Syntax:
com.ibi.edaqm.XDJWTCreateTokenFromPlaintextAgent
Description:
The com.ibi.edaqm.XDJWTCreateTokenFromPlaintextAgent service creates, and optionally signs, a JSON Web Token consisting of the following three parts:
The service generates a token in compact form. The three parts are serialized and separately encoded in Base64url, and then concatenated together with separating periods (.).
The resulting value can be embedded in an HTTP response later, for example by creating a Set-Cookie header.
Parameters:
The following tables describe the parameters of the JSON Web Token Create from Plaintext service.
Main
Parameter | Description |
---|---|
Plaintext | Opaque string to be used as the token payload, for example this can be the plaintext of a JSON Web Encryption (JWE) structure. |
Output Register | Name of a special register where the generated token will be stored. |
Note: The generated token is stored in a special register. The output document is the input document.
Headers
Parameter | Description |
---|---|
Type | The "typ" (type) header is used by JWT applications to declare the media type of this token. The Type (typ) header is often left empty. It can be set to JWT to declare this is a JSON Web Token. |
Content Type | The "cty" (content type) header is used to convey structural information about the token. The recommended value is empty for regular tokens and JWT for tokens with a nested JWT as the payload. The recommended value for the Content Type (cty) header is empty for tokens with claims encoded as members of a JSON object. |
Key Id Source | Specifies how the "kid" (key id) header is computed. This header identifies the signature key. An application can use that header value to retrieve the key to validate the signature. A Key Fingerprint requires a public key. The Key Id Source parameter determines how the kid header is created. Selecting None does not create a kid header. Choosing Key Alias sets the kid header to the value of the Key Alias. Selecting Key Fingerprint sets the kid header to the fingerprint of the public key associated with the signature private key. The Key Fingerprint option is not applicable when the signature algorithm uses a symmetric secret key. Choosing Key Id Parameter sets the kid header to the value of the Key Id parameter. |
Key Id | Value of the "kid" (key id) header when the Key Id Source is Key Id Parameter, otherwise it is ignored. |
Header Namespace | Special register namespace from which token headers will be taken. The Header Namespace is a way to create custom headers. Each register in that namespace will create a header of the same name. For example, if the Header Namespace is ns, the special register named ns.hdr1 will create a header named hdr1. |
Note: The alg header is always included automatically in the token. The value is taken from the signature Algorithm.
Signature
Parameter | Description |
---|---|
Algorithm | Digital signature or MAC algorithm. The supported signature or MAC algorithms are: HS256: HMAC using SHA-256; HS384: HMAC using SHA-384; HS512: HMAC using SHA-512; RS256: RSASSA-PKCS1-v1_5 using SHA-256; RS384: RSASSA-PKCS1-v1_5 using SHA-384; RS512: RSASSA-PKCS1-v1_5 using SHA-512; ES256: ECDSA using P-256 and SHA-256; ES384: ECDSA using P-384 and SHA-384; ES512: ECDSA using P-521 and SHA-512; PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256; PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384; PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512; none: No digital signature or MAC performed. |
Secret Key | Symmetric key to use with one of the HMAC signature algorithms. The string is converted to bytes using UTF-8 encoding. The symmetric key can be specified in the Secret Key parameter when the signature algorithm is HMAC. The value is a string that will be converted to a byte array with the UTF-8 encoding. Make sure the resulting byte array is long enough compared to the algorithm length counted in bits. For example, HS256 requires at least 32 bytes. It is also possible to find the symmetric key in a keystore. See the examples for a sample keytool command. The Secret Key or KeyStore Provider name and Key Alias are required, unless the generated token is unsigned. |
KeyStore Provider | Provider for the keystore containing the signature key. The Secret Key or KeyStore Provider name and Key Alias are required, unless the generated token is unsigned. |
Key Alias | Alias of the signature key in the keystore. The Secret Key or KeyStore Provider name and Key Alias are required, unless the generated token is unsigned. |
Key Password | Password for the signature key. If left blank, the password for accessing the keystore will be used. |
Note: For public key signature algorithms, the private key is retrieved from a keystore using the specified key alias.
Edges
The following table lists the available edges that are returned by the JSON Web Token Create from Plaintext service (com.ibi.edaqm.XDJWTCreateTokenFromPlaintextAgent).
Edge | Description |
---|---|
success | Operation was successful. |
fail_parse | An iFL expression could not be evaluated. |
fail_operation | Operation could not be completed successfully. |
Example
The following example creates a minimal token. You must always include at least one claim. This token is unsigned. Parameters not listed have their default value.
Parameter | Parameter Value |
---|---|
Plaintext | abcdef |
Algorithm | HS256 |
Secret Key | mySecretPassphrase12345678901234 |
The generated token in the jwt special register is:
eyJhbGciOiJIUzI1NiJ9.YWJjZGVm.d2NmvJHLxNTbQVoMglH_haWE6FYCLK8h9hUO3SklcQk
This token decodes to the following:
{ "alg": "HS256" } . abcdef . [no signature]
In the generated token, the payload is YWJjZGVm, which is the plaintext string encoded in Base64url.
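The compact serialization and the Secret Key length rule described above can be reproduced outside the product. The following Python sketch is an added example, not iWay code: the function names are hypothetical, it covers only the HMAC algorithms, and it assumes the header contains nothing but alg. It also shows the matching verifier, which pins the expected algorithm instead of trusting the token header.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithm -> (hash, minimum key length in bytes)
HMAC_ALGS = {"HS256": (hashlib.sha256, 32), "HS384": (hashlib.sha384, 48),
             "HS512": (hashlib.sha512, 64)}

def b64url(data: bytes) -> str:
    # Base64url without '=' padding, as compact serialization requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(alg: str, secret: str, signing_input: str) -> bytes:
    if alg not in HMAC_ALGS:
        raise ValueError(f"not an HMAC algorithm: {alg!r}")
    digest, min_len = HMAC_ALGS[alg]
    key = secret.encode("utf-8")  # same conversion the Secret Key parameter uses
    if len(key) < min_len:
        raise ValueError(f"{alg} needs a key of at least {min_len} bytes")
    return hmac.new(key, signing_input.encode("ascii"), digest).digest()

def create_token(plaintext: str, secret: str, alg: str = "HS256") -> str:
    header = json.dumps({"alg": alg}, separators=(",", ":"))
    signing_input = b64url(header.encode()) + "." + b64url(plaintext.encode("utf-8"))
    return signing_input + "." + b64url(mac(alg, secret, signing_input))

def verify_token(token: str, secret: str, expected_alg: str = "HS256") -> str:
    """Return the payload text; raise ValueError if the token does not verify."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head))["alg"]
        given, payload = b64url_decode(sig), b64url_decode(body)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; a token whose header says "none" must not pass.
    if alg != expected_alg:
        raise ValueError("algorithm mismatch")
    if not hmac.compare_digest(mac(expected_alg, secret, f"{head}.{body}"), given):
        raise ValueError("bad signature")
    return payload.decode("utf-8")

if __name__ == "__main__":
    # Inputs taken from the example table on this page
    print(create_token("abcdef", "mySecretPassphrase12345678901234"))
```
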
See the JSON Web Token Create Service content for more examples.