Microprofile JWT 1.0
Microprofile JWT is a specification focused on providing role-based access control for microservices. The focus of the MP-JWT specification is the definition of the required format of the JWT used as the basis for interoperable authentication and authorization.
The MP-JWT specification introduces two new claims that must be present in the issued JWT for it to be usable as an authentication and authorization token.
These claims are:
- upn: A human-readable claim that uniquely identifies the subject or user principal of the token, across the MicroProfile services the token will be accessed with.
- groups: The token subject's group memberships that will be mapped to Java EE style application-level roles in the MicroProfile service container.
The set of minimum required claims in a compatible JWT token is listed below:
Claim name | Description | Reference |
---|---|---|
alg | This JOSE header parameter identifies the cryptographic algorithm used to secure the JWT. MP-JWT requires the use of the RSASSA-PKCS1-v1_5 SHA-256 algorithm and must be specified as "RS256". | RFC7515, Section 4.1.1 |
kid | This JOSE header parameter is a hint indicating which key was used to secure the JWT. | RFC7515, Section 4.1.4 |
iss | The token issuer. | RFC7519, Section 4.1.1 |
sub | Identifies the principal that is the subject of the JWT. See the "upn" claim for how this relates to the runtime java.security.Principal. | RFC7519, Section 4.1.2 |
aud | Identifies the recipients that the JWT is intended for. | RFC7519, Section 4.1.3 |
exp | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. | RFC7519, Section 4.1.4 |
iat | Identifies the time at which the issuer generated the JWT. | RFC7519, Section 4.1.6 |
jti | Provides a unique identifier for the JWT. | |
upn | Provides the user principal name in the java.security.Principal interface. | |
groups | Provides the list of group names that have been assigned to the principal of the MP-JWT. This typically will require a mapping at the application container level to application deployment roles, but a one-to-one mapping between group names and application role names is required in addition to any other mapping. | |
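The following is an added example, not code from the MicroProfile JWT specification or from any container implementation. It parses a compact JWS with the Python standard library only and checks the claim-set requirements listed in the table above: the `alg` header must be exactly `RS256` (so tokens with `none`, HMAC or other algorithms are rejected rather than negotiated), `kid` must be present, every listed claim must exist, `iss` and `aud` must match this service, `exp`/`iat` must be consistent with the current time, and `upn`/`groups` must have the expected types. Signature verification against the issuer's RSA public key (selected by `kid`) is assumed to be performed separately and must succeed before any of these claims are trusted. The issuer URL, audience name, key id and both sample tokens are constructed for the example.

```python
import base64
import json
import time
from typing import List, Optional

# MP-JWT 1.0 required JOSE header parameters and payload claims, as listed in the table above.
REQUIRED_HEADER = ("alg", "kid")
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "jti", "upn", "groups")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_mp_jwt_claims(token: str, expected_issuer: str, expected_audience: str,
                        now: Optional[int] = None) -> List[str]:
    """Return the list of violations; an empty list means the claim set is MP-JWT compatible.

    Only the claim-set rules are checked here. Signature verification with the RSA
    public key identified by `kid` is assumed to happen before these claims are trusted.
    """
    problems: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-segment compact JWS"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers base64 errors, bad UTF-8 and JSON decode errors
        return ["header or payload is not valid base64url-encoded JSON"]

    for name in REQUIRED_HEADER:
        if name not in header:
            problems.append(f"missing JOSE header parameter: {name}")
    # MP-JWT mandates RS256; never accept the algorithm the token itself proposes.
    if header.get("alg") != "RS256":
        problems.append(f"alg must be RS256, got {header.get('alg')!r}")

    for name in REQUIRED_CLAIMS:
        if name not in payload:
            problems.append(f"missing claim: {name}")

    if payload.get("iss") != expected_issuer:
        problems.append("iss does not match the expected issuer")

    # aud may be a single string or an array of strings (RFC 7519, Section 4.1.3).
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append("aud does not include this service")

    now = int(time.time()) if now is None else now
    exp, iat = payload.get("exp"), payload.get("iat")
    if isinstance(exp, (int, float)) and now >= exp:
        problems.append("token has expired (now >= exp)")
    if isinstance(iat, (int, float)) and iat > now:
        problems.append("iat is in the future")
    if isinstance(exp, (int, float)) and isinstance(iat, (int, float)) and exp <= iat:
        problems.append("exp is not after iat")

    upn = payload.get("upn")
    if "upn" in payload and (not isinstance(upn, str) or not upn):
        problems.append("upn must be a non-empty string")
    groups = payload.get("groups")
    if "groups" in payload and (not isinstance(groups, list)
                                or not all(isinstance(g, str) for g in groups)):
        problems.append("groups must be an array of strings")
    return problems


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature segment (constructed test data only)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed sample tokens; the issuer, audience, key id and subject are made up.
GOOD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "example-key-1"},
    {"iss": "https://issuer.example", "sub": "24400320", "aud": "orders-service",
     "exp": 1_700_003_600, "iat": 1_700_000_000, "jti": "a-123",
     "upn": "jdoe@example.com", "groups": ["Echoer", "Tester"]},
)
BAD_TOKEN = make_unsigned_token(
    {"alg": "HS256", "kid": "example-key-1"},
    {"iss": "https://issuer.example", "sub": "24400320", "aud": ["other-service"],
     "exp": 1_700_003_600, "iat": 1_700_000_000, "jti": "a-124",
     "upn": "jdoe@example.com"},
)

if __name__ == "__main__":
    for token in (GOOD_TOKEN, BAD_TOKEN):
        print(check_mp_jwt_claims(token, "https://issuer.example", "orders-service",
                                  now=1_700_000_100))
```

The second token fails on three independent grounds (wrong `alg`, missing `groups`, wrong `aud`); reporting all violations at once is useful in logs, while a production filter would simply reject the request on the first one. A fixed `now` is passed in so the time checks are deterministic; leave it out to use the system clock.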