[17.0.0.3 and later]
Configuring the MicroProfile JSON Web Token
You can configure a Liberty server to accept a MicroProfile JSON Web Token as an authentication token.
Before you begin
About this task
MicroProfile 1.2 defines an interoperable JSON Web Token (MP-JWT) standard that includes three parts:
- The token format and claims
- The org.eclipse.microprofile.jwt.JsonWebToken interface, an extension of the java.security.Principal interface that makes this set of claims available through get-style accessors
- Mapping the JSON Web Token and the claims to various Java EE container application programming interfaces (APIs)
Find the MP-JWT specification and API at JWT RBAC for MicroProfile.
Any trusted party in possession of the MP-JWT token can use that token to access the associated resources in Liberty by sending the token in the Authorization header. The token wire format must follow RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage, as shown in the following example:
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer <MP-JWT token>
The Liberty resource server validates the MP-JWT token, creates the authenticated JSON Web Token, and makes the JSON Web Token and token claims available through CDI injection or JAX-RS security context. To be accepted as an MP-JWT token, the JWT token must contain a list of claims. The following example shows an MP-JWT token:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "abc-1234567890"
}
{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "jti": "a-123",
  "exp": 1311281970,
  "iat": 1311280970,
  "sub": "24400320",
  "upn": "jdoe@server.example.com",
  "groups": ["red-group", "green-group", "admin-group", "admin"]
}
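As an added example (not Liberty or MicroProfile code), the following Python diagnostic checks an Authorization header value against the Bearer wire format and the header and claim names of the example token above. The function names and the required-name lists are assumptions made for this example, and the signature is not verified, so a clean result says nothing about authenticity.

```python
import base64
import json

# Assumption: these names and values are the ones in this page's example token.
REQUIRED_HEADER = ("typ", "alg", "kid")
REQUIRED_CLAIMS = ("iss", "sub", "exp", "iat", "jti", "upn", "groups")


def encode_segment(obj):
    """Encode a dict as an unpadded base64url segment (used to build the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(segment):
    """Decode an unpadded base64url segment that must hold a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def check_bearer_header(authorization, now):
    """List problems in a header value at epoch time `now`; no signature check."""
    scheme, _, token = authorization.strip().partition(" ")
    parts = token.strip().split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return ["not 'Bearer <header>.<payload>.<signature>' (RFC 6750)"]
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = [f"header {n!r} is missing" for n in REQUIRED_HEADER if n not in header]
    problems += [f"claim {n!r} is missing" for n in REQUIRED_CLAIMS if n not in claims]
    if header.get("alg", "RS256") != "RS256":
        problems.append("header 'alg' is not RS256")
    if isinstance(claims.get("exp"), (int, float)) and claims["exp"] <= now:
        problems.append("token is expired")
    return problems


# Constructed sample: the page's example header and claims, placeholder signature.
SAMPLE = "Bearer " + ".".join([
    encode_segment({"typ": "JWT", "alg": "RS256", "kid": "abc-1234567890"}),
    encode_segment({"iss": "https://server.example.com", "aud": "s6BhdRkqt3",
                    "jti": "a-123", "exp": 1311281970, "iat": 1311280970,
                    "sub": "24400320", "upn": "jdoe@server.example.com",
                    "groups": ["red-group", "green-group", "admin-group", "admin"]}),
    "c2ln"])
```

Calling check_bearer_header(SAMPLE, now=1311281000) returns an empty list; pass time.time() as now to check a live token.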