In order to work, this application requires an STS (Secure Token Service) capable of generating signed JWT tokens. This is what the Tribestream API Gateway is about. It’s also capable of doing routing and while enforcing permissions. If you want to know more, check out the website at https://tribestream.io
The best and simplest way to start the API Gateway is to use Docker as follow
docker run --rm -it --name tag -e LICENSE=accept -e CASSANDRA_EMBEDDED=true -p 8080:8080 tomitribe/tribestream-api-gateway:latest
Once the Tribestream API Gateway is up and running, you can connect to the console with the following URL http://localhost:8080/tag/
You will need to checkout the source locally and then build the project. Here are the steps
git clone https://github.com/tomitribe/oauth2-jwt-custom-claims.git cd oauth2-jwt-custom-claims
To ease configuration, this project comes with necessary configuration and scripts to load the configuration of the API Gateway. You can also navigate through the UI and do it yourself.
But as a faster solution, run the following commands
cd src/main/scripts ./load-configuration.sh
|you need to make sure you first started the API Gateway with the previous step.|
Next step consists in starting the demo application. From the project root directory, run the following command.
mvn clean install -DskipTests tomee:run
It should start on port 8181 so it does not clash with the Gateway So what you need is to open a browser and navigate to http://localhost:8181/moviefun/
There are 4 accounts created with the import scripts (See step 2).
alex/password with create, update and delete role
john/password with create role
nick/password with delete role
mark/password with update role
As soon as you get in the application using one of these accounts, checkout the HTTP requests from the application to the remote server. If you are using the Chrome browser, you can open up the developer tools.
You should be able to see an authorization header with the JWT obtained from the API Gateway.
Once you have it, go to http://jwt.io to decode the JWT and see the content.
There should be a claim named
aud and containing
This is a custom claim configured in the API Gateway and using an endpoint from the application.
The source code of the endpoint is available under
If now you want to return actual business data, change the code to return something else and restart the tomee server (see command above).
When done, logout and login again in the application and decode the new JWT.
You should see the updated
Go to the following page http://localhost:8080/tag/claim-source/movies-claims-source You will see the configuration for the claim source. It is using an API Connection. Click the link if you want to see the definition of the API Connection.
When you are on the API Claim Source definition, click the 3 dots at the top right of the page.
There is a link
The dialog opens and allows you to simulate an OAuth2 grant.
password for the grant type input and enter a valid username (see above for the list).
Bellow, you should all the details and the returned data for the specified user. This is particularly useful if you want to change the resource endpoint and see the result.