PlainID can return authorization decisions from the Policy Decision Point (PDP) as signed JWTs, so that a consumer can verify that a decision is authentic and has not been modified in transit. To enable this, the PDP obtains its private signing key through the Secret Management Service, and additional configuration is required at both the Policy Authorization Agent (PAA) and Policy Administration Point (PAP) levels.
The following sections describe how to configure these settings, including defining the key source and customizing the attributes of the signed JWT response.
Scope Level Configuration
Beyond configuring the Secret Management Service and Secret Store in the Policy Authorization Agent (PAA), the JWT-specific settings described below must be configured in the PlainID Policy Administration Point (PAP).
JWT Sign In Settings

This section lists the configuration attributes that determine where the PDP obtains the private key used to sign the PlainID Policy Decision Point (PDP) JWT.
| Attribute | Description | Behavior |
|---|---|---|
| Secret Store | The ID of the Secret Store to use (a PAA can be configured with multiple Secret Stores). | If not specified, the default Secret Store (the one with default=true) is used; otherwise the specified Secret Store is used. |
| Path to Key | The path to the key in the vault. Relevant only for Secret Stores of type vault; not applicable to File or Environment Secret Stores. | If not specified, details.defaultPath from the Secret Store configuration is used. |
| Key Name | The name of the key in the vault. Relevant only for Secret Stores of type vault; not applicable to File or Environment Secret Stores. | If not specified, the PlainID Scope ClientID is used as the Key Name. |
JWT Response Settings

JWT Response Attribute Settings
| Attribute | Description |
|---|---|
| Audience | The value to include in the aud claim. |
| X509 Certificate | The public X.509 certificate that the PDP publishes at its JWKS URL, so that a consumer of PDP decisions can validate the signature on the PDP-signed JWT. The key ID (kid) of the X.509 certificate entry in the JWKS is the ClientID of the PlainID Scope. |
| Token Lifetime - EXP (Seconds) | Token lifetime in seconds, used to set the exp claim. |
Sample JWKS URL
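The two settings sections above describe what the PDP needs in order to sign (the private key from the Secret Store) and what it publishes for consumers (the certificate in the JWKS, keyed by the Scope ClientID, plus the aud and exp values). The following Go program is an added example, not PlainID's code: it simulates both sides, generating its own RSA key and self-signed certificate in place of the key the Secret Store would supply, signing a decision as an RS256 JWT, and then verifying that token the way a consumer of PDP decisions should, using only the JWKS. The names NewPDP, Decision and VerifyDecision, the claim layout, the audience "api-gateway" and the ClientID "scope-client-id" are assumptions made for the example; this page does not describe PlainID's actual token claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK models one JWKS entry as the page describes it: certificate in x5c, Scope ClientID in kid.
type JWK struct {
	Kid string   `json:"kid"`
	Kty string   `json:"kty"`
	X5c []string `json:"x5c"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PDP stands in for the Policy Decision Point. In PlainID the private key comes from the
// Secret Store; here a fresh key and self-signed certificate are constructed test material.
type PDP struct {
	ClientID string
	key      *rsa.PrivateKey
	certDER  []byte
}

func NewPDP(clientID string) (*PDP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: clientID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return &PDP{ClientID: clientID, key: key, certDER: der}, nil
}

// JWKS is the key set a consumer would fetch from the PDP JWKS URL (kid = Scope ClientID).
func (p *PDP) JWKS() []JWK {
	return []JWK{{Kid: p.ClientID, Kty: "RSA", X5c: []string{base64.StdEncoding.EncodeToString(p.certDER)}}}
}

// Decision signs a decision as an RS256 JWT: aud from the Audience setting, exp = issue time + lifetime.
func (p *PDP) Decision(decision map[string]any, aud string, lifetimeSec int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": p.ClientID})
	now := time.Now().Unix()
	body, _ := json.Marshal(map[string]any{"iss": p.ClientID, "aud": aud, "iat": now, "exp": now + lifetimeSec, "decision": decision})
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// VerifyDecision is the consumer side: pin the algorithm, select the JWKS entry by kid,
// verify the signature with the x5c certificate, then enforce aud and exp.
func VerifyDecision(token string, keys []JWK, expectedAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) } // the token never chooses the algorithm
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid != hdr.Kid || len(k.X5c) == 0 { continue }
		der, err := base64.StdEncoding.DecodeString(k.X5c[0])
		if err != nil { return nil, err }
		cert, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		if rsaPub, ok := cert.PublicKey.(*rsa.PublicKey); ok { pub = rsaPub }
	}
	if pub == nil { return nil, fmt.Errorf("no usable JWKS entry for kid %q", hdr.Kid) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil { return nil, errors.New("bad signature") }
	bodyJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	if err := json.Unmarshal(bodyJSON, &claims); err != nil { return nil, err }
	if aud, _ := claims["aud"].(string); aud != expectedAud { return nil, fmt.Errorf("aud %q does not match %q", aud, expectedAud) }
	if exp, ok := claims["exp"].(float64); !ok || float64(now.Unix()) >= exp { return nil, errors.New("token expired or exp missing") }
	return claims, nil
}

func main() {
	p, _ := NewPDP("scope-client-id")
	tok, _ := p.Decision(map[string]any{"allow": true}, "api-gateway", 300)
	claims, err := VerifyDecision(tok, p.JWKS(), "api-gateway", time.Now())
	fmt.Println(claims["decision"], err)
}
```

The consumer-side checks are the ones that matter in production: the expected algorithm is pinned rather than read from the token, the key is chosen by kid (the Scope ClientID) from a key set fetched over HTTPS from the PDP JWKS URL, and a token whose aud does not name this consumer, or whose exp has passed, is rejected even when its signature is valid. A short Token Lifetime limits how long a captured decision remains replayable.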