MicroProfile JSON Web Token2.12.01.21.11.0
This feature enables web applications or microservices to use the Eclipse JSON Web Token 1.0 specification to authenticate users instead of, or in addition to, the configured user registry.
You can use MicroProfile Config properties to provide configuration values for MicroProfile JSON Web Token. For more information, see MicroProfile Config Properties: JSON Web Token.
Enabling this feature
To enable the MicroProfile JSON Web Token 1.0 feature, add the following element declaration into your server.xml
file, inside the featureManager
element:
<feature>mpJwt-1.0</feature>
Examples
Configure MicroProfile JWT
The following example shows authentication with a JSON Web Token (JWT). The mpJwt
element defines the configuration to process the inbound JSON Web Tokens. The jwksUri
attribute points the mpjwt
element towards the public key https://localhost:19443/jwt/ibm/api/myBuilder/jwk
, to validate the JWT. The keyStore
element defines the keystore and truststore where the public key is stored. The keyStore
element validates the JSON Web Token when the JSON Web Key Set (JWKS) is not used:
<mpJwt id="mympjwt" issuer="https://example.com"
jwksUri="https://localhost:19443/jwt/ibm/api/myBuilder/jwk"/>
<keyStore id="defaultKeyStore" password="keyspass"/>
In MicroProfile JSON Web Token 1.1 and later, this configuration is optional and you can also use MicroProfile Config properties to configure MicroProfile JWT. For more information, see Guide: Securing microservices with JSON Web Tokens.
Configure authentication filter to login with MicroProfile JWT
You can use an authentication filter to protect a subset of applications, URLs, or IP addresses. The security configuration works when the conditions in the filter are met. In the following example, any requests to the myApp
application are authenticated with the mpJwt
feature. The authFilterRef
attribute that is named myAuthFilter
filters the login requests to the myApp
application:
<mpjwt authFilterRef="authFilter1" />
<authFilter id="myAuthFilter">
<webApp id="myWebApp"
name="myApp"
matchType="contains"/>
</authFilter>
Import a truststore to verify a MicroProfile JWT
You can configure a truststore to verify JSON Web Tokens. The default keystore for MicroProfile does not contain the root certificates that are used to verify the authentication credentials that are stored in JSON Web Tokens. To verify JSON Web Tokens, you can import the default Java truststore, as shown in the following example:
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<keyStore id="defaultTrustStore" location="MyKeyStoreFile.p12" type="JKS" password="changeit" />
<mpJwt id="mympjwt" issuer="https://example.com"
jwksUri="https://localhost:19443/jwt/ibm/api/myBuilder/jwk"/>
The id
attribute in the keyStore
element specifies the “defaultTrustStore”
value to configure a truststore within the keystore. A truststore contains the certificates that are used to validate the requests that are sent to applications with JSON Web Tokens. The ssl
element is used to specify how the application validates the SSL connection to a server. Within the ssl
element, the id
attribute specifies the "defaultSSLConfig"
value that sets the SSL configuration as the default SSL configuration for the server that the application connects to. The trustStoreRef
attribute specifies the “defaultTrustStore”
value that configures the ssl
element to reference the truststore so that the application recognizes the truststore when it attempts to connect to the server. The jwksUri
attribute specifies the "https://localhost:19443/jwt/ibm/api/myBuilder/jwk”
JWK endpoint URL value that the server uses to obtain the public keys from to verify the JWT.
Configure the restriction of MicroProfile JWT authentication
By default, if the MicroProfile JWT feature is configured, all authorized requests from applications must include a valid JSON Web Token in the HTTP header of the API. To modify the default behavior to require JSON Web Tokens in only some applications, you can set the ignoreApplicationAuthMethod
attribute to “false”
in the mpJwt
element, as shown in the following example:
<mpJwt ignoreApplicationAuthMethod=“false”/>
After you modify the authorization behavior, you can use either of two options to configure applications to use MicroProfile JWT as a login method. In the API, you can add a @LoginConfig
annotation that contains the authMethod
attribute to specify MicroProfile JWT as the authentication method as shown in the following example:
@LoginConfig(authMethod = "MP-JWT", realmName = "MP-JWT")
You can also add MP-JWT
to the auth-method
element of the web.xml
file to specify MicroProfile JWT as the authentication method in the login-config
element, as shown in the following example:
<login-config> <auth-method>MP-JWT</auth-method> <realm-name>MP-JWT</realm-name></login-config>
Define role mapping for MicroProfile JWT
By default, JSON Web Tokens use the upn
claim from the JWT as the principal name and unique security name of the user. JSON Web Tokens also use the groups
claim from the JWT as the group name for security role mapping. To change the default mapping, you can use the userNameAttribute
attribute to choose a claim for the user principal. You can also use the groupNameAttribute
attribute to choose a claim for the group name, as shown in the following example:
<mpJwt userNameAttribute="claim" groupNameAttribute="claim"/>
Validate MicroProfile JWT claims with the user registry
By default, JSON Web Tokens authenticate user claims without validation from the user registry. To modify this behavior, you can set the mapToUserRegistry
attribute to true
in the the mpJwt
element, as shown in the following example:
<mpJwt mapToUserRegistry="true"/>
When you set the mapToUserRegistry
attribute to true
, JSON Web Tokens are forced to validate user claims with the user registry. The user claims are validated based on the user attributes that are contained in the user registry.
Stable API packages provided by this feature
org.eclipse.microprofile.auth
org.eclipse.microprofile.jwt