OAuth 2.0 with JWT and Custom Claims

Introduction

Learning objectives

  • Authenticate users with the Tribestream API Gateway

  • Add business data as custom claims into the JWT

Prerequisites

Starting the Tribestream API Gateway

In order to work, this application requires an STS (Secure Token Service) capable of generating signed JWT tokens. This is what the Tribestream API Gateway is about. It’s also capable of doing routing and while enforcing permissions. If you want to know more, check out the website at https://tribestream.io

The best and simplest way to start the API Gateway is to use Docker as follow

docker run --rm -it --name tag -e LICENSE=accept -e CASSANDRA_EMBEDDED=true -p 8080:8080 tomitribe/tribestream-api-gateway:latest

Once the Tribestream API Gateway is up and running, you can connect to the console with the following URL http://localhost:8080/tag/

Build the project

You will need to checkout the source locally and then build the project. Here are the steps

git clone https://github.com/tomitribe/oauth2-jwt-custom-claims.git
cd oauth2-jwt-custom-claims

Populating and configuring the Tribestream API Gateway

To ease configuration, this project comes with necessary configuration and scripts to load the configuration of the API Gateway. You can also navigate through the UI and do it yourself.

But as a faster solution, run the following commands

cd src/main/scripts
./load-configuration.sh
Note
you need to make sure you first started the API Gateway with the previous step.

Starting the movie chat application

Next step consists in starting the demo application. From the project root directory, run the following command.

mvn clean install -DskipTests tomee:run

It should start on port 8181 so it does not clash with the Gateway So what you need is to open a browser and navigate to http://localhost:8181/moviefun/

There are 4 accounts created with the import scripts (See step 2).

  • alex/password with create, update and delete role

  • john/password with create role

  • nick/password with delete role

  • mark/password with update role

As soon as you get in the application using one of these accounts, checkout the HTTP requests from the application to the remote server. If you are using the Chrome browser, you can open up the developer tools.

You should be able to see an authorization header with the JWT obtained from the API Gateway. Once you have it, go to http://jwt.io to decode the JWT and see the content. There should be a claim named aud and containing [\"microprofile\",\"jwt\",\"tomee\"].

This is a custom claim configured in the API Gateway and using an endpoint from the application. The source code of the endpoint is available under src/main/java/org/superbiz/moviefun/claims/MovieClaimsSourceResource.

If now you want to return actual business data, change the code to return something else and restart the tomee server (see command above). When done, logout and login again in the application and decode the new JWT. You should see the updated aud claim.

Testing your claim source changes from the UI

Go to the following page http://localhost:8080/tag/claim-source/movies-claims-source You will see the configuration for the claim source. It is using an API Connection. Click the link if you want to see the definition of the API Connection.

When you are on the API Claim Source definition, click the 3 dots at the top right of the page. There is a link Test

The dialog opens and allows you to simulate an OAuth2 grant. Select password for the grant type input and enter a valid username (see above for the list). Finally, click TEST.

Bellow, you should all the details and the returned data for the specified user. This is particularly useful if you want to change the resource endpoint and see the result.