A basic sample to show how to use the jose4j security library for managing validation of OAuth (JWT) access tokens. API routes can then use scopes and claims from the JWT to authorize requests.
The API is configured with these details in its api.properties file. Point these to the equivalent values for your own instance of the Curity Identity Server:

```properties
jwks_endpoint=https://idsvr.example.com/oauth/v2/oauth-anonymous/jwks
issuer=https://idsvr.example.com/oauth/v2/oauth-anonymous
audience=api.example.com
```
Ensure that Maven and a Java SDK of version 17 or higher are installed. Then build and run the API with these commands:

```bash
mvn package
java -jar target/secureapi-1.0-SNAPSHOT-jar-with-dependencies.jar
```
Call the running API with an HTTP request such as the following:

```bash
curl -i http://localhost:3000 -H "Authorization: Bearer eyJraWQiOiIyV01TWGcwekE..."
```
If the authorization server is configured with the appropriate scopes and claims, a 200 response will be returned:

```json
{
  "message": "API Request has role: admin and scope read"
}
```
If there is a token validation problem, a 401 response will be returned, with a WWW-Authenticate response header:

```text
WWW-Authenticate: Bearer, error=invalid_token, error_description=Access token is missing, invalid or expired
```
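The following Java class is an added example, not code from this sample project, showing the jose4j pieces the README describes: keys are resolved from the configured `jwks_endpoint`, the `issuer` and `audience` from api.properties are enforced together with expiry and the signing algorithm, and the verified claims are then used for scope and role checks. The class name `AccessTokenValidator`, the `role` claim name, RS256 as the authorization server's signing algorithm, and a space-separated `scope` claim are assumptions made for illustration; the 401 header value and the success message are the ones shown above.

```java
// Added example (not the sample project's own code): jose4j validation of a
// Bearer access token using the jwks_endpoint, issuer and audience from api.properties.
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Properties;

public final class AccessTokenValidator {

    // Header value the API returns on any validation failure (matches the README).
    public static final String UNAUTHORIZED_HEADER =
        "Bearer, error=invalid_token, error_description=Access token is missing, invalid or expired";

    private final JwtConsumer jwtConsumer;

    public AccessTokenValidator(Properties config) {
        // jose4j downloads and caches the JWKS; it re-fetches when a token's kid is unknown.
        HttpsJwks jwks = new HttpsJwks(config.getProperty("jwks_endpoint"));
        this.jwtConsumer = new JwtConsumerBuilder()
            .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
            .setExpectedIssuer(config.getProperty("issuer"))
            .setExpectedAudience(config.getProperty("audience"))
            .setRequireExpirationTime()
            .setAllowedClockSkewInSeconds(30)
            // Assumption: the server signs with RS256. Permitting only that algorithm
            // rejects "none" and any alg the API does not expect.
            .setJwsAlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.PERMIT,
                AlgorithmIdentifiers.RSA_USING_SHA256)
            .build();
    }

    // Loads api.properties from the classpath (hypothetical helper for this example).
    public static AccessTokenValidator fromClasspath(String resource) throws IOException {
        Properties p = new Properties();
        try (InputStream in = AccessTokenValidator.class.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("missing " + resource);
            p.load(in);
        }
        return new AccessTokenValidator(p);
    }

    /** Returns verified claims, or null when the request must receive a 401. */
    public JwtClaims validate(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            return null; // token missing
        }
        String token = authorizationHeader.substring("Bearer ".length()).trim();
        try {
            // Signature, iss, aud, exp and alg are all checked here.
            return jwtConsumer.processToClaims(token);
        } catch (InvalidJwtException e) {
            return null; // invalid or expired; the reason stays in server logs, not the response
        }
    }

    /** The OAuth scope claim is a space-separated string; check for one required value. */
    public static boolean hasScope(JwtClaims claims, String required) {
        try {
            String scope = claims.getStringClaimValue("scope");
            return scope != null && Arrays.asList(scope.split(" ")).contains(required);
        } catch (MalformedClaimException e) {
            return false;
        }
    }

    /** Builds the README's success message once validation and the scope check pass. */
    public static String successMessage(JwtClaims claims, String scope) throws MalformedClaimException {
        String role = claims.getStringClaimValue("role"); // "role" claim name is an assumption
        return "API Request has role: " + role + " and scope " + scope;
    }
}
```

A route handler would call `validate` on the incoming `Authorization` header, answer 401 with `WWW-Authenticate: ` + `UNAUTHORIZED_HEADER` when it returns null, and only then consult `hasScope` and the role claim before building the 200 body. Keeping the failure reason out of the response, as the README's generic `error_description` does, avoids telling a caller whether a token was malformed, expired or signed with the wrong key.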
- See the Kotlin API Tutorial for a technical walkthrough
- Please visit curity.io for more information about the Curity Identity Server