WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
OAuth Authentication - JWT Access Tokens
By default, OAuth access tokens are created as opaque identifiers. There is also the option to generate JWTs as access tokens on a per-service basis:
```json
{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "clientid",
  "clientSecret": "clientSecret",
  "serviceId" : "^(https|imaps)://<redirect-uri>.*",
  "name" : "OAuthService",
  "id" : 100,
  "jwtAccessToken": true,
  "properties" : {
    "@class" : "java.util.HashMap",
    "accessTokenAsJwtSigningKey" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "..." ] ]
    },
    "accessTokenAsJwtEncryptionKey" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "..." ] ]
    },
    "accessTokenAsJwtSigningEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "accessTokenAsJwtEncryptionEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "accessTokenAsJwtCipherStrategyType" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "ENCRYPT_AND_SIGN" ] ]
    }
  }
}
```
Signing and encryption keys may also be defined on a per-service basis, or globally via CAS settings.
The following properties are available and recognized by CAS for various modules and features:
Name | Default Value | Type | Group |
---|---|---|---|
oidcResponseModeAsJwtCipherSigningEnabled | true | BOOLEAN | JWT_ACCESS_TOKENS |
oidcResponseModeAsJwtCipherEncryptionEnabled | true | BOOLEAN | JWT_ACCESS_TOKENS |
accessTokenAsJwtSigningKey | | STRING | JWT_ACCESS_TOKENS |
accessTokenAsJwtCipherStrategyType | ENCRYPT_AND_SIGN | STRING | JWT_ACCESS_TOKENS |
accessTokenAsJwtSigningEnabled | true | BOOLEAN | JWT_ACCESS_TOKENS |
accessTokenAsJwtEncryptionEnabled | false | BOOLEAN | JWT_ACCESS_TOKENS |
accessTokenAsJwtEncryptionKey | | STRING | JWT_ACCESS_TOKENS |
accessTokenAsJwtEncryptionAlg | | STRING | JWT_ACCESS_TOKENS |
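When reviewing service definitions, it helps to resolve the effective signing and encryption settings from the per-service properties and the defaults in the table above. The following is an added example, not part of CAS or this documentation's own code: the `audit` and `prop` helpers are hypothetical names, the sample definition is constructed (its property entries omit the inner `@class` for brevity), and strict JSON input is assumed.

```python
import json

# Defaults copied from the property table on this page.
DEFAULTS = {
    "accessTokenAsJwtSigningEnabled": "true",
    "accessTokenAsJwtEncryptionEnabled": "false",
    "accessTokenAsJwtSigningKey": "",
    "accessTokenAsJwtEncryptionKey": "",
}

# Constructed sample definition (not from a real deployment).
SAMPLE = """{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "clientid", "name": "OAuthService", "id": 100,
  "jwtAccessToken": true,
  "properties": {
    "@class": "java.util.HashMap",
    "accessTokenAsJwtSigningEnabled": {"values": ["java.util.HashSet", ["false"]]},
    "accessTokenAsJwtEncryptionEnabled": {"values": ["java.util.HashSet", ["true"]]},
    "accessTokenAsJwtEncryptionKey": {"values": ["java.util.HashSet", ["..."]]}
  }
}"""

def prop(service, name):
    """First value of a per-service property, else the table default."""
    entry = service.get("properties", {}).get(name)
    values = entry.get("values", []) if isinstance(entry, dict) else []
    # Jackson-typed collection: ["java.util.HashSet", [v1, v2, ...]]
    if len(values) == 2 and isinstance(values[1], list):
        values = values[1]
    return str(values[0]).strip() if values else DEFAULTS[name]

def audit(definition_text):
    """Return review findings for one OAuth service definition."""
    svc = json.loads(definition_text)
    if svc.get("jwtAccessToken") is not True:
        return ["jwtAccessToken is not true: access tokens are opaque"]
    findings = []
    for kind in ("Signing", "Encryption"):
        enabled = prop(svc, f"accessTokenAsJwt{kind}Enabled").lower() == "true"
        key = prop(svc, f"accessTokenAsJwt{kind}Key")
        if not enabled:
            findings.append(f"{kind.lower()} is not enabled for this service")
        elif key in ("", "..."):
            # "..." is the elided placeholder used in the page's sample.
            findings.append(f"no per-service {kind.lower()} key set: check global CAS settings")
    return findings
```

Calling `audit(SAMPLE)` reports that signing is switched off and that the encryption key is still the `...` placeholder.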