MicroProfile JWT (mpJwt)
The configuration to process the MicroProfile JWT token.
Name | Type | Default | Description |
---|---|---|---|
audiences | string | The trusted audience list to be included in the aud claim in the JSON web token. | |
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
authorizationHeaderScheme | string | Bearer | The expected authentication scheme in the Authorization header that contains the JSON Web Token. |
clockSkew | A period of time with millisecond precision | 5m | This is used to specify the allowed clock skew in minutes when validating the JSON web token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
cookieName | string | The name of the cookie that is expected to contain a MicroProfile JWT. The default value is Bearer. This attribute is only used by versions 1.2 and beyond of the MP-JWT feature. This value overrides the mp.jwt.token.cookie MicroProfile Config property if one is configured. This value will be ignored unless tokenHeader or the mp.jwt.token.header MicroProfile Config property is set to Cookie. | |
groupNameAttribute | string | groups | The value of the claim will be used as the user group membership. |
id | string | The unique ID. | |
ignoreApplicationAuthMethod | boolean | true | Ignore the configured authentication method in the application. Allow legacy applications that do not configure MP-JWT as their authentication method to use MicroProfile JWT token if one is included in the request. |
issuer | string | The url of the issuer. | |
jwksUri | string | Specifies a JSON Web Key service URL. | |
keyManagementKeyAlgorithm | string | Specifies the decryption algorithm that is used to decrypt the Content Encryption Key. This attribute is used only in versions 2.1 and later of the MP-JWT feature. The specified decryption algorithm overrides the mp.jwt.decrypt.key.algorithm MicroProfile Config property if it is configured. | |
keyManagementKeyAlias | string | Private key alias of the key management key that is used to decrypt the Content Encryption Key. This private key must correspond to the public key that is used to encrypt the Content Encryption Key. This attribute is only used by versions 1.2 and beyond of the MP-JWT feature. This value overrides the mp.jwt.decrypt.key.location MicroProfile Config property if one is configured. | |
keyName | string | Specifies a trusted key alias for using the public key to verify the signature of the token. | |
mapToUserRegistry | boolean | false | Specifies whether to map userIdentifier to a registry user. |
sharedKey | Reversably encoded password (string) | Specifies the string that will be used to generate the shared keys for HS256 signatures. The value can be stored in clear text or in the more secure encoded form. Use the securityUtility tool with the encode option to encode the shared key. | |
signatureAlgorithm |
| Specifies the signature algorithm that will be used to sign the JWT token. | |
sslRef | A reference to top level ssl element (string). | Specifies an ID of the SSL configuration that is used for SSL connections. | |
tokenAge | A period of time with millisecond precision | 0s | Specifies the allowed token age in seconds when validating the JSON web token. This attribute is used only in versions 2.1 and later of the MP-JWT feature. The issued at (iat) claim must be present in the JWT token. The configured number of seconds since iat must not have elapsed. If it has elapsed, then the request is rejected with an unauthorized response. The specified token age overrides the mp.jwt.verify.token.age MicroProfile Config property if it is configured. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
tokenHeader |
| The HTTP request header that is expected to contain a MicroProfile JWT. This attribute is only used by versions 1.2 and beyond of the MP-JWT feature. This value overrides the mp.jwt.token.header MicroProfile Config property if one is configured. | |
tokenReuse | boolean | true | Specifies whether the token can be re-used. |
useSystemPropertiesForHttpClientConnections | boolean | false | Specifies whether to use Java system properties when the JWT Consumer creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties. |
userNameAttribute | string | upn | The value of the claim will be used as user principal to authenticate. |
authFilter
Specifies the authentication filter reference.
authFilter > cookie
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > host
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > remoteAddress
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
ip | string | Specifies the remote host TCP/IP address. | |
matchType |
| contains | Specifies the match type. |
authFilter > requestHeader
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. | |
value | string | The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains". |
authFilter > requestUrl
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
urlPattern | string | Specifies the URL pattern. The * character is not supported to be used as a wildcard. |
authFilter > userAgent
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
agent | string | Specifies the browser's user agent to help identify which browser is being used. | |
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
authFilter > webApp
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |