MicroProfile JWT (mpJwt)

The configuration to process the MicroProfile JWT token.

NameTypeDefaultDescription

audiences

string

The trusted audience list to be included in the aud claim in the JSON web token.

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

authorizationHeaderScheme

string

Bearer

The expected authentication scheme in the Authorization header that contains the JSON Web Token.

clockSkew

A period of time with millisecond precision

5m

This is used to specify the allowed clock skew in minutes when validating the JSON web token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

cookieName

string

The name of the cookie that is expected to contain a MicroProfile JWT. The default value is Bearer. This attribute is only used by versions 1.2 and beyond of the MP-JWT feature. This value overrides the mp.jwt.token.cookie MicroProfile Config property if one is configured. This value will be ignored unless tokenHeader or the mp.jwt.token.header MicroProfile Config property is set to Cookie.

groupNameAttribute

string

groups

The value of the claim will be used as the user group membership.

id

string
Required

The unique ID.

ignoreApplicationAuthMethod

boolean

true

Ignore the configured authentication method in the application. Allow legacy applications that do not configure MP-JWT as their authentication method to use MicroProfile JWT token if one is included in the request.

issuer

string

The url of the issuer.

jwksUri

string

Specifies a JSON Web Key service URL.

keyManagementKeyAlias

string

Private key alias of the key management key that is used to decrypt the Content Encryption Key. This private key must correspond to the public key that is used to encrypt the Content Encryption Key. This attribute is only used by versions 1.2 and beyond of the MP-JWT feature. This value overrides the mp.jwt.decrypt.key.location MicroProfile Config property if one is configured.

keyName

string

Specifies a trusted key alias for using the public key to verify the signature of the token.

mapToUserRegistry

boolean

false

Specifies whether to map userIdentifier to a registry user.

sharedKey

Reversably encoded password (string)

Specifies the string that will be used to generate the shared keys for HS256 signatures. The value can be stored in clear text or in the more secure encoded form. Use the securityUtility tool with the encode option to encode the shared key.

signatureAlgorithm

  • ES256

  • ES384

  • ES512

  • HS256

  • HS384

  • HS512

  • RS256

  • RS384

  • RS512

Specifies the signature algorithm that will be used to sign the JWT token.
ES256
%tokenSignAlgorithm.ES256
ES384
%tokenSignAlgorithm.ES384
ES512
%tokenSignAlgorithm.ES512
HS256
%tokenSignAlgorithm.HS256
HS384
%tokenSignAlgorithm.HS384
HS512
%tokenSignAlgorithm.HS512
RS256
%tokenSignAlgorithm.RS256
RS384
%tokenSignAlgorithm.RS384
RS512
%tokenSignAlgorithm.RS512

sslRef

A reference to top level ssl element (string).

Specifies an ID of the SSL configuration that is used for SSL connections.

tokenHeader

  • Authorization

  • Cookie

The HTTP request header that is expected to contain a MicroProfile JWT. This attribute is only used by versions 1.2 and beyond of the MP-JWT feature. This value overrides the mp.jwt.token.header MicroProfile Config property if one is configured.

tokenReuse

boolean

true

Specifies whether the token can be re-used.

useSystemPropertiesForHttpClientConnections

boolean

false

Specifies whether to use Java system properties when the JWT Consumer creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties.

userNameAttribute

string

upn

The value of the claim will be used as user principal to authenticate.

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

ip

string

Specifies the remote host TCP/IP address.

matchType

  • contains

  • equals

  • greaterThan

  • lessThan

  • notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

NameTypeDefaultDescription

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.