guide jwt
JWT (JSON Web Token) is an open standard (see RFC 7519) for creating JSON based access tokens that assert some number of claims.
With an IT landscape divided into multiple smaller apps you want to avoid coupling all those apps or services tightly with your IAM (Identity & Access Management).
Instead your apps simply expects a JWT as bearer-token in the Authorization HTTP header field.
All it needs to do for authentication is validating this JWT.
The actual authentication is done centrally by an access system (IAM) that authors those JWTs.
Therefore we recommend to use strong asymmetric cryptography to sign the JWT when it is authored.
Create a keypair per environment and keep the private key as a secret only known to the access system authorizing the JWTs.
Your apps only need to know the public key in order to validate the JWT.
Any request without a JWT or with an invalid JWT will be rejected (with status code 401).
When using spring check the JWT Spring-Starter. For quarkus follow Using JWT RBAC.
This documentation is licensed under the Creative Commons License (Attribution-NoDerivatives 4.0 International).
