Software AG Products 10.11 | Administering Integration Server | Configuring Integration Server to Use JWT | Using JWT with Integration Server
 
Using JWT with Integration Server
You can use Integration Server to enable and configure JWT. The figure below illustrates the steps involved in JWT authentication.
Step 1
User sign in (to Token Provider).
To access a protected data or a service residing on Integration Server, client sends a request for a JWT bearer token using his or her credentials to a third-party token provider.
Step 2
Obtain JWT.
After authentication, the token provider creates a JWT and returns it to the client.
Step 3
User uses the JWT.
Every time the client sends a request to access a resource or service in Integration Server, client sends a copy of this to token along with the request to Integration Server. Client sends the JWT in the authorization header using the bearer scheme to authenticate itself.
Step 4
Integration Server validates the JWT.
Based on the issuer to certificate mapping defined in Integration Server Administrator, Integration Server identifies the certificate alias and uses the corresponding public key to verify the signature. If signature verification fails, then the request is rejected.
Note:Integration Server does support unsigned JWTs (JWTs without a signature).
After the signature is verified, Integration Server verifies the claims contained in the JWT payload.
For the claim name...
Integration Server verifies if...
iss
The issuer id matches with the trusted issuer list defined in Integration Server.
sub
The user is mapped to an Integration Server.
aud
The audience value matches with the audience defined in the Global Claim Settings in Integration Server. This can be a list or a single value. If it is a list, then the defined Audience in Integration Server should be one of the value in this list.
exp
The "expiration time" is later than the current time. Integration Server factors in the Skew Mapping before rejecting a token.
nbf
The "not before time" is earlier to the current time. Integration Server factors in the Skew Mapping before rejecting a token.
If verification of any of above claim fails, then Integration Server rejects the request.
Step 5
Integration Server responds to the user.
After validation, Integration Server responds to the client with the requested data or with an appropriate error message.