OAuth Authentication - JWT Access Tokens

By default, OAuth access tokens are created as opaque identifiers. There is also the option to generate JWTs as access tokens on a per-service basis:

```json
{
    "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
    "clientId": "clientid",
    "clientSecret": "clientSecret",
    "serviceId" : "^(https|imaps)://<redirect-uri>.*",
    "name" : "OAuthService",
    "id" : 100,
    "jwtAccessToken": true,
    "properties" : {
      "@class" : "java.util.HashMap",
      "accessTokenAsJwtSigningKey" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "..." ] ]
      },
      "accessTokenAsJwtEncryptionKey" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "..." ] ]
      },
      "accessTokenAsJwtSigningEnabled" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "true" ] ]
      },
      "accessTokenAsJwtEncryptionEnabled" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "true" ] ]
      },
      "accessTokenAsJwtCipherStrategyType" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "ENCRYPT_AND_SIGN" ] ]
      }
    }
}
```

Signing and encryption keys may also be defined on a per-service basis, or globally via CAS settings.

The following properties are available and recognized by CAS for various modules and features:

| Name | Default Value | Type | Group |
|---|---|---|---|
| oidcResponseModeAsJwtCipherSigningEnabled | true | BOOLEAN | JWT_ACCESS_TOKENS |
| oidcResponseModeAsJwtCipherEncryptionEnabled | true | BOOLEAN | JWT_ACCESS_TOKENS |
| accessTokenAsJwtSigningKey | (none) | STRING | JWT_ACCESS_TOKENS |
| accessTokenAsJwtCipherStrategyType | ENCRYPT_AND_SIGN | STRING | JWT_ACCESS_TOKENS |
| accessTokenAsJwtSigningEnabled | true | BOOLEAN | JWT_ACCESS_TOKENS |
| accessTokenAsJwtEncryptionEnabled | false | BOOLEAN | JWT_ACCESS_TOKENS |
| accessTokenAsJwtEncryptionKey | (none) | STRING | JWT_ACCESS_TOKENS |
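The following is an added Python check, not code from CAS or from this page: it reads a registered-service definition in the JSON layout shown above, applies the defaults from the property table to any property that is absent, and reports the settings a reviewer would want to look at (signing or encryption switched off, a key left at the "..." placeholder with no global key). The sample service and the `global_keys_defined` flag are constructed assumptions.

```python
import json

# Defaults from this page's property table; the key properties have no default
# and may instead come from global CAS settings.
DEFAULTS = {"accessTokenAsJwtSigningEnabled": "true",
            "accessTokenAsJwtEncryptionEnabled": "false",
            "accessTokenAsJwtCipherStrategyType": "ENCRYPT_AND_SIGN",
            "accessTokenAsJwtSigningKey": None, "accessTokenAsJwtEncryptionKey": None}

def property_value(service, name):
    """Read one property from CAS's typed JSON layout, where "values" is
    ["java.util.HashSet", [<value>, ...]]; fall back to the table default."""
    prop = service.get("properties", {}).get(name)
    inner = prop["values"][1] if prop else []
    return inner[0] if inner else DEFAULTS[name]

def check_jwt_access_token_config(service, global_keys_defined=False):
    """Return review findings for one service's JWT access-token settings.
    global_keys_defined: whether CAS-level signing/encryption keys are configured."""
    if not service.get("jwtAccessToken", False):
        return ["jwtAccessToken is not true: opaque access tokens are issued"]
    signing = property_value(service, "accessTokenAsJwtSigningEnabled") == "true"
    encryption = property_value(service, "accessTokenAsJwtEncryptionEnabled") == "true"
    findings = []
    if not signing:
        findings.append("signing disabled: token integrity is not protected")
    if not encryption:
        findings.append("encryption disabled: claims are readable by any token holder")
    for enabled, key_name in ((signing, "accessTokenAsJwtSigningKey"),
                              (encryption, "accessTokenAsJwtEncryptionKey")):
        key = property_value(service, key_name)
        # "..." is the placeholder used in this page's sample; treat it as unset.
        if enabled and key in (None, "", "...") and not global_keys_defined:
            findings.append(f"{key_name} unset or placeholder, and no global key defined")
    return findings

# Constructed sample (not from a live CAS): the page's service with both key
# properties still holding the "..." placeholder and encryption switched on.
SAMPLE_SERVICE = json.loads("""{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "clientid", "serviceId": "^(https|imaps)://<redirect-uri>.*",
  "name": "OAuthService", "id": 100, "jwtAccessToken": true,
  "properties": {
    "@class": "java.util.HashMap",
    "accessTokenAsJwtSigningKey": {"values": ["java.util.HashSet", ["..."]]},
    "accessTokenAsJwtEncryptionKey": {"values": ["java.util.HashSet", ["..."]]},
    "accessTokenAsJwtEncryptionEnabled": {"values": ["java.util.HashSet", ["true"]]}
  }
}""")
```

Running `check_jwt_access_token_config(SAMPLE_SERVICE)` flags both placeholder keys; passing `global_keys_defined=True` clears those findings because the keys may then be supplied by CAS settings.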