External JWT Signers
External JWT Signers allow external identity providers to facilitate authentication with a Ziti network. External JWT Signers can be added as a static x509 certificate or via a JWKS endpoint. Authenticating clients can provide a JWT as a primary authentication mechanism to obtain an API Session. Additionally, the JWT can be required on all REST API calls if desired by using an Authentication Policy that requires it as a secondary factor.
JWT is described in RFC 7519 and on Wikipedia. X509 PKI is described in RFC 5280 an on Wikipedia
Usage
External JWT Signers are used in conjunction with Authentication Policies to allow identities to authenticate using a
JWT. External JWT Signers can be configured to match an identity through the claimsProperty
and useExternalId
fields. claimsProperty
can change which field in the JWT is matched to the id
or externalId
on an identity.
useExternalId
when true will match the claimsProperty
to an identity's externalId
field. If false, it will match
to the id
field.
Note: externalId
values on identities are enforced to be unique.
claimsProperty
can contain JWT standard claims or private claims. An example usage would be an email
JWT private
claim and Ziti identities with externalId
set to email addresses.
x509 Certificate
If the JWT provider has a static x509 certificate, it is possible define an External JWT Signer using the PEM encoded public certificate of the signer. If the JWT provider has JWKS endpoint support it is strongly recommended to create an External JWT Signer using the JWKS endpoint. External JWT Signers configured with a static x509 certificate will need maintenance during key rotation and certificate expiration. For these operations the Edge Management API can be used for external automation.
JWKS Endpoint
JSON Web Key Sets (JWKS) is defined in RFC7517 Section 5 and is used by many popular IdPs (Auth0, Okta) in order to enable external JWT verification. External JWT Signers configured with a JWKS endpoint allows an identity provider to rotate keys and bridge signer certificate expiration windows.
JWT Validation
External JTW Signers are used to validate JWTs for authentication. This validation requires the following:
- the
iss
field on the JWT must match theissuer
field on the External JWT Signer - the
aud
field on the JWT must match theaudience
field on the External JWT Signer - the
sub
or field defined byclaimsProperty
must match theid
field on an identity (orexternalid
ifuseExternal
is true) - the JWT must be signed by the x509 certificate or a JWK from the JWKS endpoint defined on the External JWT Signer
- the JWT
kid
must match the External JWTkid
field for x509 certificates or thekid
in a JWKS response - the JWT must not be expired
Creation
An External JWT Signer that uses a private email
claim and matches on externalId
with a JWKS endpoint can
be created as follows:
POST /edge/management/v1/ext-jwt-signers
{
"name": "My External JWT Signer",
"enabled": true,
"issuer": "my-issuer",
"audience": "my-audience",
"jwksEndpoint": "https://example.com/.well-known/jwks.json",
"claimsProperty": "email",
"useExternalId": true
}
An External JWT Signer that uses the sub
claim and matches on id
with a x509 certificate can
be created as follows:
POST /edge/management/v1/ext-jwt-signers
{
"name": "My External JWT Signer",
"enabled": true,
"issuer": "my-issuer",
"audience": "my-audience",
"kid": "2gh80220",
"certPem": "-----BEGIN CERTIFICATE-----\nMII...\n-----END CERTIFICATE-----\n"
}
External Authentication URL & Client Authentication
Unauthenticated clients can enumerate External JWT Signers that have an externalAuthUrl
property. Clients will
receive the name of the External JWT Signer and the externalAuthUrl
only. This information can allow clients
to initiate client authentication to the target identity provider.
Example Client External JWT Signer response:
GET /edge/client/v1/external-jwt-signers
{
"data": [
{
"_links": {
"self": {
"href": "./external-jwt-signers/eZjzX3U1u"
}
},
"id": "eZjzX3U1u",
"name": "my-ext-jwt-signer",
"externalAuthUrl": "https://my-site/authenticate"
}
],
"meta": {}
}