Using JWT Sessions
JwtSession objects store session information in JWT cookies on the user-agent. The following sections describe how to set authenticated encryption for JwtSession, using symmetric keys.
Authenticated encryption encrypts data and then signs it with HMAC, in a single step. For more information, see Authenticated encryption. For information about JwtSession, see "JwtSession".
Encrypting JWT Sessions
This section describes how to set up a keystore with a symmetric key for authenticated encryption of a JWT session.
Generate a keystore to contain the encryption key, where the keystore and the key have the password
password
:$
keytool \ -genseckey \ -alias symmetric-key \ -keystore /path/to/secrets/jwtsessionkeystore.pkcs12 \ -storepass password \ -storetype pkcs12 \ -keyalg HmacSHA512 \ -keysize 512
Note
Because KeyStore converts all characters in its key aliases to lower case, use only lowercase in alias definitions of a KeyStore.
Add the following route to IG:
$HOME/.openig/config/routes/jwt-session-encrypt.json
%appdata%\OpenIG\config\routes\jwt-session-encrypt.json
{ "name": "jwt-session-encrypt", "heap": [{ "name": "KeyStoreSecretStore-1", "type": "KeyStoreSecretStore", "config": { "file": "/path/to/secrets/jwtsessionkeystore.pkcs12", "storeType": "PKCS12", "storePassword": "keystore.secret.id", "secretsProvider": ["SystemAndEnvSecretStore-1"], "mappings": [{ "secretId": "jwtsession.symmetric.secret.id", "aliases": ["symmetric-key"] }] } }, { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" } ], "session": { "type": "JwtSession", "config": { "authenticatedEncryptionSecretId": "jwtsession.symmetric.secret.id", "encryptionMethod": "A256CBC-HS512", "secretsProvider": ["KeyStoreSecretStore-1"], "cookie": { "name": "IG", "domain": ".example.com" } } }, "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "reason": "OK", "headers": { "Content-Type": [ "text/plain" ] }, "entity": "Hello world!" } }, "condition": "${request.uri.path == '/jwt-session-encrypt'}" }
Notice the following features of the route:
The route matches requests to
/jwt-session-encrypt
.The KeyStoreSecretStore uses the SystemAndEnvSecretStore in the heap to manage the store password.
The JwtSession uses the KeyStoreSecretStore in the heap to manage the session encryption secret.
In the terminal where you will run the IG instance, create an environment variable for the value of the keystore password:
$
export KEYSTORE_SECRET_ID='cGFzc3dvcmQ='
The password is retrieved by the SystemAndEnvSecretStore, and must be base64-encoded.