Consuming JSON Web Tokens in Liberty
You can programmatically verify and parse JSON Web Token (JWT) tokens by configuring the JWT consumer element in the server configuration and implementing the com.ibm.websphere.security.jwt.JwtConsumer and com.ibm.websphere.security.jwt.JwtToken APIs in your applications.
In version 22.0.0.13 and later, documentation for the JSON Web Token feature is available on the Open Liberty website.
About this task
When the JSON Web Token feature is enabled, Open Liberty creates a default configuration with the following values.
- The alg header of the consumed JWT is RS256. You can configure this value on the signatureAlgorithm attribute.
- A JWT is considered to be valid within 5 minutes of the exp, nbf, and iat claims. You can configure this value on the clockSkew attribute.
You can reconfigure these defaults by specifying a jwtConsumer element with an id value of defaultJWTConsumer and configuring attribute values.
You can also create one or more other jwtConsumer elements. Each jwtConsumer element must have a unique, URL-safe string specified as the id attribute value. If the id value is missing, the jwtConsumer is not processed. For more information about the available configuration attributes, see JWT Consumer (jwtConsumer).
For information about JWT APIs, see the JSON Web Token Java documentation or the API documentation included in the product in the ${wlp.install.dir}/dev directory.
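The following added example (not taken from the product documentation) shows one way an application can hand a bearer token to a named jwtConsumer and read claims only after verification succeeds. The consumer id myJwtConsumer, the class name, the method name, and the clockSkew value format in the comment are assumptions made for illustration.

```java
import com.ibm.websphere.security.jwt.Claims;
import com.ibm.websphere.security.jwt.InvalidConsumerException;
import com.ibm.websphere.security.jwt.InvalidTokenException;
import com.ibm.websphere.security.jwt.JwtConsumer;
import com.ibm.websphere.security.jwt.JwtToken;

/**
 * Added example. Assumes server.xml defines a consumer such as
 *   <jwtConsumer id="myJwtConsumer" signatureAlgorithm="RS256" clockSkew="5m" />
 * together with the key configuration it needs (not shown here).
 * "myJwtConsumer" is a hypothetical id; "5m" is an assumed duration format.
 */
public final class BearerTokenVerifier {

    private static final String CONSUMER_ID = "myJwtConsumer"; // hypothetical id
    private static final String BEARER_PREFIX = "Bearer ";

    private BearerTokenVerifier() { }

    /**
     * Returns the subject of a verified token, or null when the header is
     * missing, is not a bearer credential, or the token is rejected.
     */
    public static String verifiedSubject(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(
                true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return null;
        }
        String compact = authorizationHeader.substring(BEARER_PREFIX.length()).trim();
        try {
            // Looks up the jwtConsumer element with this id in the server configuration.
            JwtConsumer consumer = JwtConsumer.create(CONSUMER_ID);
            // Verification and parsing happen here, using the consumer's settings.
            JwtToken token = consumer.createJwt(compact);
            // Claims are read only from a token that createJwt accepted.
            Claims claims = token.getClaims();
            return claims.getSubject();
        } catch (InvalidTokenException e) {
            // Fail closed: a rejected token yields no identity.
            return null;
        } catch (InvalidConsumerException e) {
            // Configuration problem, for example a missing or unprocessed id.
            throw new IllegalStateException(
                    "jwtConsumer '" + CONSUMER_ID + "' is not usable", e);
        }
    }
}
```

Treating InvalidConsumerException as a server fault rather than an authentication failure keeps a misconfigured consumer from being mistaken for a stream of bad tokens in the logs.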