How-To: Create a Private Key for Signing JWT ID Tokens

Feel free to jot this down: RFC7519.

We all have our favourite IETF standards, don't we? Something we read again and again in front of the roaring fireplace with our slippers on. Something to chuckle at in darker times, to ponder over, and oh yes, to shed a tear for, whilst contemplating the sheer brilliance of it all. Well, perhaps I speak for myself, but RFC7519, describing the handy, compact, and downright sexy (as open standards go) JSON Web Token (JWT), is the best of them all. Bravo, Jones et al. Bravo.

OpenID Connect adds user authentication through ID Tokens to the OAuth authorization flow used by the OAuth Toolkit (OTK) to secure APIs. These ID Tokens in JWT format consist of a header, a payload, and a digital signature. Everything is packaged up nicely and Base64Url encoded. How secure you want to make this package is up to you. Since it contains user information and associated claims, we recommend an asymmetric signature, which requires creating a private key to sign the JWT; anyone verifying the token then needs only the corresponding public key, and the private key never leaves the issuer.

This short video takes you through the steps on how to configure OTK policies to create a private signing key, select the RS256 signing algorithm, and set up validation using the private key. The test client is used to create an ID token, the token is validated, and the digital signature is verified.
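The sign-and-verify exchange the video configures through OTK policies, written out here in Go as an added example (it is not code from this post or from the OTK product, and it uses Go's standard library rather than any Layer7 API). The claims, the issuer `https://issuer.example` and the audience `client-app` are constructed placeholders. The block builds the three Base64Url segments, signs them with RS256 (RSASSA-PKCS1-v1_5 over SHA-256) using the private key, verifies with the public key only, and then shows that a payload swapped under the original signature and a header rewritten to `"alg":"none"` are both refused:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JWT segments use unpadded base64url (RFC 7515 section 2), not standard base64.
var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWS "header.payload.signature" with RSASSA-PKCS1-v1_5/SHA-256 ("RS256").
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	// The signature covers the two encoded segments joined by a dot, exactly as transmitted.
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 needs only the public key, pins the algorithm before checking the signature, and
// parses the claims only after the signature is good.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have exactly three segments")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		// A header rewritten to "none" or to an HMAC alg is refused, never honoured.
		return nil, errors.New("unexpected alg, want RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// RoundTrip generates a key pair, signs constructed sample claims, verifies the token, and
// reports whether a tampered payload and an "alg":"none" header are both rejected.
func RoundTrip() (claims map[string]interface{}, tamperedRejected, algNoneRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, false, err
	}
	// Constructed sample claims; issuer and audience are placeholders, not real endpoints.
	token, err := SignRS256(priv, map[string]interface{}{"iss": "https://issuer.example", "sub": "alice", "aud": "client-app"})
	if err != nil {
		return nil, false, false, err
	}
	claims, err = VerifyRS256(&priv.PublicKey, token)
	if err != nil {
		return nil, false, false, err
	}
	parts := strings.Split(token, ".")
	// Different subject, original signature kept: must fail.
	forged := b64.EncodeToString([]byte(`{"sub":"mallory"}`))
	_, err = VerifyRS256(&priv.PublicKey, parts[0]+"."+forged+"."+parts[2])
	tamperedRejected = err != nil
	// Header claiming no signature is required: must also fail.
	none := b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	_, err = VerifyRS256(&priv.PublicKey, none+"."+parts[1]+".")
	algNoneRejected = err != nil
	return claims, tamperedRejected, algNoneRejected, nil
}
```

The verifier pins `alg` to the one value it was configured for instead of trusting the header, and only the public key is handed to it; the private key stays with the component that issues tokens, which is the property the asymmetric setup above is meant to buy. A real deployment would additionally check `iss`, `aud` and `exp` after the signature passes.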

blog by Simon Crum

Aric Day


Aric is based in Minneapolis, MN and has been managing enterprise API programs for more than 10 years, both as an operations sysadmin and as an API security consultant designing API integration standards. He currently serves Layer7 North American core accounts within the central and western regions. In previous roles he worked as an automation and API security consultant with both Accenture and Best Buy. Aric has an engineering degree from the University of Minnesota. He is active as a youth hockey coach in winter and enjoys getting outdoors during the brief MN summer months.
