
OpenID: Client, server and unit-testing support for machine-to-machine calls using access-tokens.


Klaboe/jwt-resource-server

jwt-resource-server

Tools for synchronous (servlet-based) OpenID resource servers that rely on Access Tokens for authorization. These come in the form of JSON Web Tokens (JWT) issued by Authorization Servers such as Auth0 and Keycloak. Authorization Servers sign JWTs with private keys; resource servers then download the corresponding public keys from the Authorization Servers and validate the JWTs by verifying the signature.

Primer

Technically, this library deals with HTTP requests using the Authorization header. Example HTTP request:

GET /some/restricted/service/1
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsI.eyJzdWIIjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpM

where the Base64-encoded value is the token itself. For a valid token, the server could process the request and respond:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1024

Alternatively, the server might return HTTP 401 Unauthorized if the token was not accepted, or HTTP 403 Forbidden if the token was accepted but did not carry sufficient permissions.
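The decision described above, written out as a minimal request check (an added example, not code from jwt-resource-server): it pins the algorithm, selects the key by kid from a cached key set, verifies the signature, checks expiry, and only then maps the outcome to 200, 401 or 403. The HS256 shared secret, KEY_SET, mint_token and the scope claim are assumptions made for the demo; the library itself delegates verification to third-party JWT libraries, and real deployments verify asymmetric signatures with the Authorization Server's public keys.

```python
import base64, hashlib, hmac, json, time

# Constructed key set standing in for keys a resource server fetches from the Authorization
# Server. HS256 secrets are an assumption (the standard library has no RSA); see lead-in.
KEY_SET = {"kid-2024": b"constructed-shared-secret-for-demo-only"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, kid="kid-2024"):
    """Build a signed token the way an Authorization Server would (used for test input only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authorize(authorization_header, required_scope, now=None):
    """Return the status a resource server answers with: 200 when the token verifies and
    carries required_scope, 401 when no correctly signed, unexpired token is presented,
    403 when the token is genuine but lacks the permission."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401
    try:
        h64, p64, s64 = authorization_header[len("Bearer "):].split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return 401
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401
    # Pin the algorithm and choose the key by kid: the token's own header must never be
    # allowed to select "none" or switch to a different key family.
    key = KEY_SET.get(header.get("kid")) if header.get("alg") == "HS256" else None
    if key is None:
        return 401
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 401
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 401
    if required_scope not in str(claims.get("scope", "")).split():
        return 403
    return 200
```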

Overview

In order to keep complexity (and risk) down, the library wraps existing third-party libraries for low-level parsing, signature validation and authorization enforcement. Users of this library benefit from the following notable features:

  • thread-safe sharing of keys (for signature verification) and access-tokens within each JVM
  • proactive background refresh of keys and tokens
  • keys and token health status (on last remote invocation)
  • annotation-based token mocking with test method signature argument support
  • open/closed endpoint filter, so that requests to closed endpoints can be proactively rejected before the payload is unmarshalled

Async is not yet supported.

Project structure

  • jwt-server - for handling incoming service calls (i.e. in your backend)
  • jwt-client - for making outgoing service calls (i.e. support for obtaining a token first)
  • jwt-test - JUnit 5 test support.
  • examples - Example projects.

See documentation contained in each folder to get started. Or skip right to the examples.

License

European Union Public Licence v1.2.

History

  • 1.1.13: Support for WebClient (used in a synchronous way) in new jwt-client-spring-cloud artifact.
  • 1.1.x: gRPC, eager caching, new health check tweaks
  • 1.0.x: Initial release and adjustments for first use.
