I'm currently working on implementing JWT authentication on our backend via MicroProfile JWT (v1.2) on an Open Liberty server (v22.0.7). The JWT is issued by a Keycloak server.
It seems I am mistaken somewhere, though, because all my API calls return '401 Unauthorized' as soon as I add the @RolesAllowed annotation. And according to the traces, the principal is null.
My MicroProfile properties (sensitive information in [ ]):
mp.jwt.verify.publickey.location=[host]/realms/[realm]/protocol/openid-connect/certs
mp.jwt.verify.issuer=[host]/realms/[realm]
mp.jwt.verify.id=myJWT
mp.jwt.verify.userNameAttribute=upn
mp.jwt.verify.audiences=backend
I also tried:
META-INF/micro-profile.properties:
mp.jwt.verify.publickey.location=[host]/realms/[realm]/protocol/openid-connect/certs
mp.jwt.verify.issuer=[host]/realms/[realm]
server.xml:
<mpJwt
id="myJWT"
userNameAttribute="upn"
audiences="backend"
/>
My Resource class:
@Path("/[path]")
@RolesAllowed({ "Authenticated" })
public class MyResource implements MyApi {
[...]
}
My Application class:
@LoginConfig(authMethod = "MP-JWT")
public class MyApplication extends Application {
}
My token payload:
{
  "exp": 1662994046,
  "iat": 1662986846,
  "jti": "a0a92213-ae77-43fd-b0b8-8cb2f15524b2",
  "iss": "[host]/realms/[realm]",
  "aud": [
    "backend"
  ],
  "sub": "6194ef8a-dbe2-46fb-aa88-64dd61b4c8bc",
  "typ": "Bearer",
  "azp": "frontend",
  "session_state": "6c60affa-b613-49cd-8e8b-a06b16eb8e61",
  "acr": "1",
  "scope": "microprofile-jwt",
  "sid": "6c60affa-b613-49cd-8e8b-a06b16eb8e61",
  "upn": "name",
  "groups": [
    "Authenticated"
  ]
}
I also tried the suggestion in "Microprofile JWT responding with 401 all the time", to no avail.
My API calls are made as normal, with the added header:
"Authorization: Bearer [token]"
Finally, you can find the tracing in this pastebin.
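Added example, not part of the question or of Open Liberty: a stand-alone script that decodes the bearer token's payload (without verifying the signature, which the server does against the JWKS) and compares the claims against the mpJwt settings shown above, so mismatches in issuer, audience, user-name claim, groups or expiry can be spotted before blaming the server. The issuer host, config values and token are constructed placeholders.

```python
import base64
import json
import time

# Constructed config and payload modelled on the question (issuer host is a placeholder).
SAMPLE_CONFIG = {"mp.jwt.verify.issuer": "https://keycloak.example/realms/demo",
                 "mp.jwt.verify.audiences": "backend", "mp.jwt.verify.userNameAttribute": "upn"}
SAMPLE_PAYLOAD = {"exp": 1662994046, "iat": 1662986846, "iss": "https://keycloak.example/realms/demo",
                  "aud": ["backend"], "azp": "frontend", "upn": "name", "groups": ["Authenticated"]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed token: genuine header/payload encoding, placeholder (invalid) signature segment.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(SAMPLE_PAYLOAD).encode()), "placeholder-signature"])

def decode_unverified_payload(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT checked here; Liberty
    does that against the JWKS fetched from mp.jwt.verify.publickey.location."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_claims(payload: dict, config: dict, required_roles, now=None) -> list:
    """List mismatches between the token claims and what the mpJwt config expects.
    An empty list means the claim values line up (key and signature still matter)."""
    now = int(time.time()) if now is None else now
    problems = []
    issuer = config.get("mp.jwt.verify.issuer")
    if payload.get("iss") != issuer:
        problems.append(f"iss {payload.get('iss')!r} != mp.jwt.verify.issuer {issuer!r}")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    wanted = {a.strip() for a in config.get("mp.jwt.verify.audiences", "").split(",") if a.strip()}
    if wanted and not wanted.intersection(aud):
        problems.append(f"aud {aud} contains none of mp.jwt.verify.audiences {sorted(wanted)}")
    name_claim = config.get("mp.jwt.verify.userNameAttribute", "upn")
    if not payload.get(name_claim):
        problems.append(f"claim {name_claim!r} missing or empty, so no principal name can be set")
    missing = set(required_roles) - set(payload.get("groups", []))
    if missing:
        problems.append(f"groups claim lacks roles named in @RolesAllowed: {sorted(missing)}")
    if "exp" in payload and payload["exp"] <= now:
        problems.append(f"token expired (exp={payload['exp']}, now={now})")
    return problems
```

Run `check_claims(decode_unverified_payload(token), config, {"Authenticated"})` on the real bearer token and the properties actually loaded by the server; an empty list narrows the 401 down to key retrieval, signature, or the configuration file not being picked up at all.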