Product Documentation

A JSON Web Token (JWT) conforming to RFC-7519 that provides an RP with the ability to establish SKFS as an Identity Provider (IDP), enabling single sign-on (SSO) for users with other web applications within their domain.

In an organization where users use multiple applications, it may be an acceptable security policy to have users authenticate to SKFS (serving as an internal IDP) and use the JWT returned by SKFS as evidence of authentication to other applications configured to trust that JWT.

StrongKey currently provides Java source code that companies may use as-is or modify, under the terms of the GNU Lesser General Public License (LGPL), for as many applications as necessary.

The process companies might use works as follows:

  1. Unauthenticated users attempt to use a web application.
  2. Not seeing a JWT, the application redirects them to the internal IDP to authenticate with a FIDO credential (which they previously registered).
  3. Upon successfully authenticating, they are redirected back to the application.
  4. The application retrieves the JWT and verifies it according to the trust policy defined for the JWT.
  5. Upon successful verification, they continue using the application.
  6. Every other application they use that relies on the trust established by the JWT repeats steps #4 and #5 without requiring the user to authenticate again.

The JWT itself consists of a Header, a Payload, and a Signature. The decoded Header and Payload of a test JWT look as follows:

{
  "alg": "SHA256withECDSA",
  "x5c": "-----BEGIN CERTIFICATE-----\nMIICdjCCAdcCCQCGceih8aUs4zAKBggqhkjOPQQDAjBzMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTETMBEGA1UEBwwKQ3VwZXJ0aW50bzETMBEGA1UE\nCgwKU3Ryb25nQXV0aDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMMBkpX\nVCBDQTAeFw0yMTA4MDUxNzE3NDFaFw0yMjA4MDUxNzE3NDFaMIGKMQswCQYDVQQG\nEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTETMBEGA1UEBwwKQ3VwZXJ0aW50bzET\nMBEGA1UECgwKU3Ryb25nQXV0aDEUMBIGA1UECwwLRW5naW5lZXJpbmcxJjAkBgNV\nBAMMHUpXVCBTaWduaW5nIENlcnRpZmljYXRlIDEuMS4yMIGbMBAGByqGSM49AgEG\nBSuBBAAjA4GGAAQAZCuVW10Ve63VfKtKgTmtkf00A+vVbnxFdCgff38v2kyfmqUh\nwo7e21LKt/aJFD9z5OTKtLsRy1WKHZOtbEC1+YEAk+b+YIKwmfp91Zv+S5Qy+r6n\nPACE3ObE5UI/LAAf4KVrGQsTSOZ5U1ztFbTeR3jCjXzrwNctax4wyuwuXDP/HOIw\nCgYIKoZIzj0EAwIDgYwAMIGIAkIBFoyT/KKi1oTlI9vbyoHK9n0cA/8H90cmZH7M\nxXHWdrRTTAc68ItUBaF28qO5OK9RELScyeFBDVMRtXmGqNIfaG4CQgHigq01wNa/\nXd3PxPqXnwLZ/wyFpZ5ZkfWPmn3afM0fgAoz+OUSjp9cXM1oBtpJV7v82ik/Ioux\nCl2S0KhHycb5BA==\n-----END CERTIFICATE-----\n"
}
{
  "rpid": "strongkey.com",
  "iat": "Tue Sep 07 11:30:36 -0700 2021",
  "exp": "Tue Sep 07 12:00:36 -0700 2021",
  "cip": "10.0.0.2",
  "uname": "hroark",
  "agent": "Apache-HttpClient/4.5.13 (Java/1.8.0_131)"
}

alg

A COSE algorithm identifier that describes what the digital signature is composed of. In this example, the test JSON shows the ECDSA signing algorithm with the SHA256 message digest (hash). This attribute is part of the Header of the JWT.

x5c

A digital certificate representing the signer of the JWT. In this example, it is a test certificate. This attribute is part of the JWT Header.

rpid

The domain identifier of the RP. This attribute is part of the JWT Payload.

iat

The time at which the JWT was issued. This attribute is part of the JWT Payload.

exp

The time at which the JWT expires. This attribute is part of the JWT Payload.

cip

The IP address of the client device on which the user was authenticated and issued the JWT. This attribute is part of the JWT Payload.

uname

The username of the user who was authenticated at the client device and issued the JWT. This attribute is part of the JWT Payload.

agent

The string describing the “user-agent” that was used to authenticate to SKFS and was issued the JWT. This attribute is part of the JWT Payload.

NOTE: The values of the JWT are likely to change in the next release to conform to RFC-7519; the code in the JWT Verifier will change accordingly.