Get Signed JWT
The Get Signed JWT task is used to sign a JWT (JSON Web Token).
Using the RS256 algorithm, the task ensures robust cryptographic security during JWT signing. The resulting token effectively encapsulates specified authorization scopes and incorporates a TTL (time-to-live) mechanism to enforce its expiration, thereby maintaining secure access control.
Task parameters
Configure these parameters for the Get Signed JWT task.
| Parameter | Description | Required/ Optional |
|---|---|---|
| inputParameters. subject | The subject of the JWT, typically representing the entity (e.g., user or service) for which the token is issued. | Required. |
| inputParameters issuer | The entity issuing the JWT, identifying who created and signed the token. | Required. |
| inputParameters. privateKey | The private key used to sign the JWT. This key needs to be in PKCS#8 format. | Required. |
| inputParameters. privateKeyId | The identifier for the private key used to sign the JWT. | Required. |
| inputParameters. audience | The intended recipient(s) of the JWT. | Required. |
| inputParameters. ttlInSeconds | The time-to-live (TTL) or expiration time of the JWT, specified in seconds. | Required. |
| inputParameters. scopes | The scopes associated with the JWT, defining the access permissions granted by the token. It can be a string or an array of strings. | Required. |
| inputParameters. algorithm | The signing algorithm to use for the JWT. Currently set to RS256, which refers to the RSA signature with the SHA-256 hash algorithm. | Required. |
The following are generic configuration parameters that can be applied to the task and are not specific to the Get Signed JWT task.
Caching parameters
You can cache the task outputs using the following parameters. Refer to Caching Task Outputs for a full guide.
| Parameter | Description | Required/ Optional |
|---|---|---|
| cacheConfig.ttlInSecond | The time to live in seconds, which is the duration for the output to be cached. | Required if using cacheConfig. |
| cacheConfig.key | The cache key is a unique identifier for the cached output and must be constructed exclusively from the task’s input parameters. It can be a string concatenation that contains the task’s input keys, such as ${uri}-${method} or re_${uri}_${method}. | Required if using cacheConfig. |
Schema parameters
You can enforce input/output validation for the task using the following parameters. Refer to Schema Validation for a full guide.
| Parameter | Description | Required/ Optional |
|---|---|---|
| taskDefinition.enforceSchema | Whether to enforce schema validation for task inputs/outputs. Set to true to enable validation. | Optional. |
| taskDefinition.inputSchema | The name and type of the input schema to be associated with the task. | Required if enforceSchema is set to true. |
| taskDefinition.outputSchema | The name and type of the output schema to be associated with the task. | Required if enforceSchema is set to true. |
Other generic parameters
Here are other parameters for configuring the task behavior.
| Parameter | Description | Required/ Optional |
|---|---|---|
| optional | Whether the task is optional. The default is false. If set to true, the workflow continues to the next task even if this task is in progress or fails. | Optional. |
Task configuration
This is the task configuration for a Get Signed JWT task.
{
"name": "get_signed_jwt",
"taskReferenceName": "get_signed_jwt_ref",
"inputParameters": {
"subject": "${workflow.input.subject}",
"issuer": "${workflow.input.issuer}",
"privateKey": "${workflow.secrets.jwt-privatekey}",
"privateKeyId": "key-123",
"audience": "${workflow.input.audience}",
"ttlInSeconds": 3600,
"scopes": "${workflow.input.scope}",
"algorithm": "RS256"
},
"type": "GET_SIGNED_JWT"
}
Task output
The Get Signed JWT task will return the signed JWT in the secret variable _secrets. The signed JWT will be masked (***).
Adding a Get Signed JWT task in UI
To add a Get Signed JWT task:
- In your workflow, select the (+) icon and add a Get Signed JWT task.
- Enter the Subject and Issuer of the JWT.
- Provide the PrivateKey and PrivateKeyId used for signing JWT.
- Set the Audience, TTL (in seconds), Scopes, and Algorithm as required.
Examples
Here are some examples for using the Get Signed JWT task.
Authorization
{
"name": "get_signed_jwt_token",
"taskReferenceName": "get_signed_jwt_token_ref",
"inputParameters": {
"privateKey": "${workflow.secrets.gcp_private_key}",
"privateKeyId": "${workflow.secrets.gcp_private_key_id}",
"audience": "https://oauth2.googleapis.com/token",
"ttlInSecond": 3600,
"scopes": [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/documents",
"https://www.googleapis.com/auth/drive"
],
"subject": "service-account-name@project-id.iam.gserviceaccount.com",
"issuer": "service-account-name@project-id.iam.gserviceaccount.com"
},
"type": "GET_SIGNED_JWT"
}