
Administration Guide

Enhanced Mobile Token Verification in Web Protection Profile (8.0.0)

FortiWeb 8.0.0 enhances support for mobile token authentication by expanding verification methods, streamlining configuration, and improving token parsing logic. These enhancements improve usability and increase compatibility with modern mobile application architectures.

Streamlined Configuration and Expanded Token Verification Methods

The Mobile Application Identification settings have been relocated from the Mobile section to the API Protection section of the Web Protection Profile. This reorganization aligns the configuration with its role in token-based client authentication and consolidates related controls for improved usability.

FortiWeb now supports three verification methods for mobile tokens, selectable from the Mobile Application Identification field:

  • jwt-token-secret: Verifies tokens using a pre-shared secret (existing method).

  • jwt-public-key: Verifies tokens using a user-provided RSA public key.

  • jwks-endpoint: Retrieves verification keys from a remote JWKS (JSON Web Key Set) endpoint.

Parameter Requirements for Each Method

Each verification method takes a single parameter:

Method | Parameter | Description
jwt-token-secret | JWT Secret | Accepts a symmetric signing key (HMAC). Used to verify the JWT signature with the shared secret.
jwt-public-key | JWT Public Key | Accepts an RSA public key in PEM format. Enables asymmetric signature verification of incoming JWTs.
jwks-endpoint | JWKS Endpoint | Accepts a URI pointing to a JSON Web Key Set (JWKS). FortiWeb retrieves and caches the public keys it finds there and uses them to validate JWTs signed with asymmetric algorithms.

The two asymmetric options, jwt-public-key and jwks-endpoint, are what allow integration with identity providers that issue tokens under OAuth 2.0 and OpenID Connect, since such providers publish their signing keys rather than share a secret. jwt-token-secret requires the issuer's HMAC secret to be stored on FortiWeb, so it suits tokens issued by the application itself; note that any party holding that secret can mint tokens that pass verification.

Improved Token Parsing

FortiWeb now automatically strips the "Bearer:" scheme prefix when extracting the token from the HTTP request header (RFC 6750 writes the header as Authorization: Bearer <token>). If a well-formed JWT follows the prefix, FortiWeb verifies it using the configured method. If what follows is not a JWT (for example an opaque session token), verification fails, so the change does not weaken the original security posture: a token that cannot be verified is never accepted.
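The three methods and the prefix handling above, as an added example that is not FortiWeb code: a small standard-library Python verifier that extracts the token from an Authorization header value, accepts both the "Bearer:" form named in this guide and the RFC 6750 "Bearer " form, and checks the signature with the algorithm bound to the configured method rather than to the token's own alg header, so an RS256 token cannot be replayed as HS256 with the public key used as the HMAC secret. The RS256 routine, the demo RSA key generated at import time (1024 bits, far too small for production), the method names used as dictionary keys, the secret and the minted tokens are all assumptions for illustration; FortiWeb's internal implementation is not reproduced here.

```python
# Added example (not FortiWeb code): JWT extraction and method-bound verification, standard library only.
import base64, hashlib, hmac, json, random

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def extract_jwt(header_value):
    # Strip the scheme prefix (the guide's "Bearer:" or RFC 6750 "Bearer "), then require
    # a three-part JWT whose header and payload decode as JSON; anything else yields None.
    tok = header_value.strip()
    for prefix in ("bearer:", "bearer "):
        if tok.lower().startswith(prefix):
            tok = tok[len(prefix):].strip()
            break
    parts = tok.split(".")
    if len(parts) != 3 or not all(parts): return None
    try:
        json.loads(b64url_decode(parts[0])); json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None
    return tok

# --- minimal RS256 (RSASSA-PKCS1-v1_5 with SHA-256); key generation is demo-only ---
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=16):       # Miller-Rabin
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c): return c
def generate_rsa_key(bits=1024):            # demo size only (use >= 2048 in practice); returns (n, e, d)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e: return n, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(msg, n, d):                  # used only to mint the demo token
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# The accepted alg follows the configured method (the key type), never the token's own
# header: that is what blocks RS256 -> HS256 algorithm-confusion forgeries.
METHOD_ALG = {"jwt-token-secret": "HS256", "jwt-public-key": "RS256", "jwks-endpoint": "RS256"}

def verify_jwt(token, method, key):
    # key: bytes secret for jwt-token-secret, (n, e) for the RSA methods (with jwks-endpoint the caller picks the JWK by kid first)
    if token is None: return False
    h_b64, p_b64, s_b64 = token.split(".")
    if json.loads(b64url_decode(h_b64)).get("alg") != METHOD_ALG[method]: return False
    signing_input, sig = f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)
    if method == "jwt-token-secret":
        return hmac.compare_digest(sig, hmac.new(key, signing_input, hashlib.sha256).digest())
    return rs256_verify(signing_input, sig, *key)

def mint(claims, alg, signer):              # constructed demo tokens
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}.{b64url_encode(signer(f'{h}.{p}'.encode()))}"

SECRET = b"constructed-demo-secret-not-for-production"
N, E, D = generate_rsa_key()
HS_TOKEN = mint({"sub": "mobile-app"}, "HS256", lambda m: hmac.new(SECRET, m, hashlib.sha256).digest())
RS_TOKEN = mint({"sub": "mobile-app"}, "RS256", lambda m: rs256_sign(m, N, D))

def demo():
    h, _, s = HS_TOKEN.split(".")
    tampered = f"{h}.{b64url_encode(json.dumps({'sub': 'admin'}).encode())}.{s}"
    # forgery attempt: HS256 "signed" with the public key material as the HMAC secret
    confused = mint({"sub": "admin"}, "HS256", lambda m: hmac.new(str(N).encode(), m, hashlib.sha256).digest())
    return {
        "hs_ok": verify_jwt(extract_jwt("Bearer " + HS_TOKEN), "jwt-token-secret", SECRET),
        "rs_ok": verify_jwt(extract_jwt("Bearer: " + RS_TOKEN), "jwt-public-key", (N, E)),
        "tampered": verify_jwt(tampered, "jwt-token-secret", SECRET),
        "alg_confusion": verify_jwt(confused, "jwt-public-key", (N, E)),
        "opaque_token": extract_jwt("Bearer 0123abcd"),
    }
```

The point to carry over to any verifier is in METHOD_ALG: the configured method decides which algorithm is acceptable, and the token's alg header is only checked for agreement, never trusted to pick the key type. Calling demo() returns True for the two genuine tokens, False for the tampered payload and for the algorithm-confusion attempt, and None for the opaque token that is not a JWT.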

JWKS Certificate Caching

When using JWKS-based verification, FortiWeb caches the retrieved key material (the JWK entries, which may carry an x5c certificate chain) locally to reduce lookup overhead:

  • Retrieved keys are cached for 24 hours and checked every 5 minutes.

  • The cache holds up to 64 JWKS endpoints.

  • If a retrieval attempt fails, the failure itself is cached so that FortiWeb does not repeat the request on every token; it retries the retrieval after 5 minutes.

Because the fetched key set is the trust anchor for every token verified with this method, the JWKS URI should point to an HTTPS endpoint under the identity provider's control: whoever can alter what FortiWeb retrieves can sign tokens that FortiWeb will accept.

Diagnostic CLI Tools

Use the diagnose policy jwks-cache command to inspect or manage the local cache of public keys retrieved from JWKS (JSON Web Key Set) endpoints. This cache improves performance and reliability when verifying JWTs signed with asymmetric algorithms.

  • list – Displays the current JWKS certificate cache: each JWKS URI, its status and its reference count (the number of configurations that use it). Useful for confirming which keys FortiWeb is using for JWT validation.

  • delete – Removes an endpoint that is no longer referenced by any configuration, so FortiWeb stops re-checking and updating it. Useful for troubleshooting or for testing key rotation.
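The caching rules above and the list/delete semantics of the diagnostic command, as an added example that is not FortiWeb code: a Python model of a JWKS cache that keeps a fetched key set for 24 hours, re-checks an endpoint at most every 5 minutes, caches a failed retrieval and retries it after 5 minutes, refuses a 65th endpoint, and only deletes an endpoint whose reference count has dropped to zero. The class and method names, the constants, the entry layout and the stand-in fetch function are assumptions; the demo injects a fake clock so the timing rules can be exercised offline.

```python
# Added example (not FortiWeb code): a JWKS key cache with the behaviour described above:
# 24 h key lifetime, a freshness check at most every 5 min, negative caching of failed
# fetches with a retry after 5 min, a 64-endpoint limit, and a reference count that
# delete respects. Names, constants and the fetch function are assumptions.
import time

TTL = 24 * 3600            # a fetched key set is reused for 24 h
CHECK_INTERVAL = 5 * 60    # an endpoint is (re)checked at most every 5 min
MAX_ENDPOINTS = 64

class JwksCache:
    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch     # fetch(uri) -> parsed JWKS dict; raises on any failure
        self._clock = clock     # injectable so the demo can move time forward
        self._entries = {}      # uri -> {keys, fetched, checked, status, refs}

    def add_endpoint(self, uri):            # a profile starts referencing uri
        if uri in self._entries:
            self._entries[uri]["refs"] += 1
            return
        if len(self._entries) >= MAX_ENDPOINTS:
            raise RuntimeError(f"JWKS cache full ({MAX_ENDPOINTS} endpoints)")
        self._entries[uri] = {"keys": {}, "fetched": 0.0, "checked": 0.0, "status": "new", "refs": 1}
        self._refresh(uri)

    def _refresh(self, uri):
        ent, now = self._entries[uri], self._clock()
        ent["checked"] = now
        try:
            jwks = self._fetch(uri)
            ent["keys"] = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
            ent["fetched"], ent["status"] = now, "ok"
        except Exception as exc:            # negative cache: keep the failure, retry after CHECK_INTERVAL
            ent["status"] = f"failed: {exc}"

    def get_key(self, uri, kid):
        # Refetch only if the last check is older than CHECK_INTERVAL *and* the entry
        # is in a failed state or its key set is older than TTL; otherwise serve the cache.
        ent, now = self._entries[uri], self._clock()
        if now - ent["checked"] >= CHECK_INTERVAL and (ent["status"] != "ok" or now - ent["fetched"] >= TTL):
            self._refresh(uri)
        return ent["keys"].get(kid)

    def list(self):                         # what a 'list' diagnostic would show
        return [{"uri": u, "status": e["status"], "refs": e["refs"], "kids": sorted(e["keys"])}
                for u, e in self._entries.items()]

    def release(self, uri):                 # a profile stops referencing uri
        self._entries[uri]["refs"] -= 1

    def delete(self, uri):                  # 'delete' succeeds only for unreferenced endpoints
        ent = self._entries.get(uri)
        if ent is None:
            return False
        if ent["refs"] > 0:
            raise RuntimeError(f"{uri} is still referenced ({ent['refs']})")
        del self._entries[uri]
        return True

def demo():
    clock, calls = {"t": 1_000_000.0}, []
    good, bad = "https://idp.example/.well-known/jwks.json", "https://down.example/jwks.json"
    published = {good: {"keys": [{"kid": "k1", "kty": "RSA", "n": "constructed", "e": "AQAB"}]}}
    def fetch(uri):                         # constructed stand-in for the HTTPS fetch
        calls.append(uri)
        if uri not in published:
            raise ConnectionError("HTTP 503")
        return published[uri]
    cache = JwksCache(fetch, clock=lambda: clock["t"])
    cache.add_endpoint(good); cache.add_endpoint(bad)
    out = {"k1_found": cache.get_key(good, "k1") is not None,
           "bad_status": cache.list()[1]["status"].startswith("failed")}
    clock["t"] += 60;     cache.get_key(bad, "k1")      # failure cached: no new request yet
    out["fetches_after_1min"] = len(calls)
    clock["t"] += 5 * 60; cache.get_key(bad, "k1")      # 5 min later: retried once
    out["fetches_after_retry"] = len(calls)
    clock["t"] += TTL;    cache.get_key(good, "k1")     # good entry past 24 h: refetched
    out["fetches_after_ttl"] = len(calls)
    try:
        cache.delete(good); out["delete_referenced"] = "allowed"
    except RuntimeError:
        out["delete_referenced"] = "refused"
    cache.release(good)
    out["delete_after_release"] = cache.delete(good)
    for i in range(MAX_ENDPOINTS - 1):      # bad + 63 more fill the cache ...
        cache.add_endpoint(f"https://idp{i}.example/jwks.json")
    try:                                    # ... so the 65th endpoint is refused
        cache.add_endpoint("https://one-too-many.example/jwks.json"); out["limit_enforced"] = False
    except RuntimeError:
        out["limit_enforced"] = True
    return out
```

Two design points worth noting when reading the counters demo() returns: the negative cache means a downed identity provider costs one request per endpoint per 5 minutes rather than one per token, and a key that has just been rotated at the provider is not picked up until the entry is re-checked, so a rotation plan has to keep the old key published for at least the cache lifetime or have the endpoint removed and re-added.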
