Consume and validate JWT in Open Liberty

I'm trying to use the jwt-1.0 feature in Open Liberty.

The JwtBuilder API is pretty nice and allows you to set expiration, sign, encrypt and build a token programmatically (and everything else needed).

JwtBuilder.create().expirationTime(expTime).signWith(signAlg, privateKey).encryptWith(keyMgmtAlg, keyMgmtKey, contentEncAlg).buildJwt().compact();

But the JwtConsumer API seems pretty lame and only allows you to read a token without any validation at all.

JwtConsumer.create().createJwt(token);

Signature validation and decryption should be configured through the application server configuration (via "jwtConsumer" and "keystore" entries), but it's not possible programmatically. I could accommodate this, but other validations like the expiration date are not possible.

Am I missing something?



Solution 1:[1]

You're correct in that the JwtConsumer API does not provide a programmatic way to set specific validation requirements. However, the JWT will still be validated when createJwt() is called.

The JwtConsumer API's create() and create(String consumerConfigId) methods tie the JwtConsumer object to a <jwtConsumer> element in the server configuration that specifies the validation requirements. The configuration settings for that element can be viewed here: https://openliberty.io/docs/22.0.0.4/reference/config/jwtConsumer.html.

The JwtConsumer.create() method will use the default <jwtConsumer> configuration that is provided automatically by the runtime, which simply looks like this:

<jwtConsumer id="defaultJwtConsumer" />

Similarly, the JwtConsumer.create(String consumerConfigId) method would use the configuration with the corresponding ID. So JwtConsumer.create("myJwtConsumer") would use the corresponding "myJwtConsumer" configuration in the server.xml. That could look something like this:

<jwtConsumer id="myJwtConsumer"
    issuer="https://example.com"
    audiences="Luke, Leia, Han"
    signatureAlgorithm="RS256"
    jwkEnabled="true"
    jwkEndpointUrl="https://..."
/>

You'd put whatever validation settings you want in that configuration. Then when you call JwtConsumer.createJwt(token), the runtime will perform several validation checks against the JWT. That includes checking the issuer, audiences, iat and exp times, the nbf claim, and of course the signature of the token.
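The following JAX-RS request filter is an added example, not code from either answer or from Open Liberty itself. It shows where the validation described above actually happens: createJwt() either returns a token whose issuer, audience, exp/nbf/iat and signature have already been checked against the named <jwtConsumer> element, or it throws InvalidTokenException. It assumes a <jwtConsumer id="myJwtConsumer"> element in server.xml, the javax JAX-RS namespace (jaxrs-2.1), and a hypothetical "scope" claim used for an application-level check the server configuration does not cover.

```java
import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import com.ibm.websphere.security.jwt.Claims;
import com.ibm.websphere.security.jwt.InvalidConsumerException;
import com.ibm.websphere.security.jwt.InvalidTokenException;
import com.ibm.websphere.security.jwt.JwtConsumer;
import com.ibm.websphere.security.jwt.JwtToken;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class JwtBearerFilter implements ContainerRequestFilter {

    // Assumed: a <jwtConsumer id="myJwtConsumer" .../> element exists in server.xml.
    private static final String CONSUMER_ID = "myJwtConsumer";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        String token = auth.substring("Bearer ".length()).trim();
        try {
            // Signature/decryption, iss, aud, exp, nbf, iat and clockSkew are all
            // enforced here, according to the named <jwtConsumer> configuration.
            JwtToken jwt = JwtConsumer.create(CONSUMER_ID).createJwt(token);
            Claims claims = jwt.getClaims();
            // Hypothetical application-level check that server.xml cannot express.
            String scope = claims.getClaim("scope", String.class);
            if (scope == null || !scope.contains("orders:read")) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            ctx.setProperty("jwt.subject", claims.getSubject());
        } catch (InvalidTokenException e) {
            // Expired, not yet valid, wrong issuer/audience or bad signature.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        } catch (InvalidConsumerException e) {
            // Missing or broken <jwtConsumer id="myJwtConsumer">: fail closed.
            ctx.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).build());
        }
    }
}
```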

Solution 2:[2]

To expand on the answer, if a clockSkew is not specified, then a default value of 5 minutes is used. On the other hand, setting clockSkew="0m" will in effect disable the clock skew.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Adam Y
Solution 2: Teddy J. Torres