",
"description" : "This is the XACML attribute e.g. user.department the PDP is looking for."
}
},
"required" : [ "claim" ]
}
},
"signature" : {
"type" : "object",
"properties" : {
"allowAny" : {
"type" : "boolean"
},
"allowUnsecured" : {
"type" : "boolean"
},
"signatureKey" : {
"type" : "object",
"properties" : {
"src" : {
"type" : "string"
},
"value" : {
"type" : "string"
}
}
}
}
},
"source" : {
"type" : "object",
"properties" : {
"attributeName" : {
"type" : "string",
"description" : "The name of the attribute to be mapped to the full attribute definition from the dictionary. This is the recommended way to to define an attribute. Alternatively, xacmlAttribute can be used"
},
"token" : {
"type" : "object",
"properties" : {
"src" : {
"type" : "string"
},
"value" : {
"type" : "string"
}
}
},
"xacmlAttribute" : {
"$ref" : "#/$defs/NamedAttribute"
}
}
}
},
"required" : [ "assertions", "identifier", "mappings", "signature", "source" ]
}