guide jwt
JWT (JSON Web Token) is an open standard (see RFC 7519) for creating JSON-based access tokens that assert some number of claims.
With an IT landscape divided into multiple smaller apps, you want to avoid coupling all those apps or services tightly to your IAM (Identity & Access Management).
Instead, your apps simply expect a JWT as bearer token in the Authorization HTTP header field.
All an app needs to do for authentication is validate this JWT.
Therefore we recommend using strong asymmetric cryptography to sign the JWT when it is issued.
Create a key pair per environment and keep the private key as a secret known only to the access system that issues the JWTs.
Your apps only need to know the public key to validate the JWT.
When using Spring, check the JWT Spring-Starter. For Quarkus, follow Using JWT RBAC.
This documentation is licensed under the Creative Commons License (Attribution-NoDerivatives 4.0 International).