Configuring JWT authentication

The NAV API supports authentication with JSON Web Tokens (JWT). The JWT issuers your NAV instance should accept tokens from are configured in `jwt.conf`. Each issuer's public key is required, and can be configured either directly as a PEM file or via a JWKS endpoint.

A configuration for two issuers may look like this:

[https://jwt-issuer1.no] # Name of issuer matching `iss` claim of issued tokens
aud=https://mynav.no # Expected value of the `aud` claim in issued tokens
keytype=JWKS # JWKS endpoint is used as source for public key
key=https://jwt-issuer1.no/jwks # URL to JWKS endpoint

[https://jwt-issuer2.no]
aud=https://mynav.no
keytype=PEM # PEM file is used as source for public key
key=/some/path/public_key.pem # Path to PEM file

Other issuers may be defined by adding additional sections of the same format. Note that each section name must match the `iss` claim of the tokens generated by that issuer; this is how NAV maps an incoming token to the correct configuration.

Likewise, `aud` must match the `aud` claim of the tokens. This is a security measure to ensure a NAV instance only accepts tokens meant for it; otherwise the NAV instance would accept every JWT generated by an issuer, so anyone able to obtain tokens from the same issuer could gain access to your NAV instance.
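As an added illustration of the lookup described above (example code, not NAV's own), the following Python parses a `jwt.conf` in the format shown, maps a token to its issuer section by `iss`, rejects it if `aud` does not match, and returns the key configuration the signature must then be verified against. The conf text and the token builder are constructed for the example; actual signature verification with the PEM or JWKS key is assumed to be done by a JWT library using the returned section.

```python
import base64
import configparser
import json

# Constructed jwt.conf mirroring the two-issuer example above (not NAV's own file).
JWT_CONF = """
[https://jwt-issuer1.no]
aud=https://mynav.no
keytype=JWKS
key=https://jwt-issuer1.no/jwks

[https://jwt-issuer2.no]
aud=https://mynav.no
keytype=PEM
key=/some/path/public_key.pem
"""


def load_issuers(text):
    """Parse jwt.conf; each section name is the expected `iss` value."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token):
    """Read the payload only; nothing here is trusted until the signature
    is checked with the key selected by select_issuer_config()."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def select_issuer_config(token, issuers):
    """Map a token to its issuer section via `iss`, then enforce `aud`.
    Returns the section (keytype/key) to verify the signature with."""
    claims = unverified_claims(token)
    iss = claims.get("iss")
    if iss not in issuers:
        raise ValueError("unknown issuer: %r" % iss)
    cfg = issuers[iss]
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows a list
    if cfg["aud"] not in audiences:
        raise ValueError("token not intended for this NAV instance")
    return cfg


def make_test_token(claims):
    """Constructed test token: header.payload with an empty signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```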