Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
api
 
 
 
 
 
 
tck
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.adoc

JWT RBAC for MicroProfile

Introduction

Today, the most common solutions involving RESTful and microservices security are based on OpenID Connect(OIDC), OAuth2 and JSON Web Token (JWT) standards.

This specification outlines how the signed JWT tokens issued by OIDC and other trusted providers can be verified and their claims used for role based access control(RBAC) of microservice endpoints.

Motivation

For RESTful based microservices, security tokens in a JWT format offer a lightweight and interoperable way to propagate identities across different services, where:

  • Services don’t need to store any state about clients or users

  • Services can verify and introspect the token locally if it follows a JWT format or remotely with the trusted provider.

  • Services can identify the caller and verify a given service is indeed an indended audience of the token.

  • Services can enforce authorization policies based on the information within the token.

  • Services can use the token for both delegation and impersonation of identities.

Documentation

For links to the latest maven artifacts, Javadoc and specification document, see the latest release.

You can’t perform that action at this time.