Microprofile JWT 1.0

Microprofile JWT (MP-JWT) is a specification that provides role-based access control for microservices. Its core is the definition of the required format of the JWT that serves as the basis for interoperable authentication and authorization across services: any issuer that produces a token in this format can be consumed by any compliant MicroProfile container.

The MP-JWT specification introduces two new claims that must be present in the issued JWT for it to be usable as an authentication and authorization token.

These claims are:

  • upn: A human-readable claim that uniquely identifies the subject or user principal of the token, across the MicroProfile services the token will be accessed with.
  • groups: The token subject's group memberships that will be mapped to Java EE style application-level roles in the MicroProfile service container.

The set of minimum required claims in a compatible JWT token is listed below (claim name, description, reference). The first two are JOSE header parameters rather than payload claims, but a compliant token must carry them all:

  • alg: This JOSE header parameter identifies the cryptographic algorithm used to secure the JWT. MP-JWT requires the RSASSA-PKCS1-v1_5 SHA-256 algorithm, specified as "RS256". A verifier must enforce this value rather than honour whatever alg the header presents, because the header is under the sender's control. (RFC7515, Section 4.1.1)
  • kid: This JOSE header parameter is a hint indicating which key was used to secure the JWT. (RFC7515, Section 4.1.4)
  • iss: The token issuer. (RFC7519, Section 4.1.1)
  • sub: Identifies the principal that is the subject of the JWT. See the upn claim for how this relates to the runtime java.security.Principal. (RFC7519, Section 4.1.2)
  • aud: Identifies the recipients that the JWT is intended for. (RFC7519, Section 4.1.3)
  • exp: Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. (RFC7519, Section 4.1.4)
  • iat: Identifies the time at which the issuer generated the JWT. (RFC7519, Section 4.1.6)
  • jti: Provides a unique identifier for the JWT. (RFC7519, Section 4.1.7)
  • upn: Provides the user principal name exposed through the java.security.Principal interface. (MP-JWT 1.0 specification)
  • groups: Provides the list of group names assigned to the principal of the MP-JWT. This typically requires a mapping at the application container level to application deployment roles, but a one-to-one mapping between group names and application role names is required in addition to any other mapping. (MP-JWT 1.0 specification)
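To make the format concrete, the following is a self-contained issuer/verifier pair written in Go for this page. It is added here as an example and is not the MicroProfile JWT API or any container's code; a real MP-JWT service leaves these checks to the container (or a JOSE library) and only reads the principal and groups. It uses only the Go standard library, because RS256 is just RSASSA-PKCS1-v1_5 over SHA-256. Assumptions made for the example: aud is carried as a single string rather than the array form RFC7519 also permits, trusted keys are looked up by kid from a map the service already holds, the clock is passed in as unix seconds, and the issuer URL, kid, subject, group names and timestamps in main are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the MP-JWT 1.0 payload: the RFC 7519 claims from the table plus upn and groups.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"` // assumption: a single audience string, not the array form
	Exp    int64    `json:"exp"`
	Iat    int64    `json:"iat"`
	Jti    string   `json:"jti"`
	Upn    string   `json:"upn"`
	Groups []string `json:"groups"`
}

type Header struct { // the JOSE header
	Alg string `json:"alg"` // must be RS256
	Kid string `json:"kid"` // selects the verification key
}
type KeySet map[string]*rsa.PublicKey // kid -> trusted RSA public key (assumed pre-provisioned)

// EncodeSegment JSON-encodes v, then base64url-encodes it without padding (RFC 7515).
func EncodeSegment(v interface{}) string {
	b, _ := json.Marshal(v) // Header and Claims always marshal
	return base64.RawURLEncoding.EncodeToString(b)
}

func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Sign produces the RS256 (RSASSA-PKCS1-v1_5 with SHA-256) compact serialization header.payload.signature.
func Sign(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	input := EncodeSegment(Header{Alg: "RS256", Kid: kid}) + "." + EncodeSegment(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify enforces the minimum claim set. alg is pinned and the signature checked before any claim
// is read, so "alg":"none", an HS256 key-confusion attempt or an unknown kid never gets the payload trusted.
func Verify(token string, keys KeySet, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	var h Header
	if len(parts) != 3 || decodeSegment(parts[0], &h) != nil {
		return nil, errors.New("malformed compact serialization or JOSE header")
	}
	pub, ok := keys[h.Kid]
	if h.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("alg %q with kid %q rejected: MP-JWT requires RS256 and a trusted kid", h.Alg, h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iss || c.Aud != aud:
		return nil, fmt.Errorf("iss %q / aud %q not accepted by this service", c.Iss, c.Aud)
	case c.Exp == 0 || now >= c.Exp || c.Iat == 0 || c.Iat > now:
		return nil, errors.New("exp or iat missing, or token outside its validity window")
	case c.Jti == "" || c.Sub == "" || c.Upn == "":
		return nil, errors.New("jti, sub and upn are all required")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, now := KeySet{"k1": &key.PublicKey}, int64(1700000000) // constructed fixed clock
	tok, _ := Sign(key, "k1", Claims{Iss: "https://issuer.example", Sub: "24400320", Aud: "orders",
		Exp: now + 300, Iat: now, Jti: "a-123", Upn: "jdoe@example.com", Groups: []string{"Echoer", "Tester"}})
	c, err := Verify(tok, keys, "https://issuer.example", "orders", now+10)
	fmt.Println(c.Upn, c.Groups, err)
	// Same payload and signature bytes, header rewritten to alg "none": must be rejected.
	forged := EncodeSegment(Header{Alg: "none", Kid: "k1"}) + tok[strings.Index(tok, "."):]
	_, err = Verify(forged, keys, "https://issuer.example", "orders", now+10)
	fmt.Println("alg none:", err)
}
```

The ordering inside Verify is the point: the algorithm is pinned to RS256 before the signature is examined, and the signature is verified before any payload claim is deserialized, so a token whose header was rewritten to "none", signed with a different key, or expired is rejected without its groups ever being looked at. Mapping the groups claim to application roles, one-to-one as the table requires, is then a lookup in the returned Groups slice.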