Hi Vijay,
No, this is not what I meant. The attached document is about step 1, where the client sends a JWT as an authorization bearer header.
The background is that when you develop an application, it usually consists of an (Angular) frontend that calls several different API backend services. The frontend handles the OIDC flows (code grant or implicit) and in the end receives an ID token and an access token. To access the backend APIs, the frontend calls these backend APIs with the access token as an authorization bearer header, and that authorizes API access.
Now, Siteminder provides the access token as an opaque token, which is basically a reference, a string of characters. It means that each API backend needs to call the introspection endpoint on the Siteminder Access Gateway to validate the access token, e.g. the expiration time. This could flood the gateway, and it requires availability.
What other vendors like KeyCloak and Okta do is provide the access token as a JWT, similar to the ID token, that already contains all the information like expiration time, group memberships, etc. It is a self-contained token. It means that each API backend does not need to call the introspection endpoint each time, and it could even work in an offline mode.
Hence my question whether Siteminder will provide this feature. The OIDC spec does not mandate any format for the access token, but providing it as a JWT has lots of advantages.
Thanks,
Bert
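The local validation Bert describes (a backend API checking a self-contained JWT access token itself, with no call to an introspection endpoint) as an added example that is not code from the thread or from Siteminder, Okta or Keycloak. It assumes an HS256 shared secret, a placeholder issuer and an audience name so it runs offline; a real IdP signs with RS256 and publishes its keys at a JWKS URL, and the backend would fetch and cache those instead.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not from the thread). HS256 with a shared
# secret keeps the example self-contained; production IdPs use RS256 plus JWKS.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example.invalid"  # placeholder issuer
EXPECTED_AUDIENCE = "orders-api"                 # this backend's own identifier

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(claims: dict) -> str:
    """Stand-in for the IdP's token endpoint: build and sign an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_access_token(token: str, now: int) -> dict:
    """Validate a self-contained access token locally, with no introspection
    call to the gateway. Raises ValueError on failure, returns the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the backend expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # exp is the expiration time Bert mentions; require it and compare to 'now'.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims

def is_valid(token: str, now: int) -> bool:
    """Boolean wrapper for request handlers; `now` is the current Unix time."""
    try:
        return bool(validate_access_token(token, now))
    except ValueError:
        return False
```

Every check above (signature, iss, aud, exp) is answered from the token itself, which is why each backend can keep serving requests when the gateway is unreachable.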
Original Message:
Sent: 11-25-2019 03:03 PM
From: Vijay Masurkar
Subject: Access Token as JWT
Bert, take a look at this; is this what you're looking for? Note that Single Sign-On authenticates JWTs either by generating an SMSESSION or without generating an SMSESSION.
JSON Web Token (JWT) Authentication Scheme
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/json-web-token-jwt-authentication-scheme.html
Take care.
Original Message:
Sent: 11-25-2019 04:54 AM
From: Bert de Roos
Subject: Access Token as JWT
Hi,
Are there any plans within Siteminder to provide the access token as a JWT token, as more vendors do (like Okta, KeyCloak)?
Thanks,
Bert