Microprofile JWT 1.0
Microprofile JWT is a specification focused on providing role-based access control for microservices. The focus of the MP-JWT specification is the definition of the required format of the JWT used as the basis for interoperable authentication and authorization.
The MP-JWT specification introduces two new claims that must be present in the issued JWT for it to be usable as an authentication and authorization token.
These claims are:
- upn: A human-readable claim that uniquely identifies the subject or user principal of the token, across the MicroProfile services the token will be accessed with.
- groups: The token subject's group memberships that will be mapped to Java EE style application-level roles in the MicroProfile service container.
The set of minimum required claims in a compatible JWT token is listed below:
| Claim | Description | Reference |
|---|---|---|
| alg | This JOSE header parameter identifies the cryptographic algorithm used to secure the JWT. MP-JWT requires the use of the RSASSA-PKCS1-v1_5 SHA-256 algorithm and must be specified as "RS256". | RFC7515, Section 4.1.1 |
| kid | This JOSE header parameter is a hint indicating which key was used to secure the JWT. | RFC7515, Section 4.1.4 |
| iss | The token issuer. | RFC7519, Section 4.1.1 |
| sub | Identifies the principal that is the subject of the JWT. See the "upn" claim for how this relates to the runtime | RFC7519, Section 4.1.2 |
| aud | Identifies the recipients that the JWT is intended for. | RFC7519, Section 4.1.3 |
| exp | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. | RFC7519, Section 4.1.4 |
| iat | Identifies the time at which the issuer generated the JWT. | RFC7519, Section 4.1.6 |
| jti | Provides a unique identifier for the JWT. | |
| upn | Provides the user principal name in the | |
| groups | Provides the list of group names that have been assigned to the principal of the MP-JWT. This typically requires a mapping at the application container level to application deployment roles, but a one-to-one mapping between group names and application role names is required in addition to any other mapping. | |
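The following is an added example, not code from the MicroProfile project or from this page, showing what the claim table above means in practice: it mints a token carrying the minimum claim set with an RS256 signature and a `kid` header, then verifies it the way a consuming service must, pinning `alg` to RS256, selecting the key by `kid`, checking the signature before trusting the payload, and only then enforcing the required claims, `iss`, `aud` and the `iat`/`exp` window. It uses only the Go standard library rather than a Java MP-JWT runtime; the issuer URL, audience, key id, user and group names are constructed sample values, and the container-side mapping of `groups` to application roles is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Payload claims MP-JWT 1.0 requires; alg and kid are checked on the JOSE header instead.
var requiredClaims = []string{"iss", "sub", "aud", "exp", "iat", "jti", "upn", "groups"}

// SampleClaims returns a constructed payload with the minimum claim set (all values are made up).
func SampleClaims(now time.Time) map[string]interface{} {
	return map[string]interface{}{"iss": "https://issuer.example", "sub": "alice", "aud": "mp-jwt-service", "jti": "example-jti-0001",
		"exp": now.Add(time.Hour).Unix(), "iat": now.Unix(), "upn": "alice@example.com", "groups": []string{"Echoer", "Tester"}}
}

// Mint signs a payload as a compact JWS; the header pins alg to RS256 and names the signing key by kid.
func Mint(key *rsa.PrivateKey, kid string, payload map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input)) // RS256 is RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verify checks header, signature, required claims, issuer, audience and the iat/exp window, in that order.
func Verify(token string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	var segs [3][]byte
	for i, p := range parts {
		var err error
		if segs[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(segs[0], &hdr); err != nil {
		return nil, err
	}
	pub, known := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !known { // the token never gets to pick the algorithm or an unknown key
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], segs[2]); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]interface{} // parsed only once the signature is known to be good
	if err := json.Unmarshal(segs[1], &claims); err != nil {
		return nil, err
	}
	for _, c := range requiredClaims {
		if _, present := claims[c]; !present {
			return nil, fmt.Errorf("missing required claim %q", c)
		}
	}
	if iss, _ := claims["iss"].(string); iss != issuer || !hasAudience(claims["aud"], audience) {
		return nil, fmt.Errorf("token was not issued by %q for audience %q", issuer, audience)
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	if iat, _ := claims["iat"].(float64); !now.Before(time.Unix(int64(exp), 0)) || time.Unix(int64(iat), 0).After(now) {
		return nil, fmt.Errorf("token is outside its iat..exp validity window")
	}
	return claims, nil
}

func hasAudience(aud interface{}, want string) bool {
	if s, ok := aud.(string); ok {
		return s == want
	}
	list, _ := aud.([]interface{}) // aud may also be a JSON array of strings (RFC7519, Section 4.1.3)
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Mint(key, "k1", SampleClaims(time.Now()))
	claims, err := Verify(tok, map[string]*rsa.PublicKey{"k1": &key.PublicKey}, "https://issuer.example", "mp-jwt-service", time.Now())
	fmt.Println(claims["upn"], claims["groups"], err)
}
```

The order of checks in `Verify` is the point: the header is used only to pick a known key and to refuse anything other than RS256, the payload is not parsed until the signature holds, and the required-claim, issuer, audience and time checks run on verified data. A token whose header says `none`, that is signed by a key the service does not know, or that omits `groups` is rejected before any role mapping could happen.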