Skip to content

guide jwt

devonfw-core edited this page Nov 18, 2022 · 16 revisions
Table of Contents
Warning
Hey there! Seems like you are still using the documentation of our legacy Java repository. Since it won’t be maintained anymore, we recommend you to checkout the new Java page here.

JWT

JWT (JSON Web Token) is an open standard (see RFC 7519) for creating JSON based access tokens that assert some number of claims. With an IT landscape divided into multiple smaller apps you want to avoid coupling all those apps or services tightly with your IAM (Identity & Access Management). Instead your apps simply expects a JWT as bearer-token in the Authorization HTTP header field. All it needs to do for authentication is validating this JWT. The actual authentication is done centrally by an access system (IAM) that authors those JWTs. Therefore we recommend to use strong asymmetric cryptography to sign the JWT when it is authored. Create a keypair per environment and keep the private key as a secret only known to the access system authorizing the JWTs. Your apps only need to know the public key in order to validate the JWT. Any request without a JWT or with an invalid JWT will be rejected (with status code 401).

When using spring check the JWT Spring-Starter. For quarkus follow Using JWT RBAC.

Clone this wiki locally