Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

KumuluzEE JWT Authentication

Build Status

KumuluzEE JWT Authentication extension provides Microprofile compliant role based access control microservice endpoints using OpenID Connect and JSON Web Tokens.

KumuluzEE JWT Authentication implements the MicroProfile JWT Authentication 1.1 API.


You can enable KumuluzEE JWT Authentication support by adding the following dependency:


The LoginConfig annotation should be added to the JAX-RS Application:

@LoginConfig(authMethod = "MP-JWT")
public class CustomerApplication extends Application {


Given you work with a static public key for verification you must provide two configuration properties:

    public-key: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnOTgnGBISzm3pKuG8QXMVm6eEuTZx8Wqc8D9gy7vArzyE5QC/bVJNFwlz...

The supplied public key can be in any of the following formats:

  • PKCS#8 PEM
  • JWK
  • JWKS
  • Base64 URL encoded JWK
  • Base64 URL encoded JWKS

If, on the other hand, you use JWKS as a source for your verification keys then you instead provide following two configuration properties:


The public-key/jwks-uri and issuer configuration properties are used to validate and decode the received Authorization token.

If both public-key and jwks-uri are set, the jwks-uri takes precedence and the public-key is ignored.

JWT authentication can be disabled by setting the kumuluzee.jwt-auth.enabled configuration property to false.

You can configure the maximum leeway the authenticator allows for timestamp claims (such as nbf or iat) by setting kumuluzee.jwt-auth.maximum-leeway. The default value is 60, meaning sixty seconds.

Accessing token information

There are multiple ways with which you can access the decoded token data. The standard way is to access the principal contained in the security context:

import org.eclipse.microprofile.jwt.JsonWebToken;

private SecurityContext sc;


JsonWebToken principal = sc.getUserPrincipal();


You can also get the information using CDI and injection:

import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.ClaimValue;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import java.util.Optional;
import javax.json.*;

// Principal
private JsonWebToken principal;

// Raw types
@Claim(standard = Claims.raw_token)
private String rawToken;
@Inject (1)
private Long issuedAt;

// ClaimValue wrappers
@Inject (2)
@Claim(standard = Claims.raw_token)
private ClaimValue<String> rawTokenCV;
@Claim(standard = Claims.iss)
private ClaimValue<String> issuer;
@Claim(standard = Claims.jti)
private ClaimValue<String> jti;
@Inject (3)
private ClaimValue<Optional<String>> optJTI;
private ClaimValue objJTI;
private ClaimValue<Set<String>> groups;
@Inject (4)
private ClaimValue<Long> issuedAtCV;
private ClaimValue<Long> dupIssuedAt;
private ClaimValue<Optional<String>> optSubject;
private ClaimValue<Optional<Long>> authTime;
@Inject (5)
private ClaimValue<Optional<Long>> custom;

@Claim(standard = Claims.jti)
private Instance<String> providerJTI;
@Inject (6)
@Claim(standard = Claims.iat)
private Instance<Long> providerIAT;
private Instance<Set<String>> providerGroups;

@Claim(standard = Claims.jti)
private JsonString jsonJTI;
@Claim(standard = Claims.iat)
private JsonNumber jsonIAT;
@Inject (7)
private JsonArray jsonRoles;
private JsonObject jsonCustomObject;


Recent changes can be viewed on Github on the Releases Page


See the contributing docs

When submitting an issue, please follow the guidelines.

When submitting a bugfix, write a test that exposes the bug and fails before applying your fix. Submit the test alongside the fix.

When submitting a new feature, add tests that cover the feature.