In this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.

1. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Stateless Microservice Security
with MicroProfile JWT
David Blevins
Tomitribe

2. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC Focus Areas
• Theory of OAuth 2.0
• Introduction of JWT
• MicroProfile JWT

3. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
JWTs are Japanese

4. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC Co-Inventor

5. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
OAuth 2.0
+
JSon Web Tokens (JWT)

6. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC JSon Web Token
• Pronounced “JOT”
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Built-in expiration

7. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC JSON Web Token (encoded)
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi
10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb
m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw
czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI
sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW
VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O
TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz
IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8
DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta
Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0
98ocefuv08TdzRxqYoEqYNo

8. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC • { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
“twitter”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv
0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl
LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo

9. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
How Do You Get a JWT?

10. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC OAuth 2 - Password Grant
(LDAP)
(Token ID Store)
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM
i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0
LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M
TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ
9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8
OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO
EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo",
"expires_in":3600,
"refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL",
}

11. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Inside the OAuth 2.0 Server

12. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
(LDAP)
Verify Password
with LDAP
or Database

13. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
(LDAP)
Pull User Info
From LDAP
or Database

14. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
(LDAP)
Format the data
as JSON Map

15. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
(LDAP)
RSA-SHA 256
sign JSON private

16. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
(LDAP)
Insert only
pointer
into DB
(for revocation)

17. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
(LDAP)
Send Access Token (state)
to client

18. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Client Holds State Server Holds Pointer
Desired
Results

19. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Using a JWT

20. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC REST Request secured with JWT
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}

21. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC OAuth 2 + JWT
OAuth 2
(LDAP)
backend
Token
Signature
Verification
(private key)
✔

22. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Refreshing a JWT

23. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC OAuth 2 - Refresh Grant
(LDAP)
(Token Store)
Verify
Password
Generate
Token
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
"expires_in":3600,
"refresh_token":"hyT5rw1QNh5Ttg2hdtR54e",
}

24. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Impact on the Backend

25. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC Password Seen Once
Password Sent
(one time)
OAuth 2
(LDAP)
(private key)
backend

26. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC CPU + Memory
Tokens Sent
(every request)
Password Sent
(one time)
OAuth 2
(LDAP)
Token
Signature
Verification
(private key)
backend

27. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC CPU + Memory
Tokens Sent
(every request)
Password Sent
(one time)
OAuth 2
(LDAP)
Token
Signature
Verification
(private key)
backend

28. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC Secure Backend
Tokens Sent
(every request)
Password Sent
(one time)
OAuth 2
(LDAP)
Token
Signature
Verification
(private key)
Previously Unsafe
backend

29. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC Every Microservice Has the Public Key

30. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
“Hey, give me all
of Joe’s salary
information.”
“Not a chance!”
Every Microservice Has the Gateway's Public Key
Rejected - No JWT

31. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Every Microservice Has the Gateway's Public Key
“Hey, give me all
of Joe’s salary
information.”
joe
Pass the JWT!

32. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Every Microservice Has the Gateway's Public Key
✔
“Hey, give me all
of Joe’s salary
information.”
joe

33. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
✔
Every Microservice Has the Gateway's Public Key
“Hey, give me all
of Joe’s salary
information.”

34. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
✔
Every Microservice Has the Gateway's Public Key
“Hey, give me all
of Joe’s salary
information.”

35. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Every Microservice Has the Gateway's Public Key
✔
“Hey, give me all
of Joe’s salary
information.”

36. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
Every Microservice Has the Gateway's Public Key
✔
“Hey, give me all
of Joe’s salary
information.”
“Sure thing!”

37. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
What is MicroProfile JWT?

38. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC This Part...
Tokens Sent
(every request)
Password Sent
(one time)
OAuth 2
(LDAP)
backend
Token
Signature
Verification
(private key)
(public key)
Token
Signature
Verification

39. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC MicroProfile JWT
• Validation of JWTs
• authentication (401)
• authorization (403)
• Configuration of Public Keys
• Java API for JWTs

40. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC The "JJUG" Feature :)

41. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC Very Small.. Very Simple.
org.eclipse.microprofile.auth.LoginConfig
org.eclipse.microprofile.jwt.Claim
org.eclipse.microprofile.jwt.ClaimLiteral
org.eclipse.microprofile.jwt.Claims
org.eclipse.microprofile.jwt.ClaimValue
org.eclipse.microprofile.jwt.config.Names
org.eclipse.microprofile.jwt.JsonWebToken

42. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC The Most Important
org.eclipse.microprofile.auth.LoginConfig
org.eclipse.microprofile.jwt.Claim
org.eclipse.microprofile.jwt.JsonWebToken

43. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC @LoginConfig
import org.eclipse.microprofile.auth.LoginConfig;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
@ApplicationPath("/api")
@LoginConfig(authMethod = "MP-JWT")
public class Api extends Application {
}

44. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC @Claim
@Path("/movies")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@RequestScoped
public class MovieService {
@Inject
@Claim("email")
private String email;

45. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC JsonWebToken
import org.eclipse.microprofile.jwt.JsonWebToken;
@Path("/movies")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@RequestScoped
public class MovieService {
@Inject
private JsonWebToken jsonWebToken;

46. #MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC
What is MicroProfile JWT not?

47. @dblevins @tomitribe#MicroProfileJWT @dblevins @tomitribegithub.com/tomitribe/jjugccc2019
JJUGCCC MicroProfile JWT is not
• Creation of JWTs
• Login with the Browser
• Database of Users
• Holder of Private Keys
• API Gateway

48. Thank You
Slides and Resources
https://github.com/tomitribe/jjugccc2019
#MicroProfileJWT