[Apiman-user] Generic JWT plugin policy

Marc Savy marc.savy at redhat.com
Thu Dec 1 11:06:47 EST 2016


Hi,

I just pushed a (very simple) generic JWT plugin policy to master.

To try it out right now you will need to build it. Just check out the
apiman/apiman-plugins repo and execute `mvn clean install`. The plugin
coordinates will be G: io.apiman.plugins A: apiman-plugins-jwt-policy V:
1.2.9-SNAPSHOT.

It isn't yet as feature-rich as the Keycloak plugin, but you can:

- Require JWT.
- Require claims (e.g. sub = foo).
- Require transport security (TLS, SSL).
- Require JWT be cryptographically signed (a.k.a. JWS).
- Validate JWT against a provided public key.
- Remove auth tokens (prevent them reaching the backend).
- Set maximum clock skew.

I'll expand on this shortly to add something that will hopefully add some
commonly-used features from the Keycloak plugin:

- Allow extraction of roles for authorization
- Forward token fields as headers (e.g. X-Sub = sub)

Regards,
Marc
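The checks listed in the announcement (require a JWT, require TLS, require a signature, verify it against a configured public key, enforce claims with a clock-skew allowance, and strip the token before the backend sees it) are shown below as an added example in Go. It is not the Apiman plugin's own code (that is Java, and its configuration format is not reproduced here); the `Policy`, `Apply` and `SignRS256` names are this example's own, and it assumes RS256 as the only accepted algorithm and a signing key generated in `main` standing in for the identity provider's key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy holds the knobs from the announcement; field names are this example's own.
type Policy struct {
	PublicKey      *rsa.PublicKey    // key the JWS signature must verify against
	RequiredClaims map[string]string // e.g. {"sub": "foo"}
	MaxSkew        time.Duration     // tolerated clock drift for exp / nbf
	RequireTLS     bool              // reject plain-HTTP requests
	StripToken     bool              // drop Authorization before forwarding to the backend
}

// JWS uses base64url without padding.
var b64 = base64.RawURLEncoding

// Apply enforces the policy on one request. It returns the verified claims and,
// when StripToken is set, removes the Authorization header from the map.
func (p Policy) Apply(headers map[string]string, isTLS bool, now time.Time) (map[string]interface{}, error) {
	if p.RequireTLS && !isTLS {
		return nil, errors.New("transport security required")
	}
	auth := headers["Authorization"]
	if !strings.HasPrefix(auth, "Bearer ") {
		return nil, errors.New("JWT required")
	}
	parts := strings.Split(strings.TrimPrefix(auth, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	// Pin the algorithm: "none" and HS* are refused so a client cannot downgrade
	// the check by editing the header (the classic alg-confusion attack).
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(p.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only after the signature checks out is anything in the payload trusted.
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	skew := p.MaxSkew.Seconds() // JSON numbers decode as float64
	if exp, ok := claims["exp"].(float64); ok && float64(now.Unix()) > exp+skew {
		return nil, errors.New("token expired")
	}
	if nbf, ok := claims["nbf"].(float64); ok && float64(now.Unix()) < nbf-skew {
		return nil, errors.New("token not yet valid")
	}
	for k, want := range p.RequiredClaims {
		if got, _ := claims[k].(string); got != want {
			return nil, fmt.Errorf("claim %q must equal %q", k, want)
		}
	}
	if p.StripToken {
		delete(headers, "Authorization")
	}
	return claims, nil
}

// SignRS256 builds a compact JWS, playing the role of the identity provider.
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the IdP key (assumption)
	now := time.Now()
	pol := Policy{PublicKey: &priv.PublicKey, RequiredClaims: map[string]string{"sub": "foo"},
		MaxSkew: 30 * time.Second, RequireTLS: true, StripToken: true}
	tok := SignRS256(priv, map[string]interface{}{"sub": "foo", "exp": now.Add(time.Minute).Unix()})
	hdrs := map[string]string{"Authorization": "Bearer " + tok}
	claims, err := pol.Apply(hdrs, true, now)
	fmt.Println(claims, err, hdrs) // claims printed, err nil, Authorization gone
}
```

The order of checks matters: the transport and algorithm checks come before any signature work, and nothing in the payload (including `exp`, `nbf` and the required claims) is read until the signature has verified against the configured key, so a forged or unsigned payload never influences the decision. Clock skew is applied symmetrically, a token that expired less than `MaxSkew` ago is still accepted and one whose `nbf` lies less than `MaxSkew` in the future is too.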