Token Issuers

Grid validates tokens issued by multiple token issuers within the same installation. Each token issuer has its own configuration in Grid. If a token issuer uses more than one 'iss' claim value in its tokens, you must create a separate configuration for each approved issuer value.

Grid uses the 'iss' claim in ID tokens to select the validation process and the subsequent handling of the token once it is validated.

Token issuer configuration properties

Table 1. Metadata properties
Property Required Description
Name Yes Use a short, descriptive, and unique name for each configuration. This name appears in tabs on the left side of the page.
Well-known URI Yes Enter the URL that points to the openid-configuration JSON document.
Issuer Yes The value of the 'iss' claim in the tokens that the Grid receives.
Validate Token Issuer No When this option is checked, validation verifies that the 'iss' claim value matches the issuer field in the well-known openid-configuration document. The option is checked by default.
Principal Name Claim Yes This is the name of the token claim used as a unique user identifier.
Display Name Claim No The name of the token claim used as the display name for the principal in the request. If not specified, it defaults to the value of the Principal Name Claim.
Tenant Claim No The name of the token claim to use as the tenant value for the principal in the request. If this property is not set, the resulting principal will not have a tenant value.
Role Claim No The name of the token claim that serves as the roles for the principal in the request. If not specified, the principal will not be assigned any roles.
Time skew No The maximum permitted clock skew, in seconds, when validating token expiration. The default value is 30 seconds.
Fallback Signature Algorithm No The fallback signature algorithm for token signature validation. This is necessary only if the openid-configuration metadata does not include 'id_token_signing_alg_values_supported'. The default is RS512 if not set.
Require Audience No Set if the 'aud' claim is required in the token.
Audience No If set, the 'aud' claim in the token must match this value for the token to be valid.
Endpoint Trust Yes Select Custom for certificate pinning, which provides higher security, or choose CA Certs to use the Java runtime's certificate trust store (cacerts).

Certificate Data No The certificates Grid needs to establish trust with the metadata endpoint and the JWKS endpoint. Required when Endpoint Trust is set to Custom.
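The following is an added example, not Grid's own code, showing the Table 1 properties applied in order to an incoming token: the 'iss' claim selects the configuration, Validate Token Issuer compares it with the metadata issuer, expiry is checked with the Time skew, the Audience rules are applied, and the principal is built from the configured claim names. The two issuer configurations, their metadata documents and the claims are constructed for the example; the signature step uses an HMAC (HS256) secret so that it runs offline, standing in for the RS512 check that Grid performs against the issuer's JWKS.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed issuer configurations keyed by the approved 'iss' value; field
# names follow the Table 1 properties. "metadata" stands in for the
# openid-configuration document behind the Well-known URI, and "key" is an
# HMAC secret used only so this example signs and verifies offline.
ISSUERS = {
    "https://idp.example.com/tenant-a": {
        "validate_token_issuer": True,
        "principal_name_claim": "sub",
        "display_name_claim": "name",
        "tenant_claim": "tid",
        "role_claim": "roles",
        "time_skew": 30,
        "require_audience": True,
        "audience": "grid",
        "metadata": {"issuer": "https://idp.example.com/tenant-a"},
        "key": b"tenant-a-secret",
    },
    # Metadata issuer differs from the configured 'iss': with Validate Token
    # Issuer on, every token from this issuer fails at step 2 below.
    "https://idp.example.com/tenant-b": {
        "validate_token_issuer": True,
        "principal_name_claim": "upn",
        "metadata": {"issuer": "https://idp.example.com/tenant-b/v2"},
        "key": b"tenant-b-secret",
    },
}

@dataclass
class Principal:
    name: str
    display_name: str
    tenant: Optional[str]
    roles: list

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Sign claims with HS256 (stand-in for the issuer's RS512 signature)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate(token: str, now: int) -> Principal:
    """Apply the Table 1 rules in order; raise ValueError naming the failed rule."""
    # Wrong segment count, bad base64 or bad JSON all raise ValueError here.
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(body_b64))

    # 1. The 'iss' claim selects the configuration; unknown issuers are rejected.
    iss = claims.get("iss")
    cfg = ISSUERS.get(iss)
    if cfg is None:
        raise ValueError(f"no token issuer configured for iss={iss!r}")
    # 2. Validate Token Issuer: 'iss' must equal the metadata 'issuer' field.
    if cfg["validate_token_issuer"] and cfg["metadata"]["issuer"] != iss:
        raise ValueError("iss does not match openid-configuration issuer")
    # 3. Signature over header.payload (HMAC stand-in for the JWKS-based check).
    expected = hmac.new(cfg["key"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    # 4. Expiry, allowing the configured Time skew (default 30 s).
    if "exp" not in claims or now > int(claims["exp"]) + cfg.get("time_skew", 30):
        raise ValueError("token expired")

    # 5. Audience: presence if Require Audience, then match if Audience is set.
    aud = claims.get("aud")
    if cfg.get("require_audience") and aud is None:
        raise ValueError("aud claim required")
    want = cfg.get("audience")
    if want is not None and want not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not match configured audience")

    # 6. Build the principal from the configured claim names.
    name_claim = cfg["principal_name_claim"]
    if name_claim not in claims:
        raise ValueError(f"missing principal name claim {name_claim!r}")
    name = str(claims[name_claim])
    display_claim = cfg.get("display_name_claim")
    display = str(claims.get(display_claim, name)) if display_claim else name
    tenant_claim, role_claim = cfg.get("tenant_claim"), cfg.get("role_claim")
    tenant = claims.get(tenant_claim) if tenant_claim else None
    roles = list(claims.get(role_claim, [])) if role_claim else []
    return Principal(name, display, tenant, roles)

def rejection_reason(token: str, now: int):
    """None when the token is accepted, otherwise the reason validate() gave."""
    try:
        validate(token, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Note that the role list is copied raw from the Role Claim here; Table 2's Role Mapping Mode decides what the principal is finally allowed to carry.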

Table 2. Role Mappings properties
Property Required Description
Role Mapping Mode No Select from MAP, PASSTHROUGH, or PASSTHROUGH_ADMIN modes.
  • MAP: Configure explicit role mappings from the Role Claim. Each source role in the Role claim can be mapped to a list of Grid or Grid application roles.
  • PASSTHROUGH: Assign all roles from the Role Claim and set them as roles in the Grid Principal, excluding administrative roles.
  • PASSTHROUGH_ADMIN: This mode assigns all values from the Role Claim to the Grid Principal without filtering out any roles.

The default value is MAP but with no mappings.

Role Mapping No Applies only when Role Mapping Mode is set to MAP. Configure a list of Grid and Grid-application roles to map to specific roles from the token's Role Claim. If the Role Claim includes multiple roles, map each role individually; the resulting role set is the union of the roles mapped from each role in the token's Role Claim.
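An added example, not Grid's own code, of the three Role Mapping Mode values applied to the same Role Claim. The role names, the MAP table and the set of administrative roles are assumptions for the example, not Grid's actual role catalogue; the function also accepts a single-valued Role Claim, which some issuers emit as a string rather than a list.

```python
# Constructed example of the three Role Mapping Mode values in Table 2. The
# role names, the MAP table and the set of administrative roles are
# assumptions for this example, not Grid's actual role catalogue.
ADMIN_ROLES = {"grid-admin", "grid-security-admin"}

ROLE_MAPPING = {  # MAP: source role in the Role Claim -> Grid / application roles
    "finance-users": ["app-finance:reader"],
    "finance-admins": ["app-finance:reader", "app-finance:writer"],
    "it-ops": ["grid-admin"],  # an admin role is only reachable through an explicit mapping
}

def map_roles(mode: str, claim_roles, mapping=ROLE_MAPPING, admin_roles=ADMIN_ROLES) -> list:
    """Roles the principal ends up with, de-duplicated in first-seen order."""
    if isinstance(claim_roles, str):  # a single-valued claim is still one role
        claim_roles = [claim_roles]
    if mode == "MAP":
        # Each source role is mapped individually; unmapped roles contribute
        # nothing, so the default (MAP with no mappings) yields no roles.
        out = [r for src in claim_roles for r in mapping.get(src, [])]
    elif mode == "PASSTHROUGH":
        out = [r for r in claim_roles if r not in admin_roles]
    elif mode == "PASSTHROUGH_ADMIN":
        out = list(claim_roles)
    else:
        raise ValueError(f"unknown Role Mapping Mode {mode!r}")
    return list(dict.fromkeys(out))
```

The practical difference between the modes is who controls the administrative roles: under MAP only the mapping table can grant one, under PASSTHROUGH the issuer's claim values are trusted except for admin roles, and under PASSTHROUGH_ADMIN the issuer is trusted for everything, including grid-admin.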

Table 3. Service Permissions properties
Property Required Description
Add service No Maps request URI paths to service names. Required to enable impersonation of JWT-based sessions in Grid, optional otherwise. Grid honours impersonation headers based on this mapping and on the presence of the run-as permission in the token's authorization claim: impersonation is allowed only if the service identified by the path mapping has the "run-as" permission. See the Infor Ming.le Authorization Service documentation for details.
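An added example, not Grid's own code, of the "Add service" path mapping and the run-as check described above. The path-to-service table, the service names and the shape of the authorization claim (a dictionary of service name to permission list) are assumptions made for this example; the real claim layout is defined by the Infor Ming.le Authorization Service documentation. The mapping uses longest-prefix matching on path segments, so a more specific path takes precedence over a catch-all.

```python
# Constructed path-to-service table for the example. "/" acts as the catch-all;
# the more specific prefixes win for requests underneath them.
SERVICE_PATHS = {
    "/": "grid-ui",
    "/api/finance": "finance",
    "/api/finance/batch": "finance-batch",
}

def service_for_path(path: str, paths=SERVICE_PATHS):
    """Longest matching prefix, on whole segments, so /api/financex is not /api/finance."""
    path = path.split("?", 1)[0]  # the query string plays no part in the mapping
    best = None
    for prefix, service in paths.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, service)
    return best[1] if best else None

def impersonation_allowed(path: str, authorization: dict, paths=SERVICE_PATHS) -> bool:
    """Honour an impersonation header only if the mapped service holds 'run-as'.

    `authorization` is the assumed layout {service_name: [permission, ...]} of the
    token's authorization claim. A request whose path maps to no service is denied.
    """
    service = service_for_path(path, paths)
    if service is None:
        return False
    return "run-as" in authorization.get(service, [])
```

The batch case in the test below is the one to watch: a token that carries run-as for the finance service does not get impersonation on /api/finance/batch/..., because that path maps to a different service.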