
How-To: Create a Private Key for Signing JWT ID Tokens

Feel free to jot this down: RFC7519.

We all have our favourite IETF standards, don't we? Something we read again and again in front of the roaring fireplace with our slippers on. Something to chuckle at in darker times, to ponder over, and oh yes, to shed a tear for, whilst contemplating the sheer brilliance of it all. Well, perhaps I speak for myself, but RFC7519, describing the handy, compact, and downright sexy (as open standards go) JSON Web Token (JWT), is the best of them all. Bravo, Jones et al. Bravo.

OpenID Connect adds user authentication through ID Tokens to the OAuth authorization flow used by the OAuth Toolkit (OTK) to secure APIs. These ID Tokens, in JWT format, consist of a header, a payload, and a digital signature. Everything is packaged up nicely and Base64Url encoded. How secure you make this package is up to you. Since it carries user information and associated claims, we recommend asymmetric signature verification, which requires creating a private key that is used to sign the JWT.

This short video takes you through the steps on how to configure OTK policies to create a private signing key, select the RS256 signing algorithm, and set up validation using the private key. The test client is used to create an ID token, the token is validated, and the digital signature is verified.

blog by Simon Crum