JWT Parser sample configuration
In this example, the attribute connector is configured to obtain the JWT from the XACML attribute `jwt`, which is provided by the connector host, and to store the value of the `sub` claim in the XACML attribute `subjectId`.
It's also configured to accept only tokens that meet the following criteria:
- Have a valid HMAC signature.
- Have not expired (allowing for a 5-second skew).
- Are not being used before their activation time, if such a time is present in the token.
- Have been issued by either `trusted-iss` or `another-trusted-iss`.
- Are intended for the `accepted-aud` audience.
<?xml version="1.0" encoding="UTF-8"?>
<!-- The declaration above must be the first bytes of the file: nothing, not even
     whitespace, may precede it. -->
<!-- JWT parser attribute connector: reads a JWT from one XACML attribute,
     verifies it, and exposes one of its claims as another XACML attribute. -->
<configuration xmlns="http://www.axiomatics.com/attributeconnector/parser/jwt/configuration"
               identifier="jwtpip1">

  <!-- Where the raw token comes from: the XACML attribute "jwt" in the
       access-subject category, supplied by the connector host. -->
  <source>
    <xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    AttributeId="jwt"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </source>

  <!-- Signature verification. The key is a JWK; "kty":"oct" is a symmetric
       (HMAC) secret, so anyone who can read this file can produce tokens this
       parser accepts. Keep the configuration file protected like any other
       credential. The value below is the sample's placeholder key, not one to
       reuse. -->
  <signature>
    <signatureKey>
      {"kty":"oct","k":"NTk2MjhFNUNBNjk1RDc4NjY3RTZCRUIyQzU5MTdFNkU2NjdBQTA2N0I2QjZCRTg5RUI3MUMwQTZDRjYzNTA0MQ"}
    </signatureKey>
  </signature>

  <!-- Claim checks a token must pass after its signature verifies. -->
  <assertions>
    <!-- Reject expired tokens, tolerating 5 seconds of clock skew. -->
    <notExpired skewInSeconds="5"/>
    <!-- Reject tokens used before their activation time; optional="true" means
         a token without such a time is still accepted (presumably the nbf
         claim; confirm against the connector documentation). -->
    <notBefore optional="true"/>
    <!-- Accepted issuers: the value attribute plus each child <value>. -->
    <issuer value="trusted-iss">
      <value>another-trusted-iss</value>
    </issuer>
    <!-- Only tokens intended for this audience are accepted. -->
    <audience value="accepted-aud"/>
  </assertions>

  <!-- Output: the "sub" claim is exposed as the XACML attribute "subjectId". -->
  <mapping>
    <xacmlAttribute Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    AttributeId="subjectId"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <claim>sub</claim>
  </mapping>

</configuration>