public final class JwtAuthenticationConfig extends AuthenticationConfig<BearerCredential,JwtPrincipal>
Configuration for a JwtAuthenticator instance.

JwtAuthenticator instances have two primary responsibilities:

1. Manage issuer public key material.
2. Decode JsonWebSignature tokens and validate their claims.
Key material handling is performed by the JwtAuthenticator's VerificationKeyResolver.

Each JwtIssuer must be given a name, which should be the URL of the JWT issuing authority. There are exceptions to this rule, so any string value will do as long as it matches the iss claim value of the incoming JWT.
There may be scenarios where the JwtAuthenticator needs to act in an issuer-agnostic manner. One such use case is forwarding the token to another trusted service for validation. To support this, register a JwtIssuer with the name '*'. It acts as a catch-all for any issuer that is not otherwise recognized: every token whose iss claim matches no registered issuer is handed to it, so its verifier must perform the full validation itself rather than assume the token has already been checked.
Token verification may be restricted to a specific set of signature algorithms by setting the algorithmWhitelist parameter; a token whose JWS alg header names an algorithm outside the whitelist is rejected. SignatureAlgorithm.RS256 and SignatureAlgorithm.ES256 are whitelisted by default. Keep the whitelist to asymmetric algorithms: admitting an HMAC algorithm alongside published RSA or EC public keys enables the well-known key-confusion attack, in which the public key is used as the HMAC secret.

See JwtIssuer for additional configuration property documentation.
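The two responsibilities above (issuer-keyed key material and claim validation) and the algorithm whitelist, as an added example that is not Confluent's code and not the JwtAuthenticator's actual resolver: a jose4j-based VerificationKeyResolver that selects the public key by the token's iss claim with a '*' catch-all, wrapped in a JwtConsumer that permits only RS256 and ES256. jose4j is assumed because the page refers to its JsonWebSignature and VerificationKeyResolver types; the issuer URL and audience are copied from the sample configuration above, and the class names, subject and keys are constructed for the example. The catch-all here maps to a key rather than forwarding the token to another service.

```java
// Added example, not Confluent's code. Assumes jose4j (org.bitbucket.b_c:jose4j) on the classpath;
// issuer URL and audience come from the page's sample config, everything else is constructed.
import java.security.Key;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.HmacKey;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;

public class IssuerKeyedJwtVerification {

    /** Selects the verification key by the token's iss claim; "*" is the catch-all for unknown issuers. */
    static final class IssuerKeyResolver implements VerificationKeyResolver {
        private final Map<String, Key> keysByIssuer;

        IssuerKeyResolver(Map<String, Key> keysByIssuer) { this.keysByIssuer = keysByIssuer; }

        @Override
        public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
                throws UnresolvableKeyException {
            String issuer;
            try {
                // The payload is NOT yet verified: use iss only to pick a key, never to trust a claim.
                issuer = JwtClaims.parse(jws.getUnverifiedPayload()).getIssuer();
            } catch (InvalidJwtException | MalformedClaimException e) {
                throw new UnresolvableKeyException("cannot read iss claim: " + e.getMessage());
            }
            Key key = issuer == null ? null : keysByIssuer.get(issuer);
            if (key == null) key = keysByIssuer.get("*");
            if (key == null) throw new UnresolvableKeyException("no key registered for issuer " + issuer);
            return key;
        }
    }

    /** Mirrors the page's default whitelist: only RS256 and ES256 headers are accepted. */
    static JwtConsumer buildConsumer(Map<String, Key> keysByIssuer, String audience) {
        return new JwtConsumerBuilder()
            .setVerificationKeyResolver(new IssuerKeyResolver(keysByIssuer))
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                AlgorithmIdentifiers.RSA_USING_SHA256,
                AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256))
            .setRequireExpirationTime()
            .setRequireSubject()
            .setExpectedAudience(audience)
            .build();
    }

    static JwtClaims claimsFor(String issuer, String audience) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setAudience(audience);
        claims.setSubject("svc-orders");  // constructed subject
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(5);
        claims.setGeneratedJwtId();
        return claims;
    }

    static String sign(JwtClaims claims, Key key, String alg) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key);
        jws.setAlgorithmHeaderValue(alg);
        return jws.getCompactSerialization();
    }

    static void expectRejection(JwtConsumer consumer, String jwt, String why) {
        try {
            consumer.process(jwt);
            throw new IllegalStateException("token should have been rejected: " + why);
        } catch (InvalidJwtException e) {
            System.out.println("rejected (" + why + "): " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        String knownIssuer = "https://example.com/v1/identity/oidc";
        String audience = "C82RLLokthIFn4v4sDYKpJbksC";
        RsaJsonWebKey issuerKey = RsaJwkGenerator.generateJwk(2048);
        RsaJsonWebKey foreignKey = RsaJwkGenerator.generateJwk(2048);

        Map<String, Key> keys = new HashMap<>();
        keys.put(knownIssuer, issuerKey.getPublicKey());
        JwtConsumer strict = buildConsumer(keys, audience);

        // 1. RS256 token from a registered issuer: accepted.
        String good = sign(claimsFor(knownIssuer, audience), issuerKey.getPrivateKey(),
                           AlgorithmIdentifiers.RSA_USING_SHA256);
        System.out.println("accepted sub=" + strict.processToClaims(good).getSubject());

        // 2. Unregistered issuer and no catch-all: key resolution fails, token rejected.
        String foreign = sign(claimsFor("https://idp.attacker.example", audience),
                              foreignKey.getPrivateKey(), AlgorithmIdentifiers.RSA_USING_SHA256);
        expectRejection(strict, foreign, "unregistered issuer");

        // 3. Key confusion: HS256 with the issuer's *public* key bytes as the HMAC secret.
        //    The whitelist rejects the HS256 header, so the RSA public key cannot be misused as a secret.
        String confused = sign(claimsFor(knownIssuer, audience),
                               new HmacKey(issuerKey.getPublicKey().getEncoded()),
                               AlgorithmIdentifiers.HMAC_SHA256);
        expectRejection(strict, confused, "HS256 is outside the whitelist");

        // 4. Registering '*' makes the foreign issuer resolve to the catch-all key instead of failing.
        keys.put("*", foreignKey.getPublicKey());
        System.out.println("catch-all accepted iss="
            + buildConsumer(keys, audience).processToClaims(foreign).getIssuer());
    }
}
```

Run with jose4j on the classpath; cases 2 and 3 print a rejection, cases 1 and 4 print the accepted claim. Note that the catch-all in case 4 accepts any issuer whose token verifies under the catch-all key, which is why the page stresses that the '*' verifier must do its own full validation.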
Stand alone configuration example:

```yaml
kind: JWT   # AuthenticationConfig.Kind#JWT
issuers:
  - name: https://example.com/v1/identity/oidc
    verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJwks
    jwksUri: https://example.com/v1/identity/oidc/.well-known/keys
    audience:
      - C82RLLokthIFn4v4sDYKpJbksC
      - z2OPfk0pavN7Xj0UElTUaR1Xqt
  - name: Confluent
    verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJku
    domainWhitelist:
      - devel.cpdev.cloud
      - stag.cpdev.cloud
      - .gcp.priv.cpdev.cloud
  - name: pemFactory
    verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerStatic
    pems:
      - |-
        -----BEGIN PUBLIC KEY-----
        MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
        Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
        3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
        73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
        szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
        /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
        WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
        J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
        YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
        rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
        egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
        QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
        -----END PUBLIC KEY-----
      - |-
        -----BEGIN PUBLIC KEY-----
        MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
        Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
        3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
        73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
        szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
        /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
        WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
        J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
        YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
        rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
        egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
        QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
        -----END PUBLIC KEY-----
  # * must be escaped or quoted!
  - name: '*'
    verificationType: customForwardingVerifier
```

Embedded configuration example:

```yaml
...
authentication:
  kind: JWT   # AuthenticationConfig.Kind#JWT
  issuers:
    - name: https://example.com/v1/identity/oidc
      verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJwks
      jwksUri: https://example.com/v1/identity/oidc/.well-known/keys
      audience:
        - C82RLLokthIFn4v4sDYKpJbksC
        - z2OPfk0pavN7Xj0UElTUaR1Xqt
    - name: Confluent
      verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJku
      domainWhitelist:
        - devel.cpdev.cloud
        - stag.cpdev.cloud
        - .gcp.priv.cpdev.cloud
    - name: pemFactory
      verificationType: static
      pems:
        - |-
          -----BEGIN PUBLIC KEY-----
          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
          Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
          3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
          73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
          szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
          /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
          WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
          J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
          YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
          rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
          egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
          QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
          -----END PUBLIC KEY-----
        - |-
          -----BEGIN PUBLIC KEY-----
          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
          Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
          3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
          73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
          szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
          /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
          WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
          J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
          YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
          rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
          egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
          QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
          -----END PUBLIC KEY-----
...
```
Nested Class Summary

| Modifier and Type | Class and Description |
|---|---|
| static class | `JwtAuthenticationConfig.Builder` |

Nested classes/interfaces inherited from class AuthenticationConfig: `AuthenticationConfig.Kind`
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| `Set<SignatureAlgorithm>` | `algorithmWhitelist()` |
| `static JwtAuthenticationConfig.Builder` | `builder()` |
| `Authenticator<BearerCredential,JwtPrincipal>` | `createAuthenticator()` Creates a new Authenticator instance. |
| `List<JwtIssuer>` | `issuers()` List of JwtIssuers registered with this JwtAuthenticator. |
| `AuthenticationConfig.Kind` | `kind()` Describes the AuthenticationConfig implementation. |
Method Detail

public AuthenticationConfig.Kind kind()
Describes the AuthenticationConfig implementation.
Specified by: kind in class AuthenticationConfig<BearerCredential,JwtPrincipal>
Returns: AuthenticationConfig.Kind

public Set<SignatureAlgorithm> algorithmWhitelist()

public List<JwtIssuer> issuers()
List of JwtIssuers registered with this JwtAuthenticator.
Returns: List

public Authenticator<BearerCredential,JwtPrincipal> createAuthenticator()
Creates a new Authenticator instance.
Specified by: createAuthenticator in class AuthenticationConfig<BearerCredential,JwtPrincipal>
Returns: Authenticator

public static JwtAuthenticationConfig.Builder builder()