Configure JSON Web Token (JWT) Providers

An access token is a credential issued by an authorization server that grants its bearer access to web APIs and other protected resources.

To call a resource that is protected with JWT bearer authentication, register the connection settings of that resource's authentication provider in the web.config file. Once the provider is set up, you can refer to it by name in your server-side scripts to retrieve an access token for the resources it supports.

To register a JWT authentication provider, add the following key to the <appSettings> node in the web.config file.

<appSettings>
   ...
   <!-- Token provider configuration using client secret -->
   <add key="feature-jwt-token-provider-a" value="{
       'name': 'a',
       'type': 'azure-ad-provider',
       'scopeForAccessToken': 'api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.default',
       'instance': 'https://login.microsoftonline.com/',
       'tenantId': 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy',
       'clientId': 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz',
       'timeout': 10000,
       'clientSecret': '~xyzxyz-xxxxxxxxxx-yyyyyyyyy-zzz~x'
   }"/>

   <!-- Token provider configuration using client certificate -->
   <add key="feature-jwt-token-provider-b" value="{
       'name': 'b',
       'type': 'azure-ad-provider',
       'scopeForAccessToken': 'api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.default',
       'instance': 'https://login.microsoftonline.com/',
       'tenantId': 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy',
       'clientId': 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz',
       'timeout': 10000,
       'clientCertificate': {
           'storeName': 'My',
           'storeLocation': 'CurrentUser',
           'thumbPrint': 'xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyz',
           'description': 'Client certificate for wso2-devel',
           'checkValidity': false
       }
   }"/>
</appSettings>

Each key consists of the prefix feature-jwt-token-provider- followed by the provider's programmatic name. That name must match the name property inside the key's value. In the example above, the providers are therefore named a and b, respectively.

The value is JSON, and because it sits inside a double-quoted XML attribute it must be XML escaped: a double quote becomes &quot; and an ampersand becomes &amp;. For simple values you can avoid most of the escaping by writing the JSON with single quotes instead of double quotes, as the example above does. Characters such as &, < and the quote character you chose still have to be escaped wherever they appear inside a value, which is easy to overlook in a generated client secret.

The following properties are generic and apply to all authentication providers:

name (required)
    The provider's name. It must be unique among the registered providers and must equal the suffix of the key.
type (required)
    The type of provider. Currently, only the Azure Active Directory token provider is supported, so the only valid value is azure-ad-provider. More authentication providers may become available in the future.
timeout (optional)
    How long, in milliseconds, the application waits for the token request to complete before giving up. Default value: 10000 (10 seconds).

In addition to the generic properties, each provider type has its own settings. For the Azure Active Directory provider, the following properties apply:

scopeForAccessToken (required)
    The Azure AD scope to request the token for. For an application-only (client credentials) token this is the target API's application ID URI followed by /.default, as in the example above; the issued token's audience is then that API.
instance (required)
    The Azure AD authority host, for example https://login.microsoftonline.com/ for the global cloud. Sovereign clouds use a different host.
tenantId (required)
    The ID of the Azure AD tenant that issues the token.
clientId (required)
    The application (client) ID of the app registration that requests the token.
clientSecret
    A client secret of the app registration identified by clientId, used to authenticate the token request. Mutually exclusive with clientCertificate; exactly one of the two must be set. The secret must be a valid, unexpired secret of that app registration in the target tenant. web.config stores it in clear text, so restrict read access to the file or encrypt the appSettings section with ASP.NET protected configuration (aspnet_regiis -pe); the certificate option avoids placing a reusable secret in the file altogether.
clientCertificate
    The certificate used to authenticate the token request. Mutually exclusive with clientSecret; exactly one of the two must be set. The certificate's public key must be uploaded to the app registration identified by clientId, and the certificate with its private key must be installed in the local certificate store that storeName, storeLocation and thumbPrint point to (the example uses the Personal store of the current user); the identity the application runs as needs read access to that private key.
For more information about client certificates, see Register TLS Client Certificates.
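The following is an added example, not code from the product or from this page, written for Node.js. It renders a provider entry as a properly escaped <add> element, reads one back (including the single-quote shorthand used above), applies the rules from the two property lists, and shows the client-credentials request that the clientSecret variant corresponds to. The function names, the single-quote fallback heuristic, and the assumption that the provider talks to the Azure AD v2.0 token endpoint (<instance><tenantId>/oauth2/v2.0/token) are this example's own; the page does not specify the endpoint.

```javascript
// Added example (not the product's own code): helpers for building, parsing and
// checking feature-jwt-token-provider-* entries according to the rules above.
// Function names and the single-quote fallback heuristic are this example's own.

const PREFIX = 'feature-jwt-token-provider-';
const REQUIRED = ['name', 'type', 'scopeForAccessToken', 'instance', 'tenantId', 'clientId'];

// Escape text for use inside a double-quoted XML attribute value.
function escapeXmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Reverse the predefined XML entities. Order matters: &amp; is handled last so that
// an escaped "&amp;quot;" is not turned into a quote.
function unescapeXml(s) {
  return s.replace(/&quot;/g, '"').replace(/&apos;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Render a provider object as an <add .../> element. Standard double-quoted JSON is
// used and escaped, so secrets containing quotes, apostrophes or ampersands survive.
function renderAddElement(provider) {
  return `<add key="${PREFIX}${provider.name}" value="${escapeXmlAttr(JSON.stringify(provider))}"/>`;
}

// Read the attribute value back. Standard JSON is accepted first; the single-quote
// shorthand shown on this page is accepted only when the text contains no double
// quote at all, because a secret containing an apostrophe makes that form ambiguous.
function parseProviderValue(attrValue) {
  const text = unescapeXml(attrValue);
  try {
    return JSON.parse(text);
  } catch {
    if (!text.includes('"')) return JSON.parse(text.replace(/'/g, '"'));
    throw new Error('provider value is neither standard nor single-quoted JSON');
  }
}

// Apply the documented rules; returns a list of problems (empty means the entry is valid).
function validateProviderEntry(key, provider) {
  const problems = [];
  if (!key.startsWith(PREFIX)) {
    problems.push(`key must start with ${PREFIX}`);
  } else if (key.slice(PREFIX.length) !== provider.name) {
    problems.push('the key suffix must equal the name property');
  }
  for (const p of REQUIRED) {
    if (typeof provider[p] !== 'string' || provider[p] === '') problems.push(`${p} is required`);
  }
  if (provider.type !== 'azure-ad-provider') problems.push('type must be azure-ad-provider');
  const hasSecret = 'clientSecret' in provider;
  const hasCert = 'clientCertificate' in provider;
  if (hasSecret === hasCert) problems.push('exactly one of clientSecret or clientCertificate must be set');
  if ('timeout' in provider && !(Number.isInteger(provider.timeout) && provider.timeout > 0)) {
    problems.push('timeout must be a positive integer number of milliseconds');
  }
  return problems;
}

// The request the clientSecret variant maps to: a client-credentials grant against the
// tenant's token endpoint. Assumption of this example: the Azure AD v2.0 endpoint
// (<instance><tenantId>/oauth2/v2.0/token); the page itself does not name the endpoint.
// The certificate variant sends a signed client_assertion instead and is not shown.
function buildTokenRequest(provider) {
  const base = provider.instance.endsWith('/') ? provider.instance : provider.instance + '/';
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: provider.clientId,
    client_secret: provider.clientSecret,
    scope: provider.scopeForAccessToken,
  });
  return {
    method: 'POST',
    url: `${base}${provider.tenantId}/oauth2/v2.0/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
    timeoutMs: provider.timeout ?? 10000, // the page's default when timeout is omitted
  };
}
```

Run it under Node.js. validateProviderEntry returns an empty list for the two entries shown above and reports, for example, an entry whose key suffix differs from its name property or one that sets both clientSecret and clientCertificate. renderAddElement deliberately emits standard JSON rather than the single-quote shorthand, so the output is safe for any secret value.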

Usage in server-side scripts

To retrieve a JWT access token in a server-side script, call the getJwtTokenByProviderName function from the code editor, passing the provider's name (the part of the key after the feature-jwt-token-provider- prefix). For example:

// Token issued by the provider registered under the key feature-jwt-token-provider-a
var myToken = getJwtTokenByProviderName('a');

For more information, see the Server SDK Reference Guide.
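As an added example (not part of this page or of the product's Server SDK), the following Node.js code shows what a script should check before sending a retrieved token as a bearer credential: decode the payload, confirm the token has not expired and is meant for the intended audience, then build the Authorization header. Decoding is not signature verification; the protected API performs that. The sample token, its claim values and the expected audience api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx are constructed for the example; in a real script the token would come from getJwtTokenByProviderName, and the product's script runtime may not provide Node's Buffer, on which the base64url helpers here rely.

```javascript
// Added example (not the product's own code): inspect a token obtained from a
// provider before using it as a bearer credential. Decoding a JWT is not verifying
// it; the receiving API checks the signature. The caller only wants to avoid
// sending a token that has expired, is not yet valid, or targets another audience.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact JWS into its decoded header and payload (signature left untouched).
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Returns true when the token may still be sent. nowSeconds is injectable so the
// check is deterministic; skewSeconds makes the caller refresh a little before the
// real expiry and tolerates small clock differences on the nbf side.
function tokenIsUsable(token, expectedAudience,
                       nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 60) {
  const { payload } = decodeJwt(token);
  if (typeof payload.exp !== 'number' || payload.exp - skewSeconds <= nowSeconds) return false;
  if (typeof payload.nbf === 'number' && payload.nbf - skewSeconds > nowSeconds) return false;
  if (expectedAudience !== undefined) {
    // aud may be a single string or an array (RFC 7519 section 4.1.3)
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(expectedAudience)) return false;
  }
  return true;
}

// Headers to attach when calling the protected API.
function bearerHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Constructed sample (NOT issued by Azure AD; the signature segment is a placeholder
// and would fail verification). Claim names follow RFC 7519; the values are made up.
const SAMPLE_NOW = 1700000000;
function makeSampleToken(payload) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.placeholder`;
}
const SAMPLE_AUDIENCE = 'api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
const SAMPLE_TOKEN = makeSampleToken({
  aud: SAMPLE_AUDIENCE,
  iss: 'https://login.microsoftonline.com/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/v2.0',
  iat: SAMPLE_NOW,
  nbf: SAMPLE_NOW,
  exp: SAMPLE_NOW + 3600,
});

// In a real script the token comes from getJwtTokenByProviderName('a');
// here the constructed sample stands in for it. Returns the headers to send,
// or null when a fresh token should be requested instead.
function demo(nowSeconds = SAMPLE_NOW) {
  return tokenIsUsable(SAMPLE_TOKEN, SAMPLE_AUDIENCE, nowSeconds) ? bearerHeaders(SAMPLE_TOKEN) : null;
}
```

The expected audience should be derived from the scope the provider was registered with, not hard-coded, and a script that caches the token should call tokenIsUsable before each reuse and fall back to getJwtTokenByProviderName when it returns false.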