Web Agents 2024.9

Validate JWT Signature Locally

A flag for whether the agent validates the JWT signature locally:

  • 0: The agent does not validate the JWT signature locally. The agent validates a JWT by doing audience claim validation and callbacks to PingAM.

  • 1: The agent validates the JWT signature locally.

When the agent validates the JWT locally, it checks the JWT signature against the issuer's public key. The agent obtains that key from the JSON Web Key Set (JWKS) that PingAM publishes at the endpoint /oauth2/connect/jwk_uri.

Enabling this feature causes the agent to validate the JWT signature first, before continuing with audience claim validation and callbacks to PingAM. A tampered JWT is therefore detected early in the handling of the request, rather than during the callbacks to PingAM.

Expect a drop in performance when this feature is enabled.
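As an added example that is not the agent's own code, the following Go program models the validation order this property enables: it rebuilds the issuer's RSA public key from a JWKS document of the shape served at /oauth2/connect/jwk_uri, verifies an RS256 signature with it, and only then checks the audience claim. The JWKS, the keys and the tokens are constructed inside the program rather than fetched from PingAM; the issuer and audience URLs, the kid value and the claim values are placeholders, and the callbacks to PingAM that follow a successful local check are outside the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// A JWKS document as published at /oauth2/connect/jwk_uri (RSA fields only).
// encoding/json matches "kty", "kid", "n", "e" to these fields case-insensitively.
type jwks struct {
	Keys []struct {
		Kty, Kid, N, E string
	} `json:"keys"`
}

var b64 = base64.RawURLEncoding // JWT segments and JWK integers are unpadded base64url

// keyFromJWKS rebuilds the issuer's public key for the kid named in the JWT header.
func keyFromJWKS(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == kid {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed JWK %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// verifyRS256 returns the claims only once the signature verifies with the JWKS key;
// nothing in the payload, aud included, is read before that check.
func verifyRS256(token string, set jwks) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) // also rejects "none" and HS* downgrade attempts
	}
	pub, err := keyFromJWKS(set, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is the encoded segments
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw[1], &claims)
}

// validateLocally applies the order the property enables: signature first, audience second.
// It returns the stage that rejected the token, or "ok".
func validateLocally(token string, set jwks, wantAud string) (string, error) {
	claims, err := verifyRS256(token, set)
	if err != nil {
		return "signature", err
	}
	if aud, _ := claims["aud"].(string); aud != wantAud { // string form only; RFC 7519 also allows an array
		return "audience", fmt.Errorf("aud %q is not %q", aud, wantAud)
	}
	return "ok", nil // the agent would continue with its PingAM callbacks from here
}

// jwksDoc is a constructed stand-in for a jwk_uri response; nothing is fetched.
func jwksDoc(pub *rsa.PublicKey, kid string) []byte {
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"use":"sig","alg":"RS256","n":%q,"e":%q}]}`,
		kid, b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())))
}

// signRS256 mints a token the way an issuer would (fixture only, not PingAM's code).
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig)
}

// demo returns the stage at which each constructed token stops.
func demo() map[string]string {
	issuer, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048)               // presents the right kid but is not the JWKS key
	const aud, kid = "https://app.example.com/agent", "am-key-1" // placeholder values
	var set jwks
	_ = json.Unmarshal(jwksDoc(&issuer.PublicKey, kid), &set)
	mint := func(k *rsa.PrivateKey, a, sub string) string {
		return signRS256(k, kid, map[string]any{"iss": "https://am.example.com/am/oauth2", "aud": a, "sub": sub})
	}
	good := mint(issuer, aud, "alice")
	seg := strings.Split(good, ".")
	tampered := seg[0] + "." + b64.EncodeToString([]byte(`{"aud":"`+aud+`","sub":"admin"}`)) + "." + seg[2]
	out := map[string]string{}
	out["valid"], _ = validateLocally(good, set, aud)
	out["tampered"], _ = validateLocally(tampered, set, aud) // edited payload, original signature
	out["wrong_aud"], _ = validateLocally(mint(issuer, "other", "alice"), set, aud)
	out["rogue_key"], _ = validateLocally(mint(rogue, aud, "alice"), set, aud)
	return out
}

func main() { fmt.Println(demo()) }
```

The tampered token and the token signed with a key that is not in the JWKS both stop at the signature stage, while the correctly signed token with the wrong audience is the only one that reaches the audience check. That is the early detection the text describes: with the property disabled, the tampered payload would be rejected only when the agent called back to PingAM. The example parses the JWKS once and reuses it; a verifier in production would likewise cache the key set rather than download it per request, and the page says nothing about how often the agent refreshes it.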

Default: 0

Property name

com.forgerock.agents.jwt.validate.signature.locally
  Introduced in Web Agent 2024.9

Type

Boolean: true returns true; all other strings return false.

Bootstrap property

Yes

Required property

No

Restart required

No

Copyright © 2010-2024 ForgeRock, all rights reserved.