This space is deprecated and no longer supported. Please use the latest available version here.
JWT Authorization
- Chris Michael
- David Plews
This document sets out how a requestor should construct a jwt-auth header and how a receiver must validate the header.
1. Requirements for the requestor
1.1 Publication of signing keys on a JWKS
The requestor must publish the URL of the JWKS that must be used to verify messages to the receiver.
The JWKS must be publicly accessible over HTTPS.
The requestor must use an asymmetric RSA key of 2048 bits or more.
The requestor must ensure that the JWKS must have at least one signing key published. The key must have a unique
kidon the JWKS.When publishing a new key, the requestor must wait for 10 minutes before issuing a message with the key (to allow the receiver’s caches to refresh).
1.2 Creating the authorisation header
The requestor must ensure that the machine on which the signature is generated uses NTP to synchronise its clock.
The requestor must construct the header and payload for the JWT as specified in JWT Authorization | 3. JWT Auth Claims Reference .
The JWT must be signed using the
PS256algorithm using a private key whose public part has been published on the JWKS.The JWT must be included as a
bearertoken in theauthorizationhttp header.The https request must be made over mutual tls. The client certificate used to initiate the mutual tls session must have a
DNandOUthat matches the values placed in the signature.
2. Requirements for the receiver
2.1 Verifying the authorisation header
The receiver must ensure that the machine on which the signature is verified uses NTP to synchronise its clock.
The receiver must ensure that the request was received over a mutual tls connection.
The receiver must extract the jwt-auth token from the
authorizationhttp header.The JWT must verify the signature on the JWT using the
kidspecified in the JWS and the JWKS pre-specified by the sender.The receiver may cache the JWKS for up to ten minutes.
The receiver must verify each of the claims in the JWT has the expected value specified in JWT Authorization | 3. JWT Auth Claims Reference
3. JWT Auth Claims Reference
3.1 Header
Claim Name | Expected Value | Mandatory | Notes |
alg |
| Yes |
|
typ |
| Yes |
|
cty |
| Yes |
|
kid | The key ID of key-pair used to sign the message as published on the JWKS. | Yes | The specification does not support the use of other means of identifying the key as they are not considered to be secure enough (e.g. |
3.2 Body
Claim Name | Expected Value | Mandatory | Example value for JWT issued by Ozone | Notes |
iss | The organization | Yes |
| For a certificate with |
sub | The organization unit | Yes |
| For a certificate with |
aud | Identifier for the party receiving the JWT. | Yes |
| This must be set to the PROVIDER_ID specified by Ozone during configuration. |
exp | Time when the JWT will expire in UTC seconds since epoch. | Yes | 30 | We recommend an expiry time of 10-30s. When validating the JWT, allow for a 10s clock skew. The JWT is considered invalid if the current time is greater than this value. |
iat | Time when the JWT was issued in UTC seconds since epoch. | Yes |
| When validating the JWT, allow for a 10s clock skew. The JWT is considered invalid if the current time is less than this value. |
nbf | Time before which the JWT is invalid. | No |
| When validating the JWT, allow for a 10s clock skew. The JWT is considered invalid if the current time is less than this value (when specified). |
jti | A unique identifier for the JWT. | Yes |
| We recommend that the requestor populates this value with a uuidv4. This increases the entropy for the JWT. |
© Ozone Financial Technology Limited 2024-2025
Ozone Non Commercial Software EULA
Please try out our Advanced Search function.