External JWT Identity Provider

    Overview

    The External JWT Identity Provider is not intended to provide a login button in FusionAuth. Instead, this configuration is intended for use with the JWT Reconcile API.

    Using this identity provider allows you to authenticate with a third party that can provide you a JSON Web Token (JWT). Then you may take this JWT and send it to FusionAuth to reconcile the user. The reconcile process is essentially logging that user into a particular FusionAuth application.

    The configuration for this identity provider allows you to configure some claim mapping from the third party JWT to the FusionAuth user, and it will require one or more keys that will allow FusionAuth to verify the signature of the third party JWT. These keys will be added to the Verification Keys section documented below.

    This external JWT Identity Provider flow is not compatible with the hosted login pages. This integration is accessible through our API only.

    Additionally, if you are integrating with any of the identity providers for which there is a provided Identity Provider integration (whether specific like Facebook or generic like OIDC), prefer those options over this provider.

    In general, you should use the /api/identity-provider/login endpoint of another Identity Provider rather than the External JWT provider if one is available.

    If you are looking to add a login button to FusionAuth for users to authenticate against a third party identity provider, this is not the configuration you’re looking for, move along.

    Create an External JWT Identity Provider

    To create an Identity Provider navigate to Settings → Identity Providers and click Add provider and select External JWT from the dialog. This will take you to the Add panel, and you will need to fill out the required fields.

    Add External JWT

    Form Fields

    Id Optional

    An optional UUID. When this value is omitted a unique Id will be generated automatically.

    Name Required

    A unique name to identify the identity provider. This name is for display purposes only and it can be modified later if desired.

    Reconcile lambda Optional Available since 1.17.0

    A lambda may be utilized to map custom claims from the JWT. This may be used in addition to, or in place of the claim mapping on the JWT tab.

    To configure a lambda, navigate to Customizations → Lambdas.

    Debug enabled Optional default is false

    Enable debug to create an event log to assist you in debugging integration errors.

    Applications

    To enable this identity provider for an application, find your application name in the table. You will always see the FusionAuth application, this application represents the FusionAuth user interface. If you wish to be able to log into FusionAuth with this provider you may enable this application.

    In the above screenshot, you will see that we have enabled this login provider for the Pied Piper application and enabled Create registration. Enabling create registration means that a user does not need to be manually registered for the application before using this login provider.

    For example, when a new user attempts to log into Pied Piper using this identity provider, if their user does not exist in FusionAuth it will be created dynamically, and if the Create registration toggle has been enabled, the user will also be registered for Pied Piper and assigned any default roles assigned by the application.

    If you do not wish to automatically provision a user for this Application when logging in with PiedPiper, leave Create registration off and you will need to manually register a user for this application before they may complete login with this provider.

    JWT

    This configuration is necessary to allow FusionAuth to properly inspect the third-party JWT once the signature has been verified.

    Add External JWT

    Form Fields

    Unique claim Required

    This value is the name of the claim in the third-party JWT where FusionAuth can find the user’s email address. The email address will be used in FusionAuth to uniquely identify a user.

    This field defaults to email, this is likely the correct claim name.

    Header key identifier Required

    This value is the name of the claim in the third-party JWT header FusionAuth can find the identifier used to indicate which key pair was used to generate the JWT signature. This allows FusionAuth to use the correct key if more than one key is provided in the Verification Keys configuration.

    This field defaults to kid, this is a common identifier used in the JWT header to identify the key used to generate the signature.

    Add Claim Mapping Dialog

    If you click on the Add Claim button on this page you will be presented with the following dialog.

    Add Claim Mapping

    Form Fields

    Incoming claim Required

    The name of the claim in the third-party JWT that you would like to map to a FusionAuth user claim

    FusionAuth claim Required

    The FusionAuth user claim to receive the value of the specified claim in the third-party JWT. If you select the special values UserData or RegistrationData the value will be stored in either the user or registration data with the key being the claim name.

    For example, if you select company as the incoming claim, and specify RegistrationData, the claim will be stored in the registration data for the corresponding application. 

    
{
 "registration": {
   "data": {
    "company": "Acme. Corp"
   }
 }
}

    Managed Domains

    To successfully reconcile a JWT to FusionAuth using this identity provider, you can optionally specify one more managed domains. A managed domain will indicate to FusionAuth this identity provider can reconcile a user based upon their email address.

    For example, if a user’s email address is jared@piedpiper.com, in order for a JWT owned by Jared to be reconciled to FusionAuth using this identity provider, piedpiper.com could be configured as a managed domain. You may leave this blank. If you do so, then any email can be used with this identity provider. This is helpful if you are not certain which email domains your users will have.

    A domain may only be managed by a single identity provider. More than one domain may be added per identity provider.

    Add External JWT

    Form Fields

    Managed domains Optional

    This identity provider may only be used to reconcile a user that has an email address that matches a configured domain. If you do not know which domains you would like to manage, you may leave this empty for now and return and add them later.

    If you would like to add more than one domain, use a separate line per domain.

    These configured domains will be used by the Lookup API and the Reconcile API.

    Verification Keys

    For FusionAuth to use this identity provider to reconcile third-party JWTs, you will need to provide one or more verification keys. This key will likely be an X.509 public certificate or other PEM encoded public key that may be used to verify the JWT signature.

    Add External JWT

    Add Key Dialog

    If you click on the Add Key button on this page you will be presented with the following dialog.

    Add Verification Key

    Form Fields

    Default key Defaults to false

    Optionally a single key may be designated as the default key. You may use this feature if the JWT you will be sending to FusionAuth to be reconciled will not have a key identifier kid value in the JWT header.

    In this scenario, there will be no kid to indicate which key was used to sign the JWT, so if a default key has been designated, the default key will be used to verify the signature.

    If you only have JWTs with the kid claim, or another key identifier, you will not use this feature. When this toggle is enabled, the Key identifier field will be disabled and no longer required.

    Key identifier required

    The string identifier for this key. If this is an X.509 certificate you may leave this field blank and the X.509 certificate thumbprint will be generated for you.

    If this is a normal PEM encoded RSA public key, for example, you will need to provide the key identifier. This identifier should be the value that will be written to the kid header of the JWT provided by the external identity provider.

    Encoded key required

    The PEM encoded key may be an X.509 certificate or other PEM encoded public key.

    OAuth

    The OAuth configuration is not a functional part of this identity provider. Instead, it is provided for convenience only.

    If you review the API response of the Lookup API you will notice it returns these two values. You may use these values then at runtime to identify where to redirect the user to complete authentication.

    Add External JWT

    Form Fields

    Authorization endpoint Optional

    The URL of the OAuth 2.0 Authorization endpoint in use by the third party identity provider that will be providing the third-party JWT.

    Token endpoint Optional

    The URL of the OAuth 2.0 Token endpoint in use by the third party identity provider that will be providing the third-party JWT.

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.