8000 GitHub - nicolaimainiero/smallrye-jwt
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

nicolaimainiero/smallrye-jwt

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

197 Commits
docs
docs
 
 
implementation
implementation
 
 
release
release
 
 
testsuite
testsuite
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.adoc
README.adoc
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Semaphore CI Quality Gate Status License

SmallRye JWT

SmallRye JWT is a library for implementing the Eclipse MicroProfile JWT RBAC. Currently it is focused on supporting the MP-JWT 1.1 spec, and primarily deals with the parsing of the JWT string into a JsonWebToken implementation.

In the future, when MP-JWT 2.0 can build on the JSR-375 security APIs, there should be more support for defining the CDI extension and security layer integration.

Configuration

MicroProfile JWT properties

Property Name Default Description

mp.jwt.verify.publickey

none

Public Key supplied as a string, parsed from it in the order defined in section Supported Public Key Formats.

mp.jwt.verify.publickey.location

none

Config property allows for an external or internal location of Public Key to be specified.

mp.jwt.verify.issuer

none

Expected value of the JWT iss (issuer) claim.

Supported Public Key Formats

Public Keys may be formatted in any of the following formats, specified in order of precedence:

  • Public Key Cryptography Standards #8 (PKCS#8) PEM

  • JSON Web Key (JWK) or JSON Web Key Set (JWKS)

  • Base64 URL encoded JSON Web Key (JWK) or JSON Web Key Set (JWKS)

Smallrye JWT properties

Smallrye JWT supports many properties which can be used to customize the token processing:

Property Name Default Description

smallrye.jwt.verify.algorithm

RS256

Signature algorithm. Set it to ES256 to support the Elliptic Curve signature algorithm.

smallrye.jwt.verify.key-format

ANY

Set this property to a specific key format such as PEM_KEY, PEM_CERTIFICATE, JWK or JWK_BASE64URL to optimize the way the verification key is loaded.

smallrye.jwt.token.header

Authorization

Set this property if another header such as Cookie is used to pass the token.

smallrye.jwt.token.cookie

none

Name of the cookie containing a token. This property will be effective only if smallrye.jwt.token.header is set to Cookie.

smallrye.jwt.token.schemes

Bearer

Comma-separated list containing an alternative single or multiple schemes, for example, DPoP.

smallrye.jwt.token.kid

none

Key identifier. If it is set then the verification JWK key as well every JWT token must have a matching kid header.

smallrye.jwt.time-to-live

none

The maximum number of seconds that a JWT may be issued for use. Effectively, the difference between the expiration date of the JWT and the issued at date must not exceed this value.

smallrye.jwt.require.named-principal

false

If an application relies on java.security.Principal returning a name then a token must have a upn or preferred_username or sub claim set. Setting this property will result in Smallrye JWT throwing an exception if none of these claims is available for the application code to reliably deal with a non-null Principal name.

smallrye.jwt.path.sub

none

Path to the claim containing the subject name. It starts from the top level JSON object and can contain multiple segments where each segment represents a JSON object name only, example: realms/subject. This property can be used if a token has no 'sub' claim but has the subject set in a different claim. Use double quotes with the namespace qualified claims.

smallrye.jwt.claims.sub

none

This property can be used to set a default sub claim value when the current token has no standard or custom sub claim available. Effectively this property can be used to customize java.security.Principal name if no upn or preferred_username or sub claim is set.

smallrye.jwt.path.groups

none

Path to the claim containing the groups. It starts from the top level JSON object and can contain multiple segments where each segment represents a JSON object name only, example: realm/groups. This property can be used if a token has no 'groups' claim but has the groups set in a different claim. Use double quotes with the namespace qualified claims.

smallrye.jwt.groups-separator

' '

Separator for splitting a string which may contain multiple group values. It will only be used if the smallrye.jwt.path.groups property points to a custom claim whose value is a string. The default value is a single space because a standard OAuth2 scope claim may contain a space separated sequence.

smallrye.jwt.claims.groups

none

This property can be used to set a default groups claim value when the current token has no standard or custom groups claim available.

smallrye.jwt.jwks.refresh-interval

60

JWK cache refresh interval in minutes. It will be ignored unless the mp.jwt.verify.publickey.location points to the HTTPS URL based JWK set and no HTTP Cache-Control response header with a positive max-age parameter value is returned from a JWK HTTPS endpoint.

smallrye.jwt.expiration.grace

60

Expiration grace in seconds. By default an expired token will still be accepted if the current time is no more than 1 min after the token expiry time.

smallrye.jwt.verify.aud

none

Comma separated list of the audiences that a token aud claim may contain.

Instructions

Compile and install this project:

mvn clean install

Project structure

  • implementation - Implementation of the Eclipse MicroProfile JWT RBAC library.

  • tck - Test suite to run the implementation against the Eclipse MicroProfile JWT RBAC TCK.

  • docs - Project documentation.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

20 tags

Packages

No packages published

Languages

  • Java 100.0%
0