StatelessAccessTokenResolver
Locally resolve and validate stateless access tokens issued by AM, without referring to AM.
AM can be configured to secure access tokens by signing or encrypting. The StatelessAccessTokenResolver must be configured for signature or encryption according to the AM configuration.
Usage
Use this resolver with the accessTokenResolver property of OAuth2ResourceServerFilter.
"accessTokenResolver": {
  "type": "StatelessAccessTokenResolver",
  "config": {
    "issuer": configuration expression<string>,
    "secretsProvider": SecretsProvider reference,
    "verificationSecretId": configuration expression<secret-id>, // Use "verificationSecretId" or
    "decryptionSecretId": configuration expression<secret-id>,   // "decryptionSecretId", but not both
    "skewAllowance": configuration expression<duration>,
    "signatureSecretId": configuration expression<secret-id>,    // deprecated
    "encryptionSecretId": configuration expression<secret-id>    // deprecated
  }
}
Properties
"issuer": configuration expression<string>, required
URI of the AM instance responsible for issuing access tokens.
"secretsProvider": SecretsProvider reference, optional
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
Default: The route's default secret service. For more information, see Default secrets object.
"verificationSecretId": configuration expression<secret-id>, required if AM secures access tokens with a signature
The secret ID for the secret used to verify the signature of signed access tokens.
Depending on the type of secret store that is used to verify signatures, use the following values:
- For JwkSetSecretStore, use any non-empty string that conforms to the field convention for secret-id. The value of the string is not used.
- For other types of secret stores:
  - null: No signature verification is required.
  - A kid as a string: Signature verification is required with the provided kid. The StatelessAccessTokenResolver searches for the matching kid in the SecretsProvider or global secrets service.
For information about how signatures are validated, see Validating the signature of signed tokens. For information about how each type of secret store resolves named secrets, see Secrets.
Use either verificationSecretId or decryptionSecretId, according to the configuration of the token provider in AM. If AM is configured to sign and encrypt tokens, encryption takes precedence over signing.
"decryptionSecretId": configuration expression<secret-id>, required if AM secures access tokens with encryption
The secret ID for the secret used to decrypt the JWT, for confidentiality.
Use either verificationSecretId or decryptionSecretId, according to the configuration of the token provider in AM. If AM is configured to sign and encrypt the token, encryption takes precedence over signing.
"skewAllowance": configuration expression<duration>, optional
The duration to add to the validity period of a JWT to allow for clock skew between different servers. To support a zero-trust policy, the skew allowance is zero by default.
A skewAllowance of 2 minutes affects the validity period as follows:
- A JWT with an iat of 12:00 is valid from 11:58 on the IG clock.
- A JWT with an exp of 13:00 is expired after 13:02 on the IG clock.
Default: zero
"signatureSecretId": configuration expression<secret-id>, optional
This property is deprecated. Use verificationSecretId instead. For more information, refer to Deprecation. The secret ID for the secret used to verify the signature.
"encryptionSecretId": configuration expression<secret-id>, optional
This property is deprecated. Use decryptionSecretId instead. For more information, refer to Deprecation. The secret ID for the secret used to decrypt data.
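The following Python script is an added illustration of the checks described under verificationSecretId and skewAllowance; it is not IG or AM code. It models the resolver as a function that takes the configured issuer, a secrets lookup, a verificationSecretId (null, or a kid to look up) and a skew allowance in seconds, and applies them to an HS256 JWT. The issuer URI, the kid name and the HMAC key are constructed values for the demonstration; signature verification is modelled with a symmetric key only, and the token header's own kid is not consulted, which mirrors the "kid as a string" lookup on this page but is a simplification of what the secret stores in IG actually do.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for a SecretsProvider: secret ID (a kid) -> HMAC key.
# The key value is a demo constant; in IG the key comes from the configured secret store.
SECRETS = {
    "am-signing-key-1": b"constructed-demo-hmac-key-do-not-reuse",
}

# Assumed AM issuer URI; the "issuer" property must match the iss claim exactly.
ISSUER = "https://am.example.com:8443/am/oauth2"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, kid: str) -> str:
    """Mint an HS256 JWT with the given claims (a constructed stand-in for an AM-issued token)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRETS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def resolve(token: str, issuer: str, secrets: dict, verification_secret_id: Optional[str],
            skew_allowance: int, now: Optional[int] = None):
    """Model of the resolver's checks. Returns (ok, reason, claims).

    verification_secret_id: None means no signature verification (the page's "null" case);
    a string is the kid looked up in `secrets` (the page's "kid as a string" case).
    skew_allowance: seconds added to both ends of the validity window; IG's default is zero.
    """
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    h_b64, c_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        return False, "malformed token", None
    if verification_secret_id is not None:
        key = secrets.get(verification_secret_id)
        if key is None:
            return False, "unknown kid", None
        if header.get("alg") != "HS256":
            return False, "unsupported alg", None
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature", None
    if claims.get("iss") != issuer:
        return False, "issuer mismatch", None
    # Skew allowance widens the window: the token is accepted from iat - skew until exp + skew.
    if "iat" in claims and now < claims["iat"] - skew_allowance:
        return False, "not yet valid", None
    if "exp" in claims and now > claims["exp"] + skew_allowance:
        return False, "expired", None
    return True, "ok", claims


if __name__ == "__main__":
    # Reproduce the page's 2-minute example: iat at T0, exp one hour later.
    T0 = 1_700_000_000
    tok = make_token({"iss": ISSUER, "sub": "alice", "iat": T0, "exp": T0 + 3600}, "am-signing-key-1")
    for label, clock in (("2 min early", T0 - 120), ("3 min early", T0 - 180),
                         ("exp + 2 min", T0 + 3600 + 120), ("exp + 3 min", T0 + 3600 + 180)):
        print(label, resolve(tok, ISSUER, SECRETS, "am-signing-key-1", 120, clock)[:2])
```

Run with skew_allowance set to 0 to see the default zero-trust behaviour: a token whose iat is even one second ahead of the IG clock is rejected as not yet valid.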
Example
For examples of how to set up and use StatelessAccessTokenResolver to resolve signed and encrypted access tokens, see Validate stateless access tokens with the StatelessAccessTokenResolver.