IBM Security Verify

ISAM AAC: how to add optional "jwk" and "jku" in JOSE header of JWS

  • 1.  ISAM AAC: how to add optional "jwk" and "jku" in JOSE header of JWS

    Posted Thu July 29, 2021 10:09 PM
    Hi Team,

    We are trying to add the optional "jku" and "jwk" parameters to the JOSE header. Based on the RFC (https://datatracker.ietf.org/doc/html/rfc7515#section-4), these parameters are optional, but there should be some way to configure/add these optional parameters in ISAM. Does anyone know how to customize the JOSE header and add optional parameters to the header?

    Thanks


    ------------------------------
    Amitesh Singh
    ------------------------------


  • 2.  RE: ISAM AAC: how to add optional "jwk" and "jku" in JOSE header of JWS

    Posted Fri July 30, 2021 05:33 AM
    Amitesh,

    When you're building a JWT, the input will be an STSUUSER object (either within an identity mapping rule in an STS chain or as input to a call to the STS from a pre-token mapping rule).
    In this STSUUSER object you need to add Context Attributes which have the name of the header you want to add and the type urn:ibm:JWT:header:claim.  These will be added to the header of the JWT when it is created.

    e.g. (in mapping rule of JWT creation STS chain):
    var myJku = "myJkuValue";
    
    var attr1 = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute(
                  "jku",
                  "urn:ibm:JWT:header:claim",
                  myJku);
    
    stsuu.addContextAttribute(attr1);


    (shout out to @Shane Weeden)

    Cheers... Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
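
Once "jku" or "jwk" is emitted in the header as described above, the consuming side has to decide how far to trust it. The following is an added example, not part of the thread and not IBM or ISAM code: a relying-party check in JavaScript (Node.js) that honours "jku" only on an exact https allowlist match and an embedded "jwk" only if its RFC 7638 thumbprint is pinned. All function names, the URL and the key values are assumptions constructed for illustration.

```javascript
// Added example, not IBM/ISAM code: relying-party policy for "jku" and "jwk" headers.
const crypto = require("crypto");

const toB64url = (buf) =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Constructed sample: compact JWS with a dummy signature segment (placeholder values).
function makeSampleJws(header) {
  const seg = (o) => toB64url(Buffer.from(JSON.stringify(o)));
  return `${seg(header)}.${seg({ sub: "demo" })}.c2ln`;
}

// Decode the protected header (first segment). Nothing is verified at this point.
function parseProtectedHeader(jws) {
  const parts = jws.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[0], "base64").toString("utf8"));
}

// RFC 7638 thumbprint of an RSA public JWK (required members, lexicographic order).
function rsaThumbprint(jwk) {
  const canonical = JSON.stringify({ e: jwk.e, kty: jwk.kty, n: jwk.n });
  return toB64url(crypto.createHash("sha256").update(canonical).digest());
}

// Header values are untrusted until the signature verifies, so they may only
// select among key sources that were configured out of band.
function selectKeySource(jws, trustedJkus, pinnedThumbprints) {
  const header = parseProtectedHeader(jws);
  if (header.jku !== undefined) {
    let url;
    try { url = new URL(header.jku); } catch { return { ok: false, reason: "jku is not a URL" }; }
    if (url.protocol !== "https:") return { ok: false, reason: "jku is not https" };
    // Exact match only: prefix or substring checks are not sufficient.
    if (!trustedJkus.has(header.jku)) return { ok: false, reason: "jku not allowlisted" };
    return { ok: true, source: "jku", location: header.jku };
  }
  if (header.jwk !== undefined) {
    if (header.jwk?.kty !== "RSA") return { ok: false, reason: "unsupported kty" };
    const thumbprint = rsaThumbprint(header.jwk);
    if (!pinnedThumbprints.has(thumbprint)) return { ok: false, reason: "jwk not pinned" };
    return { ok: true, source: "jwk", thumbprint };
  }
  return { ok: false, reason: "no jku or jwk header" };
}
```

Signature verification still has to follow with the key obtained from the selected source; this check only decides which source is acceptable.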



  • 3.  RE: ISAM AAC: how to add optional "jwk" and "jku" in JOSE header of JWS

    Posted Fri July 30, 2021 05:48 AM
    Thanks a lot, Jon, for your response. The type urn:ibm:JWT:header:claim is the key; I was trying the wrong type, hence it was not getting added to the header. I will try this. Thank you.

    ------------------------------
    Amitesh Singh
    ------------------------------