
Authenticate a user for the Dashboard via SSO using JWE

Sredny M. edited this page Nov 5, 2024 · 2 revisions

Since TIB 1.6.0, JWE is compatible with OIDC. To get started, enable it in the profile and specify the private key file. You can use the following profile as a starting point:

{
  "ID": "my-JWE-profile",
  "OrgID": "{ORGID}",
  "ActionType": "GenerateOrLoginUserProfile",
  "Type": "redirect",
  "ProviderName": "SocialProvider",
  "ProviderConfig": {
    "CallbackBaseURL": "{TIB-HOST}",
    "FailureRedirect": "{DASHBOARD-HOST}/?fail=true",
    "JWE": {
      "Enabled": true,
      "PrivateKeyLocation": "{private/key/path/or/cert-id.pem}"
    },
    "UseProviders": [
      {
        "DiscoverURL": "{IDP-.well-known/openid-configuration}",
        "Key": "{client-id}",
        "Secret": "{client-s3cr3t}",
        "Name": "openid-connect",
        "Scopes": [
          "openid",
          "email"
        ]
      }
    ]
  },
  "IdentityHandlerConfig": {
    "DashboardCredential": "{DASH-CREDENTIALS}"
  },
  "ReturnURL": "{DASHBOARD-HOST}/tap"
}

To use JWE in Tyk Identity Broker (TIB), you need to load a certificate that contains both the public certificate and the private key. Here’s how to properly prepare and load the certificate:

Certificate Format

PEM Format: The certificate must be in PEM format, which includes:

  • The public certificate section, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
  • The private key section, starting with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.
  • Combined Certificate: Both sections should be included in a single file, meaning you’ll concatenate the public certificate and the private key into one PEM file.
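Before pointing PrivateKeyLocation at the combined file, it is worth checking that it really holds both blocks and that the private key belongs to the certificate. The Go program below is an added example, not TIB's own code: CheckCombinedPEM performs that check, while NewKey and BuildCombinedPEM are hypothetical helpers that construct a sample file (including a deliberately mismatched one) so the check can be exercised offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// CheckCombinedPEM validates a TIB JWE PrivateKeyLocation file: it needs a CERTIFICATE
// block and an RSA PRIVATE KEY block, and the key must belong to the certificate.
func CheckCombinedPEM(data []byte) error {
	var cert *x509.Certificate
	var key *rsa.PrivateKey
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		var err error
		switch block.Type { // other block types (e.g. an intermediate cert) are ignored
		case "CERTIFICATE":
			cert, err = x509.ParseCertificate(block.Bytes)
		case "RSA PRIVATE KEY":
			key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		}
		if err != nil {
			return err
		}
	}
	if cert == nil || key == nil {
		return errors.New("file must contain both a CERTIFICATE and an RSA PRIVATE KEY block")
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return errors.New("private key does not match the certificate's public key")
	}
	return nil
}

// NewKey makes a 2048-bit RSA key for the constructed samples (hypothetical helper).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildCombinedPEM returns a constructed sample in the layout described above: a self-signed
// certificate for certKey, then pemKey in PKCS#1 form (a different pemKey gives a mismatch).
func BuildCombinedPEM(certKey, pemKey *rsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &certKey.PublicKey, certKey)
	if err != nil {
		panic(err) // constructed sample: cannot fail with a valid key
	}
	cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(cert, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(pemKey)})...)
}
```

To check a real file, read it with os.ReadFile and pass the bytes to CheckCombinedPEM; a nil result means the file is in the layout this page describes.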