OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

BETA BLOG - MicroProfile JSON Web Token 1.2 #14454

Closed teddyjtorres closed 3 years ago

teddyjtorres commented 3 years ago

The information you provide here will be included in the Open Liberty beta blog post (example), which will be published on the OpenLiberty.io blog, and potentially elsewhere, to promote this beta of Open Liberty.

Please provide the following information the week before the GA/beta date (to allow for review and publishing):

  1. Which Liberty feature does your update relate to?

    Human-readable name (eg WebSockets feature):

MicroProfile JSON Web Token 1.2

Feature name (eg websockets-1.0):

mpJwt-1.2

  2. Who is the target persona? Who do you expect to use the update? eg application developer, operations.

application developer

  3. Write a paragraph that summarises the update, including the following points:

    • A sentence or two that introduces the update to someone new to the general technology/concept.

The MicroProfile JSON Web Token 1.2 specification allows using a JWT token for authenticating and authorizing requests to a service. The specification simplifies the configuration for managing the validation of the JWT by introducing new MicroProfile Config properties. Enhanced signature algorithm support is added in this Open Liberty beta.

Version 1.2 of the MicroProfile JSON Web Token specification adds the following MicroProfile Config properties to control different aspects of the JWT validation.

mp.jwt.token.header

The mp.jwt.token.header property allows you to control the HTTP request header which is expected to contain a JWT token. You can specify either Authorization (default) or Cookie values.

mp.jwt.token.cookie

The mp.jwt.token.cookie property allows you to specify the name of the cookie which is expected to contain a JWT token. The default value is Bearer if not specified.

mp.jwt.verify.audiences

The mp.jwt.verify.audiences property allows you to create a list of allowable "aud" values. At least one of these must be found in the claim. Previously, this had to be configured in the server.xml file. Now, you can configure the audiences in the MicroProfile config property as follows:

mp.jwt.verify.audiences=conferenceService

mp.jwt.verify.publickey.algorithm

The mp.jwt.verify.publickey.algorithm property allows you to control the Public Key Signature Algorithm that is supported by the MP JWT endpoint. The default value is RSA256 if not specified. Previously, this had to be configured in the server.xml file. Now, you can configure the public key algorithm used for verification of the JWT in the MicroProfile config property as follows:

mp.jwt.verify.publickey.algorithm=ES256

The specification also adds support for the ES256 signature algorithm, while this Open Liberty beta supports using the RS384, RS512, HS384, HS512, ES256, ES384, and the ES512 signature algorithms.

Enable the MicroProfile JWT 1.2 feature in the server.xml.

    <featureManager>
        <feature>mpJwt-1.2</feature>
    </featureManager>

  • Where can they find out more about this specific update (eg Open Liberty docs, Javadoc) and/or the wider technology?

  • The specification

  • The release note

What happens next?
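As an added illustration (not Open Liberty's code and not part of this issue), the following Python models what the four MicroProfile Config properties described above control when a request arrives: where the token is taken from (mp.jwt.token.header), which cookie name is read (mp.jwt.token.cookie), which JOSE `alg` header value is accepted (mp.jwt.verify.publickey.algorithm) and which `aud` values satisfy the audience check (mp.jwt.verify.audiences). The properties text, request headers and tokens are all constructed inline; signature verification itself is not modelled and is left to the runtime, so the tokens below carry an empty signature segment.

```python
"""Toy model of the MicroProfile JWT 1.2 validation properties.

Added illustration only; it is not Open Liberty's implementation. It shows the
checks the mp.jwt.* properties configure, applied to constructed requests.
"""
import base64
import json

# Constructed content in the shape of a microprofile-config.properties file.
CONFIG_TEXT = """\
mp.jwt.token.header=Cookie
mp.jwt.token.cookie=jwt
mp.jwt.verify.audiences=conferenceService,reportingService
mp.jwt.verify.publickey.algorithm=ES256
"""

# Defaults described for the properties; "RS256" is the JOSE alg name for the
# RSA / SHA-256 default, and an unset audiences list disables the aud check.
DEFAULTS = {
    "mp.jwt.token.header": "Authorization",
    "mp.jwt.token.cookie": "Bearer",
    "mp.jwt.verify.audiences": "",
    "mp.jwt.verify.publickey.algorithm": "RS256",
}


def parse_config(text):
    """Overlay key=value lines on the defaults; blank and # lines are skipped."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def extract_token(cfg, headers):
    """Locate the JWT per mp.jwt.token.header and mp.jwt.token.cookie."""
    source = cfg["mp.jwt.token.header"]
    if source == "Authorization":
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        return token if scheme == "Bearer" and token else None
    if source == "Cookie":
        wanted = cfg["mp.jwt.token.cookie"]
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == wanted and value:
                return value
        return None
    raise ValueError(f"unsupported mp.jwt.token.header value: {source!r}")


def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(header, claims):
    """Constructed test token: header.claims. with an empty signature segment."""
    return f"{_b64url(header)}.{_b64url(claims)}."


def check_token(cfg, token):
    """Apply the pre-signature checks the properties configure -> (ok, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])

    # Algorithm pinning: the token's alg must equal the configured one, so a
    # header naming any other algorithm is rejected before a key is consulted.
    expected_alg = cfg["mp.jwt.verify.publickey.algorithm"]
    if header.get("alg") != expected_alg:
        return False, f"alg {header.get('alg')!r} is not the configured {expected_alg!r}"

    # Audience check: at least one configured value must appear in "aud".
    allowed = {a.strip() for a in cfg["mp.jwt.verify.audiences"].split(",") if a.strip()}
    if allowed:
        aud = claims.get("aud", [])
        aud = {aud} if isinstance(aud, str) else set(aud)
        if not aud & allowed:
            return False, f"no aud value in {sorted(allowed)}"
    return True, "location, alg and aud checks passed; signature left to the runtime"


def validate_request(cfg, headers):
    """Full pipeline for one request: find the token, then check it."""
    token = extract_token(cfg, headers)
    if token is None:
        return False, "no token at the configured location"
    return check_token(cfg, token)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    tok = make_unsigned_token({"alg": "ES256", "typ": "JWT"}, {"aud": ["conferenceService"]})
    print(validate_request(cfg, {"Cookie": f"jwt={tok}"}))
    print(validate_request(cfg, {"Authorization": f"Bearer {tok}"}))
```

With mp.jwt.token.header set to Cookie, a token sent in the Authorization header is simply not found, and with the algorithm pinned to ES256 a token whose header names RS256 or HS256 fails before any key lookup; both outcomes are what the properties are for.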

teddyjtorres commented 3 years ago

For beta 20.0.0.12

austin0 commented 3 years ago

Blog has been published, closing.