Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
190 lines (146 sloc) 4.79 KB

KumuluzEE JWT Authentication

Build Status

KumuluzEE JWT Authentication extension provides Microprofile compliant role based access control microservice endpoints using OpenID Connect and JSON Web Tokens.

KumuluzEE JWT Authentication implements the MicroProfile JWT Authentication 1.0 API.


You can enable KumuluzEE JWT Authentication support by adding the following dependency:


The provided filters should be added to the JAX-RS Application:

public class CustomerApplication extends Application {

    public Set<Class<?>> getClasses() {

        Set<Class<?>> classes = new HashSet<>();

        // microprofile jwt auth filters

        // resources

        return classes;



Given you work with a static public key for verification you must provide two configuration properties:

    public-key: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnOTgnGBISzm3pKuG8QXMVm6eEuTZx8Wqc8D9gy7vArzyE5QC/bVJNFwlz...

If, on the other hand, you use JWKS as a source for your verification keys then you instead provide following two configuration properties:


The public-key/jwks-uri and issuer configuration properties are used to validate and decode the received Authorization token.

If both public-key and jwks-uri are set, the jwks-uri takes precedence and the public-key is ignored.

Accessing token information

There are multiple ways with which you can access the decoded token data. The standard way is to access the principal contained in the security context:

import org.eclipse.microprofile.jwt.JsonWebToken;

private SecurityContext sc;


JsonWebToken principal = sc.getUserPrincipal();


You can also get the information using CDI and injection:

import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.ClaimValue;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import java.util.Optional;
import javax.json.*;

// Principal
private JsonWebToken principal;

// Raw types
@Claim(standard = Claims.raw_token)
private String rawToken;
@Inject (1)
private Long issuedAt;

// ClaimValue wrappers
@Inject (2)
@Claim(standard = Claims.raw_token)
private ClaimValue<String> rawTokenCV;
@Claim(standard = Claims.iss)
private ClaimValue<String> issuer;
@Claim(standard = Claims.jti)
private ClaimValue<String> jti;
@Inject (3)
private ClaimValue<Optional<String>> optJTI;
private ClaimValue objJTI;
private ClaimValue<Set<String>> groups;
@Inject (4)
private ClaimValue<Long> issuedAtCV;
private ClaimValue<Long> dupIssuedAt;
private ClaimValue<Optional<String>> optSubject;
private ClaimValue<Optional<Long>> authTime;
@Inject (5)
private ClaimValue<Optional<Long>> custom;

@Claim(standard = Claims.jti)
private Instance<String> providerJTI;
@Inject (6)
@Claim(standard = Claims.iat)
private Instance<Long> providerIAT;
private Instance<Set<String>> providerGroups;

@Claim(standard = Claims.jti)
private JsonString jsonJTI;
@Claim(standard = Claims.iat)
private JsonNumber jsonIAT;
@Inject (7)
private JsonArray jsonRoles;
private JsonObject jsonCustomObject;


Recent changes can be viewed on Github on the Releases Page


See the contributing docs

When submitting an issue, please follow the guidelines.

When submitting a bugfix, write a test that exposes the bug and fails before applying your fix. Submit the test alongside the fix.

When submitting a new feature, add tests that cover the feature.