Skip to main content

Introduction

JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. JWS are used to exchange authentication and authorization information and identities between various systems supporting OAuth 2.0. Authorization server issues JWS after successful identity verification, and it is validated by the SignServer that acts as a resource server. JSON-based data structure contains claims to pass information about user and additional information that is required for authorization. The claims are digitally signed and can be verified with the public key and certificate of the resource server. The Extended JWS Authorizer allows having the authorization server separate from the SignServer application and provides eIDAS compliant authentication and authorization to signing and validation workers using multi-factor authentication (MFA).

info

The Extended JWS token provides authorization of the signing request and propagates valid claims information into the signing process that can use them in order to perform and configure some specific attributes of certificates.

Use case example

There are several authorization servers available compliant to JWS specification according RFC 7515 and this implementation has been tested according that. The following use case example outlines authenticating authorization server to obtain JWS, then used it in the request sent from the client to SignServer. The client in the following overview could, for example, be an mobile application communicating with a document management system or remote signing backend.

3Key RA Profiles

Authentication and authorization flow

StepNameDescription
1Public key of the authorization server distributionThe worker in SignServer is configured to trust the public key of the authorization server. Authorization rules matching claims of the JWS are also configured.
2Client or user sends the request to consume serviceThe user requests signing or validation services from signing backend.
3Authentication requestedThe signing backend request for authentication from authorization server providing details about the user’s authentication domain.
4Authorization server provides authentication contextThe authentication context for the user is provided.
5Authentication context forwarder to userThe user receives the authentication context that should be used in order to authenticate to the service from authorization server. Context is used by the user.
6Authentication of the userUser authenticates using credentials with the authorization server. When MFA is enabled, there may be multiple rounds in the authentication process.
7Producing JWSUpon successful authentication, the user receives the JWS from the authorization server.
8Forward JWSUser forwards the JWS as a proof of successful authentication and authorization for signing / validation request.
9Request to sign / validateThe request with the JWS is submitted to SignServer.
10Perform task and provide responseSignServer validates the JWS and its claims to perform the operation and provide a response to signing backend.
11ResponseUser receives response from SignServer.