Properties
To enable the Extended JWS Authorizer for a worker, set the following class as the authorizer type:
AUTHTYPE=com.czertainly.signserver.module.extendedjws.ExtendedJwsAuthorizer
The following properties can be configured:
Property | Description | Default Value | Mandatory |
---|---|---|---|
SERVER.N.ISSUER | Issuer of the JWS. It must match the iss claim contained in the JWS. Several authorization servers can be configured; the number N links the properties that belong to the same authorization server configuration. | NONE | YES |
SERVER.N.PUBLICKEY | Base64 encoded public key of the authorization server, used to validate the JWS signature. The public key is matched with the issuer based on the number N. | NONE | YES |
SERVER.N.KEYALGORITHM | Public key algorithm. The algorithm is matched with the associated public key based on the number N. Currently supported algorithms are: | RSA | NO |
SERVER.N.DESCRIPTION | Description of the authorization server, for identification. | NONE | NO |
JWS.N.CLAIM.NAME | Name of a claim that must be present in the JWS for authorization. When the claim is not present, the user is unauthorized. | NONE | Must be present when JWS.N.CLAIM.VALUE is present. |
JWS.N.CLAIM.VALUE | Value that the claim named by JWS.N.CLAIM.NAME must have. If the value of the claim does not match, the user is unauthorized. | NONE | Must be present when JWS.N.CLAIM.NAME is present. |
MAX_ALLOWED_CLOCK_SCEW | Clock skew, in seconds, to tolerate when verifying the local time against the exp and nbf claims of the JWS. | 300 | NO |
ACCEPTED_AUDIENCES | Comma separated list of accepted audiences that is checked against the intended audiences in the audience claim of the JWS. If the JWS has an audience, it must match one of the configured audiences, otherwise the user is not authorized. | NONE | NO |
CLAIMS_TO_CONTEXT | When true, all claims from the JWS are added into the RequestContext and can be used further in the signing process. | false | NO |
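As an added, self-contained illustration (not the authorizer's own code), the following Python applies the checks the properties above describe to a compact JWS: issuer lookup, signature, exp/nbf with clock skew, accepted audiences, and the configured claim pairs. The configuration values are assumed, the signature check is delegated to a callback that stands in for the RSA verification with SERVER.N.PUBLICKEY, and it assumes that every configured JWS.N.CLAIM pair must match.

```python
import base64
import json
# Constructed worker configuration using the property names from the table; values are assumed.
CONFIG = {
    "SERVER.1.ISSUER": "https://issuer.example",
    "JWS.1.CLAIM.NAME": "role",
    "JWS.1.CLAIM.VALUE": "signer",
    "MAX_ALLOWED_CLOCK_SCEW": 300,
    "ACCEPTED_AUDIENCES": "signserver,pdf-signer",
}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def compact_jws(claims, signature):
    """Build a compact JWS (header.payload.signature) from constructed claims."""
    header = b64url_encode(b'{"alg":"RS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(signature)}"

def authorize(token, config, verify_signature, now):
    """Issuer, signature (verify_signature stands in for the RSA check with
    SERVER.N.PUBLICKEY), exp/nbf with skew, audiences, then JWS.N.CLAIM pairs."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed JWS"
    issuers = {v for k, v in config.items() if k.startswith("SERVER.") and k.endswith(".ISSUER")}
    if claims.get("iss") not in issuers:
        return False, "unknown issuer"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(claims["iss"], signing_input, b64url_decode(sig_b64)):
        return False, "invalid signature"
    skew = config.get("MAX_ALLOWED_CLOCK_SCEW", 300)
    if now > claims.get("exp", float("inf")) + skew or now < claims.get("nbf", float("-inf")) - skew:
        return False, "outside exp/nbf window"
    accepted = config.get("ACCEPTED_AUDIENCES")
    if accepted and "aud" in claims:
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if not set(aud) & {a.strip() for a in accepted.split(",")}:
            return False, "audience not accepted"
    for key, name in config.items():
        if key.startswith("JWS.") and key.endswith(".CLAIM.NAME"):
            if claims.get(name) != config.get(key[:-4] + "VALUE"):
                return False, f"claim {name} missing or mismatched"
    return True, "authorized"
```

A token whose exp lies within MAX_ALLOWED_CLOCK_SCEW seconds in the past is still accepted, which is the tolerance the property configures.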