Skip to content

Commit 28e147e

Browse files
authored
Fixes #216 - Move current documentation to Antora. (#219)
1 parent f81bbe5 commit 28e147e

11 files changed

Lines changed: 198 additions & 134 deletions

File tree

.gitignore

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,3 +59,6 @@ client/shade/dependency-reduced-pom.xml
5959

6060
# Zanata files
6161
**/.zanata-cache/
62+
63+
# Antora
64+
build

doc/antora-playbook.yml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
# partial playbook just for this project to be able to compile documentation without pushing it to GitHub
2+
# usage: antora generate antora-playbook.yml
3+
site:
4+
title: SmallRye JWT only documentation
5+
start_page: smallrye-jwt::index.adoc
6+
content:
7+
sources:
8+
- url: ..
9+
start_path: doc
10+
branches: HEAD
11+
ui:
12+
bundle:
13+
url: https://github.com/smallrye/smallrye-antora-ui/blob/master/build/ui-bundle.zip?raw=true
14+
snapshot: true

doc/antora.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
name: smallrye-jwt
2+
title: SmallRye JWT
3+
version: master
4+
nav:
5+
- modules/ROOT/nav.adoc

doc/modules/ROOT/nav.adoc

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
* xref:index.adoc[Index]
2+
* xref:configuration.adoc[Configuration]
3+
* xref:generate-jwt.adoc[Generate JWT Tokens]
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
:version: 2.1.2-SNAPSHOT
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
:doctype: book
2+
include::attributes.adoc[]
3+
4+
[[configuration]]
5+
6+
= Configuration
7+
8+
== MicroProfile JWT properties
9+
10+
[cols="<m,<m,<2",options="header"]
11+
|===
12+
|Property Name|Default|Description
13+
|mp.jwt.verify.publickey|none|Public Key supplied as a string, parsed from it in the order defined in section <<Supported Public Key Formats>>.
14+
|mp.jwt.verify.publickey.location|none|Config property allows for an external or internal location of Public Key to be specified.
15+
|mp.jwt.verify.issuer|none|Expected value of the JWT `iss` (issuer) claim.
16+
|===
17+
18+
== Supported Public Key Formats
19+
20+
Public Keys may be formatted in any of the following formats, specified in order of
21+
precedence:
22+
23+
- Public Key Cryptography Standards #8 (PKCS#8) PEM
24+
- JSON Web Key (JWK) or JSON Web Key Set (JWKS)
25+
- Base64 URL encoded JSON Web Key (JWK) or JSON Web Key Set (JWKS)
26+
27+
== Smallrye JWT properties
28+
29+
Smallrye JWT supports many properties which can be used to customize the token processing:
30+
31+
[cols="<m,<m,<2",options="header"]
32+
|===
33+
|Property Name|Default|Description
34+
|smallrye.jwt.verify.algorithm|`RS256`|Signature algorithm. Set it to `ES256` to support the Elliptic Curve signature algorithm.
35+
|smallrye.jwt.verify.key-format|`ANY`|Set this property to a specific key format such as `PEM_KEY`, `PEM_CERTIFICATE`, `JWK` or `JWK_BASE64URL` to optimize the way the verification key is loaded.
36+
|smallrye.jwt.token.header|`Authorization`|Set this property if another header such as `Cookie` is used to pass the token.
37+
|smallrye.jwt.token.cookie|none|Name of the cookie containing a token. This property will be effective only if `smallrye.jwt.token.header` is set to `Cookie`.
38+
|smallrye.jwt.always-check-authorization|false|Set this property to `true` for `Authorization` header be checked even if the `smallrye.jwt.token.header` is set to `Cookie` but no cookie with a `smallrye.jwt.token.cookie` name exists.
39+
|smallrye.jwt.token.schemes|`Bearer`|Comma-separated list containing an alternative single or multiple schemes, for example, `DPoP`.
40+
|smallrye.jwt.token.kid|none|Key identifier. If it is set then the verification JWK key as well every JWT token must have a matching `kid` header.
41+
|smallrye.jwt.time-to-live|none|The maximum number of seconds that a JWT may be issued for use. Effectively, the difference between the expiration date of the JWT and the issued at date must not exceed this value.
42+
|smallrye.jwt.require.named-principal|`false`|If an application relies on `java.security.Principal` returning a name then a token must have a `upn` or `preferred_username` or `sub` claim set. Setting this property will result in Smallrye JWT throwing an exception if none of these claims is available for the application code to reliably deal with a non-null `Principal` name.
43+
|smallrye.jwt.path.sub|none|Path to the claim containing the subject name. It starts from the top level JSON object and can contain multiple segments where each segment represents a JSON object name only, example: `realms/subject`. This property can be used if a token has no 'sub' claim but has the subject set in a different claim. Use double quotes with the namespace qualified claims.
44+
|smallrye.jwt.claims.sub|none| This property can be used to set a default sub claim value when the current token has no standard or custom `sub` claim available. Effectively this property can be used to customize `java.security.Principal` name if no `upn` or `preferred_username` or `sub` claim is set.
45+
|smallrye.jwt.path.groups|none|Path to the claim containing the groups. It starts from the top level JSON object and can contain multiple segments where each segment represents a JSON object name only, example: `realm/groups`. This property can be used if a token has no 'groups' claim but has the groups set in a different claim. Use double quotes with the namespace qualified claims.
46+
|smallrye.jwt.groups-separator|' '|Separator for splitting a string which may contain multiple group values. It will only be used if the `smallrye.jwt.path.groups` property points to a custom claim whose value is a string. The default value is a single space because a standard OAuth2 `scope` claim may contain a space separated sequence.
47+
|smallrye.jwt.claims.groups|none| This property can be used to set a default groups claim value when the current token has no standard or custom groups claim available.
48+
|smallrye.jwt.jwks.refresh-interval|60|JWK cache refresh interval in minutes. It will be ignored unless the `mp.jwt.verify.publickey.location` points to the HTTPS URL based JWK set and no HTTP `Cache-Control` response header with a positive `max-age` parameter value is returned from a JWK HTTPS endpoint.
49+
|smallrye.jwt.expiration.grace|60|Expiration grace in seconds. By default an expired token will still be accepted if the current time is no more than 1 min after the token expiry time.
50+
|smallrye.jwt.verify.aud|none|Comma separated list of the audiences that a token `aud` claim may contain.
51+
|smallrye.jwt.required.claims|none|Comma separated list of the claims that a token must contain.
52+
|===
Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
:doctype: book
2+
include::attributes.adoc[]
3+
4+
[[configuration]]
5+
6+
= Generate JWT Tokens
7+
8+
JWT claims can be signed or encrypted or signed first and the nested JWT token encrypted. Signing the claims is used
9+
most often to secure the claims. What is known today as a JWT token is typically produced by signing the claims in a
10+
JSON format using the steps described in the https://tools.ietf.org/html/rfc7515[JSON Web Signature] specification.
11+
However, when the claims are sensitive, their confidentiality can be guaranteed by following the steps described in the
12+
https://tools.ietf.org/html/rfc7516[JSON Web Encryption] specification to produce a JWT token with the encrypted claims.
13+
Finally both the confidentiality and integrity of the claims can be further enforced by signing them first and then
14+
encrypting the nested JWT token.
15+
16+
SmallRye JWT provides an API for securing the JWT claims using all of these options.
17+
18+
== Create JwtClaimsBuilder and set the claims
19+
20+
The first step is to initialize a `JwtClaimsBuilder` using one of the options below and add some claims to it:
21+
22+
[source,java]
23+
----
24+
import java.util.Collections;
25+
import io.smallrye.jwt.build.Jwt;
26+
import io.smallrye.jwt.build.JwtClaimsBuilder;
27+
...
28+
// Create an empty builder and add some claims
29+
JwtClaimsBuilder builder1 = Jwt.claims();
30+
builder1.claim("customClaim", "custom-value").issuer("https://issuer.org");
31+
32+
// Builder created from the existing claims
33+
JwtClaimsBuilder builder2 = Jwt.claims("/tokenClaims.json");
34+
35+
// Builder created from a map of claims
36+
JwtClaimsBuilder builder3 = Jwt.claims(Collections.singletonMap("customClaim", "custom-value"));
37+
----
38+
39+
The API is fluent so the builder initialization can be done as part of the fluent API sequence. The builder will also
40+
set `iat (issued at) to the current time, `exp`(expires at) to 5 minutes away from the current time and `jti`
41+
(unique token identifier) claims if they have not already been set, so one can skip setting them when possible.
42+
43+
The next step is to decide how to secure the claims.
44+
45+
== Sign the claims
46+
47+
The claims can be signed immediately or after the `JSON Web Signature` headers have been set:
48+
49+
[source,java]
50+
----
51+
import io.smallrye.jwt.build.Jwt;
52+
...
53+
54+
// Sign the claims using the private key loaded from the location set with a 'smallrye.jwt.sign.key-location' property.
55+
// No 'jws()' transition is necessary.
56+
String jwt1 = Jwt.claims("/tokenClaims.json").sign();
57+
58+
// Set the headers and sign the claims with an RSA private key loaded in the code (the implementation of this method is omitted). Note a 'jws()' transition to a 'JwtSignatureBuilder'.
59+
String jwt2 = Jwt.claims("/tokenClaims.json").jws().signatureKeyId("kid1").header("custom-header", "custom-value").sign(getPrivateKey());
60+
----
61+
62+
Note the `alg` (algorithm) header is set to `RS256` by default.
63+
64+
== Encrypt the claims
65+
66+
The claims can be encrypted immediately or after the `JSON Web Encryption` headers have been set the same way as they
67+
can be signed. The only minor difference is that encrypting the claims always requires a `jwe() JwtEncryptionBuilder`
68+
transition:
69+
70+
[source,java]
71+
----
72+
import io.smallrye.jwt.build.Jwt;
73+
...
74+
75+
// Encrypt the claims using the public key loaded from the location set with a 'smallrye.jwt.encrypt.key-location' property.
76+
String jwt1 = Jwt.claims("/tokenClaims.json").jwe().encrypt();
77+
78+
// Set the headers and encrypt the claims with an RSA public key loaded in the code (the implementation of this method is omitted).
79+
String jwt2 = Jwt.claims("/tokenClaims.json").jwe().header("custom-header", "custom-value").encrypt(getPublicKey());
80+
----
81+
82+
Note the `alg` (key management algorithm) header is set to `RSA-OAEP-256` (it will be changed to `RSA-OAEP` in a future
83+
version of smallrye-jwt) and the `enc` (content encryption header) is set to `A256GCM` by default.
84+
85+
== Sign the claims and encrypt the nested JWT token
86+
87+
The claims can be signed and then the nested JWT token encrypted by combining the sign and encrypt steps.
88+
89+
[source,java]
90+
----
91+
import io.smallrye.jwt.build.Jwt;
92+
...
93+
94+
// Sign the claims and encrypt the nested token using the private and public keys loaded from the locations set with the 'smallrye.jwt.sign.key-location' and 'smallrye.jwt.encrypt.key-location' properties respectively.
95+
String jwt = Jwt.claims("/tokenClaims.json").innerSign().encrypt();
96+
----

doc/modules/ROOT/pages/index.adoc

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
[[index]]
2+
= SmallRye JWT Documentation
3+
4+
SmallRye JWT is an implementation of https://github.com/eclipse/microprofile-jwt-auth/[Eclipse MicroProfile JWT RBAC].
5+
Currently it is focused on supporting the MP-JWT 1.1 spec, and primarily deals with the parsing of the JWT string into
6+
a JsonWebToken implementation.
7+
8+
In the future, when MP-JWT 2.0 can build on the JSR-375 security APIs, there should be more support for defining the CDI extension and security layer integration.
9+
10+
== Runtimes
11+
12+
Runtimes that currently use it as their JWT RBAC implementation include:
13+
14+
* https://quarkus.io/[Quarkus]
15+
* https://wildfly.org/[WildFly]
16+
* https://thorntail.io/[Thorntail]
17+
18+
== References
19+
20+
* https://github.com/eclipse/microprofile-jwt-auth/[MP JWT]
21+
* https://tools.ietf.org/html/rfc7519[JSON Web Token]
22+
* https://tools.ietf.org/html/rfc7515[JSON Web Signature]
23+
* https://tools.ietf.org/html/rfc7516[JSON Web Encryption]
24+
* https://tools.ietf.org/html/rfc7518[JSON Web Algorithms]

docs/pom.xml

Lines changed: 0 additions & 86 deletions
This file was deleted.

docs/src/main/asciidoc/index.adoc

Lines changed: 0 additions & 47 deletions
This file was deleted.

0 commit comments

Comments
 (0)