IPWorks Auth 2020 Kotlin Edition

Questions / Feedback?

Jwt Configuration

The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

JWT Configuration Settings

AllowedSigningAlgorithms:   Allowed signing algorithms when StrictValidation is set to True.

This setting specifics a comma separated list of algorithms that are allowed when StrictValidation is set to true. This allows multiple signing algorithms to be considered acceptable during validation. This setting is only applicable when StrictValidation is set to true. Possible values:

  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512
  • PS256
  • PS384
  • PS512

Example value: HS512,HS256.

AudienceDelimiter:   Defines the character to separate audience values.

This setting specifies the character to used to separate multiple audience values. ClaimAudience may contain multiple values. When multiple values are present they will be separated by this character. The default value is ;.

When setting ClaimAudience that contains multiple audiences specify multiple value separated by the character set here. For instance:


jwt.ClaimAudience = "aud1;aud2";

CompressionAlgorithm:   The compression algorithm to use.

This setting specifies the compression algorithm to use (if any). If set the content will be compressed using the specified algorithm. Possible values are:

  • 0 (none - default)
  • 1 (deflate)
IncludeCertificateFormat:   The certificate values to include in the signed message (if any).

This setting specifies whether information about the Certificate is included in the signed message. When specified, the value here determines the format of the included certificate information. The certificate information is included as a standard JWS header parameter.

Multiple formats may be included in the signed message. The value specified should be the binary 'OR' of one or more of the following values:

Value Description JWS Header Param
0 (0x00 - default) None
1 (0x01) X.509 Certificate Chain x5c
2 (0x02) X.509 Certificate SHA-1 Thumbprint (Base64-URL encoded) x5t
4 (0x04) X.509 Certificate SHA-256 Thumbprint (Base64-URL encoded) x5t#S256

Note: When including the certificate chain (0x01) the public certificate of Certificate will automatically be included. IssuerCerts may also be set to the public issuer certificates that will be used when building the chain to include.

For instance, to include both the certificate chain and SHA-256 thumbprint of the Certificate set this to 5.

InputMessage:   The raw input to process.

This setting optionally specifies the pay payload to process. When calling Sign or Encrypt input is taken from this setting if specified. If a value is set here the Claim* properties are ignored.

IsEncrypted:   Indicates whether the EncodedJWT is encrypted.

This setting may be queried after calling Parse to determine if the EncodedJWT is encrypted.

IsSigned:   Indicates whether the EncodedJWT is signed.

This setting may be queried after calling Parse to determine if the EncodedJWT is signed.

IssuerCerts:   A collection of issuer certificates used with IncludeCertificateFormat.

This setting optionally specifies one or more issuer certificates that may be used by the component when IncludeCertificateFormat is specified. Note that the issuer certificates specified here are used as a store of potential issuer certificates. At runtime the component will inspect the Certificate value and add the relevant issuer certificates that are present in this property.

The format of the value must be one or more PEM encoded certificates with headers and footers. For instance to include 2 issuer certificates the value may be:

-----BEGIN CERTIFICATE-----
MIIBujCCASOgAwIBAgICA+kwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAxMSbnVuaXRDZXJ0
Q2hhaW5Sb290MCAXDTE4MTAxNTA5MDAxN1oYDzIxMTgwOTIxMDkwMDE3WjAmMSQwIgYDVQQD
...
Tr+wi0ouNo7ifWRcE83Z15PhfGn1nkfxMYj4rya5n+V0RVVcgFUdiolCI5o/sYq503a7kH16
JSF5Zw+TiMz/COM8R94=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBsTCCARqgAwIBAgICA+gwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAxMSbnVuaXRDZXJ0
Q2hhaW5Sb290MCAXDTE4MTAxNTA5MDAxN1oYDzIxMTgwOTIxMDkwMDE3WjAdMRswGQYDVQQD
...
5u2K9PuJ3ySgL7AvYsqbB/e0/gw8j253SOU+gNTpFahOJsLGEJ43CRtaowkLnWEzs+OPnRfw
iQmqruw=
-----END CERTIFICATE-----

KeyEncoding:   The encoding of the Key value.

This setting specifies the encoding that has been applied to the Key. value prior to providing it to the component. The Key is typically represented as an array of bytes, however in some cases the key value may have been encoded. As a matter of convenience the component will accept the key with an encoding already applied. The component will decode the key value according the to the value specified here before processing. Possible values are:

  • 0 (none - default)
  • 1 (base64)

OutputMessage:   The raw output of the operation.

After calling Verify or Decrypt this holds the raw JSON payload. This may be useful for debugging or logging purposes when the JSON payload is desired.

PartyUInfo:   Information about the producer of the message.

This setting may optionally be set when Algorithm is set to an ECDH algorithm before calling Encrypt. When calling Decrypt this setting is populated and also accessible from within the RecipientInfo event. The value may be any string. To specify a base64url encoded value directly prefix the string with [b64]. For instance the following lines both set the same value:


jwe.Config("PartyUInfo=Alice");
jwe.Config("PartyUInfo=[b64]QWxpY2U="); //Equivalent to above line

PartyVInfo:   Information about the recipient of the message.

This setting may optionally be set when Algorithm is set to an ECDH algorithm before calling Encrypt. When calling Decrypt this setting is populated and also accessible from within the RecipientInfo event. The value may be any string. To specify a base64url encoded value directly prefix the string with [b64]. For instance the following lines both set the same value:


jwe.Config("PartyUInfo=Bob");
jwe.Config("PartyUInfo=[b64]Qm9i"); //Equivalent to above line

PBES2Count:   The PBKDF2 iteration count.

This setting specifies the PBDKF2 iteration count. A minimum value of 1000 is recommended. The default value is 1000.

This setting is only applicable when EncryptionAlgorithm is set to a PBES algorithm.

PBES2SaltLength:   The salt input value length.

This setting specifies the length in bytes of the salt input value, which is used as part of the PBKDF2 salt value. The default value is 16.

This setting is only applicable when EncryptionAlgorithm is set to a PBES algorithm.

RawHeader:   Holds the raw JOSE header.

This setting may be queried after calling Sign or Verify to obtain the raw JOSE header. This returns a JSON string like:

{"alg":"ES384","kid":"myKeyId"}

StrictValidation:   Requires specific algorithms when processing.

If set to True the component will validate that the algorithm used in the JWT matches the values specified in EncryptionAlgorithm, ContentEncryptionAlgorithm, and SigningAlgorithm. This is applicable when calling Decrypt and Verify.

By default this is False and the algorithms are read automatically from the encoded JWT.

Base Configuration Settings

BuildInfo:   Information about the product's build.

When queried, this setting will return a string containing information about the product's build.

GUIAvailable:   Tells the component whether or not a message loop is available for processing events.

In a GUI-based application, long-running blocking operations may cause the application to stop responding to input until the operation returns. The component will attempt to discover whether or not the application has a message loop and, if one is discovered, it will process events in that message loop during any such blocking operation.

In some non-GUI applications an invalid message loop may be discovered that will result in errant behavior. In these cases, setting GUIAvailable to false will ensure that the component does not attempt to process external events.

LicenseInfo:   Information about the current license.

When queried, this setting will return a string containing information about the license this instance of a component is using. It will return the following information:

  • Product: The product the license is for.
  • Product Key: The key the license was generated from.
  • License Source: Where the license was found (e.g. RuntimeLicense, License File).
  • License Type: The type of license installed (e.g. Royalty Free, Single Server).
UseDaemonThreads:   Whether threads created by the component are daemon threads.

If set to True (default), when the component creates a thread the thread's Daemon property will be explicitly set to True. When set to False the component will not set the Daemon property on the created thread. The default value is True.

UseInternalSecurityAPI:   Tells the component whether or not to use the system security libraries or an internal implementation.

By default the component will use the system security libraries to perform cryptographic functions. Setting this to True tells the component to use the internal implementation instead of using the system's security API.

Copyright (c) 2021 /n software inc. - All rights reserved.
IPWorks Auth 2020 Kotlin Edition - Version 20.0 [Build 7941]