• Home
• io.helidon
• helidon-docs
• 4.0.11
• source code
• io_helidon_microprofile_jwt.adoc

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

config.io_helidon_microprofile_jwt.adoc Maven / Gradle / Ivy

///////////////////////////////////////////////////////////////////////////////

    Copyright (c) 2022, 2023 Oracle and/or its affiliates.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

///////////////////////////////////////////////////////////////////////////////

// MANUALLY CREATED DOC

ifndef::rootdir[:rootdir: {docdir}/..]
:description: Configuration of io.helidon.microprofile.jwt
:keywords: helidon, security, jwt, microprofile
:basic-table-intro: The table below lists the configuration keys that configure io.helidon.microprofile.jwt.adoc
include::{rootdir}/includes/attributes.adoc[]

= JWT Configuration

// tag::config[]

== Configuration options


.MicroProfile configuration options:
[cols="3,3,2,5a"]

|===
|key |type |default value |description

|`mp.jwt.verify.publickey` |string |{nbsp} |The property allows the Public Verification Key text itself to be supplied as a string.
|`mp.jwt.verify.publickey.location` |string |{nbsp} |The property allows for an external or internal location of Public Verification Key to be specified. The value may be a relative path or a URL.
|`mp.jwt.verify.publickey.algorithm` |string |{nbsp} |The  configuration property allows for specifying which Public Key Signature Algorithm is supported by the MP JWT endpoint. This property can be set to either `RS256` or `ES256`. Default value is `RS256`. Support for the other asymmetric signature algorithms such as `RS512`, `ES512` and others is optional.
|`mp.jwt.verify.issuer` |string |{nbsp} |Configuration key for expected issuer of incoming tokens.
|`mp.jwt.verify.audiences` |string |{nbsp} |Configuration key for expected audiences of incoming tokens.
|`mp.jwt.verify.token.age` |int |{nbsp} |Max number of seconds since token issue time. If this number of second accedes configured value, validation will fail.
|`mp.jwt.verify.clock.skew` |int |{nbsp} |Number of seconds for the clock skew during the token age verification and expiry.
|`mp.jwt.token.cookie` |string |{nbsp} |Cookie property name which is expected to contain a JWT token.
|`mp.jwt.token.header` |string |{nbsp} |Header name which is expected to contain a JWT token.
|`mp.jwt.decrypt.key.location` |string |{nbsp} |The property allows for an external or internal location of Private Decryption Key to be specified. The value may be a relative path or a URL.
|`mp.jwt.decrypt.key.algorithm` |string |{nbsp} |The configuration property allows for specifying which key management algorithm is supported by the MP JWT endpoint. Supported algorithms are either `RSA-OAEP` or `RSA-OAEP-256`. If no algorithm is set, both algorithms must be accepted.

|===

.Helidon configuration options:
[cols="3,3,2,5a"]

|===
|key |type |default value |description

|`optional` |boolean |`false` |If set to `true`, failure to authenticate will return `ABSTAIN` result instead of `FAILURE`. This is
an important distinction when more than one provider is used
|`authenticate` |boolean |`true` |Whether to attempt authentication
|`propagate`|boolean |`true` |Whether to attempt identity propagation/JWT creation
|`principal-type`|string |`USER` |Whether we authenticate a user or a service (other option is SERVICE)
|`atn-token` |string |{nbsp} |A group for configuring authentication of the request
|`atn-token.verify-signature`|boolean |`true` |Whether to verify signature in incoming JWT. If disabled, _ANY_ JWT will be accepted
|`atn-token.jwt-audience`|string |{nbsp} |Expected audience of the JWT. If not defined, any audience is accepted (and we may accept JWT not inteded for us)
|`atn-token.jwk.resource`|xref:{rootdir}/config/io_helidon_common_configurable_Resource.adoc[Resource] |{nbsp} |Configuration of the JWK to obtain key(s) to validate signatures of inbound token. The JWK should contain public keys.
|`atn-token.handler`|string |`Authorization` header with `bearer ` prefix |A handler configuration for inbound token - e.g. how to extract it
|`atn-token.handler.header`|string |{nbsp} |Name of a header the token is expected in
|`atn-token.handler.prefix`|string |{nbsp}  |Prefix before the token value (optional)
|`atn-token.handler.regexp`|string |{nbsp} |Regular expression to obtain the token, first matching group is used (optional)
|`sign-token`|string |{nbsp} |A group for configuring outbound security
|`sign-token.jwk.resource`|xref:{rootdir}/config/io_helidon_common_configurable_Resource.adoc[Resource] |{nbsp} |Configuration of the JWK to use when generating tokens (follows the same rules as atn-token.jwk above). The JWK must contain private keys when using asymmetric ciphers.
|`sign-token.jwt-issuer`|string |{nbsp} |When we issue a new token, this is the issuer to be placed into it (validated by target service)
|`sign-token.outbound`|string |{nbsp} |A group for configuring outbound rules (based on transport, host and.or path)
|`sign-token.outbound.*.name`|string |{nbsp} |A short descriptive name for configured target service(s)
|`sign-token.outbound.*.transports`|string |any |An array of transports this outbound matches (e.g. https)
|`sign-token.outbound.*.hosts`|string |any |An array of hosts this outbound matches, may use * as a wild-card (e.g. *.oracle.com)
|`sign-token.outbound.*.paths`|string |any |An array of paths on the host this outbound matches, may use * as a wild-card (e.g. /some/path/*)
|`sign-token.outbound.*.outbound-token`|string |`Authorization` header with `bearer ` prefix  |Configuration of outbound token handler (same as atn-token.handler)
|`sign-token.outbound.*.outbound-token.format`|string |{nbsp} |Java text format for generating the value of outbound token header (e.g. "bearer %1$s")
|`sign-token.outbound.*.jwk-kid`|string |{nbsp} |If this key is defined, we are generating a new token, otherwise we propagate existing. Defines the key id of a key definition in the JWK file to use for signing the outbound token
|`sign-token.outbound.*.jwt-kid`|string |{nbsp} |A key to use in the generated JWT - this is for the other service to locate the verification key in their JWK
|`sign-token.outbound.*.jwt-audience`|string |{nbsp} |Audience this key is generated for (e.g. http://www.example.org/api/myService) - validated by the other service
|`sign-token.outbound.*.jwt-not-before-seconds`|string |`5` |Makes this key valid this amount of seconds into the past. Allows a certain time-skew for the generated token to be valid before current time (e.g. when we expect a certain misalignment of clocks)
|`sign-token.outbound.*.jwt-validity-seconds`|string |1 day |Token validity in seconds
|===

// end::config[]