Create a generation JSON Web Token (JWT) profile to specify how Pega Platform generates a given JWT.
To generate a JWT, Pega Platform processes the generation JWT profile with the
pxGenerateJWT activity. The generation JWT profile data instance consists of one or
more headers, one or more claims, and a security configuration that specifies no
security, a signed token, an encrypted token, or a token that is both signed and
encrypted.
The profile can also specify a token lifetime (how long the token is valid and when it
becomes usable) and whether the profile should also include a processing JWT profile.
You can use JWTs to exchange information securely between Pega Platform and another
party, and to encrypt the data to be transmitted. Common uses for JWTs in Pega Platform
include:
- Authentication – The JWT carries user information that another party can use to
authenticate the identity of the user presenting the token.
- Session management – The JWT provides a secure exchange of information during
authenticated user sessions.
By default, Pega Platform automatically adds the following parameters to the JWT header
when it generates the token:
After you create a generation JWT profile, you can view the details of the token that the
profile will generate by clicking Preview.
-
In the navigation panel, click .
-
Click Create.
-
In the Token Type field, select JSON Web
Token.
-
In the Purpose field, select Generation
to create a token profile for generating a new JWT.
-
Enter a token profile name and short description.
-
Click Create and open.
-
In the Headers section, you can supplement the default JWT header parameters with
additional parameters by clicking the Add icon and completing the Name, Description, and
Map from fields.
-
In the Claims section, add a set of Registered
claims to the payload of the token.
-
Click the Add icon.
-
In the Name field, press the Down arrow key, and select one
of the available claims:
-
In the Map from field, select whether to map the claim value
to text or to a clipboard property:
- If you selected Constant in the Map
from field, then enter a text string in the Map from
key field.
- If you selected Clipboard in the Map
from field, then enter a property name on the clipboard in the
Map from key field.
-
In the Claims section, add a set of Custom
claims to the payload of the token to share information between parties that
agree to use these claims.
-
Click the Add icon.
-
Complete the Name and Description fields.
-
In the Map from field, select whether to map the claim value
to text or to a clipboard property:
- If you selected Constant in the Map
from field, then enter a text string in the Map from
key field.
- If you selected Clipboard in the Map
from field, then enter a property name on the clipboard in the
Map from key field.
-
In the Security configuration field, specify whether to sign the token (JSON Web
Signature, JWS), encrypt its content (JSON Web Encryption, JWE), do both, or do neither.
-
Signature – Sign the JWT so that a recipient can verify its integrity and origin, by
completing step 11.
-
Encryption – Encrypt the JWT content so that only the intended recipient can read it, by
completing step 12.
-
Signature & encryption – Both sign and encrypt the token, by completing steps 11 and 12.
-
None – Generate the token without signing or encryption by skipping steps 11 and 12. A
recipient then has no way to verify the origin or integrity of such a token, so choose
this only when the token carries nothing that must be trusted or kept confidential.
-
For JWT signature configuration, in the JSON Web Signature (JWS)
section, complete the following steps.
-
In the Signature type list, select either
Asymmetric or Symmetric.
-
In the Signature algorithm list, press the Down arrow key,
and select an algorithm for signing the token.
-
In the Keystore field, press the Down arrow key, and select
an existing keystore name.
-
In the Alias field, press the Down arrow key, and select the alias of the key in this
keystore that signs the JWTs generated from this profile: the private key for an
asymmetric signature, or the secret key for a symmetric one.
-
In the Password field, enter the keystore password.
Note: After you save a token profile that uses asymmetric keys, the JSON web key set URI
field exposes the public key endpoint from which the other party can retrieve the
public key.
-
For Asymmetric signatures only: To suppress the key ID header, select the Suppress
generation of Key ID (kid) header check box. Recipients that select the verification key
by its kid value then need another way to identify the correct key.
-
For JWE content encryption, in the JSON Web Encryption (JWE) section, select either
Asymmetric or Symmetric.
-
In the Token lifetime section, complete the following
steps.
-
In the Valid till (in seconds) field, specify the number of seconds that the token
remains valid after it is issued (in JWT terms, the expiration time, exp). The default
value is 900 seconds (15 minutes).
-
In the Processed not before (in seconds) field, enter the number of seconds after
issue before which the receiver of the JWT must not accept the token (in JWT terms, the
not-before time, nbf). The default value is 0 seconds.
-
Click Save.
-
If you want to add a processing profile to this generation JWT profile, in the
Advanced section, select Process generated
token.
-
Click the Processing tab. Some sections and fields are filled in automatically from the
configuration of the generation profile.
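The following Python example is added here to illustrate what a generation profile like the one configured above produces; it is not Pega code and does not call the Pega API. It builds a signed JWT from a hypothetical profile-like dictionary whose fields mirror the form sections (additional Headers, Registered and Custom claims mapped from a Constant or a Clipboard property, a symmetric HS256 signature with an optional kid header, and a Token lifetime that sets nbf and exp), then verifies the token the way a recipient should: pinning the algorithm, checking the signature in constant time, and enforcing the not-before and expiry times. The profile structure, clipboard property names, secret and timestamps are all constructed for the example; asymmetric signing and JWE encryption are not implemented here.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; stands in for the keystore entry
CLIPBOARD = {                                      # constructed stand-in for clipboard properties
    "pxRequestor.pyUserIdentifier": "alice@example.com",
    "pxRequestor.pyAccessGroup": "Sales:Users",
}

# Hypothetical stand-in for a generation JWT profile. The keys mirror the form sections
# (Headers, Registered/Custom claims, JWS settings, Token lifetime) but are not Pega's data model.
PROFILE = {
    "headers": {"cty": "JWT"},
    "registered_claims": {
        "iss": {"map_from": "constant", "key": "https://issuer.example"},
        "sub": {"map_from": "clipboard", "key": "pxRequestor.pyUserIdentifier"},
        "aud": {"map_from": "constant", "key": "partner-api"},
    },
    "custom_claims": {
        "role": {"map_from": "clipboard", "key": "pxRequestor.pyAccessGroup"},
        "tenant": {"map_from": "constant", "key": "acme"},
    },
    "signature": {"type": "symmetric", "algorithm": "HS256", "kid": "hmac-key-1", "suppress_kid": False},
    "valid_till": 900,   # seconds after issue until exp
    "not_before": 0,     # seconds after issue until nbf
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj):
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def resolve_claim(mapping, clipboard):
    """Constant claims carry the literal text; clipboard claims read the named property."""
    if mapping["map_from"] == "constant":
        return mapping["key"]
    if mapping["map_from"] == "clipboard":
        return clipboard[mapping["key"]]
    raise ValueError("unknown Map from source: %r" % mapping["map_from"])


def generate_jwt(profile, clipboard, secret, now=None):
    """Issuer side: assemble header and payload from the profile, then sign with HS256."""
    now = int(time.time()) if now is None else int(now)
    sig = profile["signature"]
    if sig["type"] != "symmetric" or sig["algorithm"] != "HS256":
        raise ValueError("this example only implements the symmetric HS256 case")
    header = {"alg": sig["algorithm"], "typ": "JWT"}
    if not sig.get("suppress_kid"):
        header["kid"] = sig["kid"]           # lets the recipient choose the verification key
    header.update(profile["headers"])        # additional parameters from the Headers section
    payload = {n: resolve_claim(m, clipboard) for n, m in profile["registered_claims"].items()}
    payload.update({n: resolve_claim(m, clipboard) for n, m in profile["custom_claims"].items()})
    payload["iat"] = now
    payload["nbf"] = now + profile["not_before"]   # Processed not before
    payload["exp"] = now + profile["valid_till"]   # Valid till
    signing_input = json_segment(header) + "." + json_segment(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def decode_unverified(token):
    """Inspect header and payload without checking the signature (what a Preview shows)."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_jwt(token, secret, now=None, audience=None):
    """Recipient side: pin the algorithm, verify the MAC, then enforce nbf, exp and aud."""
    now = int(time.time()) if now is None else int(now)
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":          # never let the token's alg pick a weaker path
        return False, "unsupported alg"
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now < payload.get("nbf", 0):
        return False, "not yet valid"
    if now >= payload.get("exp", 0):          # a token without exp is treated as expired
        return False, "expired"
    if audience is not None and payload.get("aud") != audience:
        return False, "wrong audience"
    return True, "ok"


if __name__ == "__main__":
    token = generate_jwt(PROFILE, CLIPBOARD, SECRET)
    print(token)
    print(decode_unverified(token))
    print(verify_jwt(token, SECRET, audience="partner-api"))
```

The verifier checks the signature before it looks at any claim, so a forged payload or an alg downgrade is rejected without the claims ever being trusted; nbf and exp are compared against the verifier's clock, which is why the Valid till and Processed not before values must allow for clock skew between the two parties.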