This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
We would like to request the addition of JWKS (JSON Web Key Set) token verification support in IBM App Connect v12-v13. This feature is crucial for integrating with modern authentication and authorization mechanisms, particularly within OAuth2 and OpenID Connect-based environments.
IBM MQ has this feature: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks
IBM App Connect v12 should be enhanced to support JWT (JSON Web Token) verification using JWKS (JSON Web Key Set). This would allow App Connect to dynamically retrieve public keys from an OpenID Connect-compliant authorization server and validate JWTs accordingly.
Currently, App Connect supports JWT authentication, but lacks automatic JWKS handling, which means public keys must be manually configured. By implementing JWKS support, App Connect could automatically retrieve, cache, and refresh public keys from a JWKS endpoint (e.g., https://auth.example.com/.well-known/jwks.json), significantly improving security and maintainability.
JWKS Endpoint Retrieval
App Connect should be able to fetch public keys from a configurable JWKS URL.
It should periodically refresh the keys to accommodate key rotation policies set by the identity provider (IdP).
JWT Signature Verification
Support for RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) algorithms, as per RFC 7518.
Verify the JWT’s signature using the corresponding public key from the JWKS set.
Support for kid (key ID) selection to identify the correct key within the JWKS response.
JWT Claims Validation
Support for validating the issuer (iss), audience (aud), and expiration (exp) claims.
Allow configurable validation rules via policy definitions or environment variables.
Key Caching & Rotation Handling
Implement a caching mechanism to store retrieved keys and minimize unnecessary network requests.
Support automatic key rotation detection to handle cases where old keys are deprecated.
Integration with OpenID Providers
Ensure compatibility with OpenID Connect-compliant identity providers, such as Keycloak, Okta, Auth0, Azure AD, Ping Identity, etc.
Reference OpenID Connect specifications:
Configuration Flexibility
The ability to configure JWKS verification via environment variables, properties files, or UI settings.
Options for manual key override in case of connectivity issues with the JWKS endpoint.
Improved Security: By supporting JWKS, App Connect will ensure that tokens are always validated against the latest public keys, reducing security risks from manual key management.
Compliance with Industry Standards: Many security frameworks, including FAPI (Financial-grade API), Open Banking, and Zero Trust architectures, mandate the use of JWKS-based authentication.
Reduced Operational Overhead: Automating key retrieval eliminates the need for frequent manual updates, streamlining system administration.
Enhanced Compatibility: This feature ensures seamless integration with modern cloud-native and microservices architectures using OpenID Connect-based authentication.
FAPI Readiness Criteria (FRC): Open Banking FAPI Readiness
OpenID Connect Specification: OIDC Core 1.0
RFC 7517 - JSON Web Key (JWK)
RFC 7518 - JSON Web Algorithms (JWA)
Idea priority: High