https://github.com/entur/jwt-resource-server
OpenID: Client, server and unit-testing support for machine-to-machine calls using access-tokens.
auth0 caching java json-web-token junit5 jwt openid openid-connect spring-boot
- Host: GitHub
- URL: https://github.com/entur/jwt-resource-server
- Owner: entur
- License: eupl-1.2
- Created: 2019-10-10T11:14:01.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2025-10-16T20:24:45.000Z (3 months ago)
- Last Synced: 2025-10-20T07:58:43.604Z (3 months ago)
- Topics: auth0, caching, java, json-web-token, junit5, jwt, openid, openid-connect, spring-boot
- Language: Java
- Homepage:
- Size: 1.72 MB
- Stars: 46
- Watchers: 19
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-java - JWT Resource Server
README
[org.entur.jwt-rs on mvnrepository.com](https://mvnrepository.com/artifact/org.entur.jwt-rs)
# jwt-resource-server
Tools for synchronous (servlet-based) __OpenID resource servers__ that rely on [Access Tokens](https://auth0.com/docs/tokens/access-tokens) for authorization. These come in the form of JSON Web Tokens (JWT) issued by Authorization Servers such as Auth0 and Keycloak. Authorization Servers __sign JWTs__ with their private keys; resource servers download the corresponding public keys from the Authorization Servers and __validate the JWTs__ by verifying the signature.
## Primer
Technically, this library deals with HTTP requests using the __Authorization__ header. Example HTTP request:
```
GET /some/restricted/service/1
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsI.eyJzdWIIjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpM
```
where the value after `Bearer` is the token itself: three __Base64url-encoded segments__ (header, payload, signature) separated by dots. For a valid token, the server processes the request and responds:
```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1024
```
Alternatively, the server returns __HTTP 401 Unauthorized__ if the token was missing or not accepted (RFC 6750 has the server include a `WWW-Authenticate: Bearer` header with that response), or __HTTP 403 Forbidden__ if the token was accepted but did not carry sufficient permissions.
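The flow that the introduction and this primer describe, as an added example in Go that is not part of this project (the project itself is Java and wraps third-party JWT libraries for the low-level work). It assumes constructed values: issuer `https://issuer.example/`, audience `orders-api`, key id `k1` and an `orders:read` scope; the JWKS download over HTTPS is elided and the published key set is handed to the resource server in memory. The authorization server signs with its RSA private key and publishes the public key as a JWKS entry; the resource server parses the Authorization header, selects the key by `kid`, pins the algorithm, verifies the signature before trusting any claim, checks issuer, audience and expiry, and maps the outcome to 200, 401 or 403:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed values for this example; a deployment takes them from provider metadata and its own config.
const issuer, audience = "https://issuer.example/", "orders-api"
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// JWK carries the RFC 7517 fields needed to rebuild an RSA public key; the JWKS is {"keys":[...]} of these.
type JWK struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
// Claims is the subset of the access token this resource server checks.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}

// SignRS256 is the authorization-server side: sign header.payload with the private key.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// PublishJWKS is what the issuer serves at its jwks_uri; the resource server fetches and caches it (HTTP elided).
func PublishJWKS(pub *rsa.PublicKey, kid string) []JWK {
	e := big.NewInt(int64(pub.E)).Bytes()
	return []JWK{{Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}
}

// Authorize is the resource-server side and returns the HTTP status for the request: 401 if the
// token is missing or not accepted, 403 if it verifies but lacks the required scope, 200 otherwise.
func Authorize(authHeader string, keys []JWK, requiredScope string, now time.Time) int {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 {
		return 401 // missing or malformed bearer token
	}
	var header struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil {
		return 401 // undecodable header
	}
	// Pin the algorithm server-side so the token cannot pick "none" or an HMAC
	// algorithm that would be checked with the public key as the shared secret.
	if header.Alg != "RS256" {
		return 401
	}
	var pub *rsa.PublicKey // the published key whose kid the token header names
	for _, k := range keys {
		if n, err := b64.DecodeString(k.N); k.Kid == header.Kid && err == nil {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return 401 // unknown kid, or signature does not verify
	}
	var c Claims // claims are trusted only now that the signature holds
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return 401 // undecodable payload
	}
	if c.Iss != issuer || c.Aud != audience || now.Unix() >= c.Exp {
		return 401 // wrong issuer or audience, or expired
	}
	if strings.Contains(" "+c.Scope+" ", " "+requiredScope+" ") { // scope is a space-separated list
		return 200
	}
	return 403 // authenticated, but not permitted
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := PublishJWKS(&priv.PublicKey, "k1")
	now := time.Now()
	tok, _ := SignRS256(priv, "k1", Claims{Iss: issuer, Aud: audience, Exp: now.Add(time.Hour).Unix(), Scope: "orders:read"})
	fmt.Println(Authorize("Bearer "+tok, keys, "orders:read", now), Authorize("Bearer "+tok, keys, "orders:write", now)) // 200 403
}
```

`Authorize` answers 401 for every verification failure and 403 only once the token has verified but lacks the scope, matching the primer above. The algorithm pin is the check that matters most when keys are downloaded rather than configured: without it a token naming `alg` `none`, or an HMAC algorithm, could be presented against the very public key the server fetched. Signature verification happens before any claim is read, so issuer, audience and expiry are only ever evaluated on data the issuer actually signed.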
## Overview
Users of this library will benefit from:
* Robust multi-tenant JWT [access-token validation](jwt-server)
* Robust JWT [access-token client](jwt-client)
* Flexible JWT [JUnit 5 test-support](jwt-test)
* [Spring Boot support](jwt-server) for the above
In order to keep complexity (and risk) down, the library wraps existing third party libraries for low-level parsing, signature validation and authorization enforcement. Notable features:
* thread-safe sharing of keys (for signature verification) and access-tokens within each JVM
* proactive background refresh of keys and tokens
* keys and token health status (on last remote invocation)
* annotation-based token mocking with test method signature argument support
* open/closed endpoint filter, so that requests to closed endpoints can be proactively rejected before the payload is unmarshalled
Async is not yet supported.
## Project structure
* [jwt-server] - for handling incoming service calls (i.e. in your backend)
* [jwt-client] - for making outgoing service calls (i.e. support for obtaining a token first)
* [jwt-test] - JUnit 5 test support.
* [examples] - Example projects.
See documentation contained in each folder to get started. Or skip right to the [examples](examples).
# License
[European Union Public Licence v1.2](https://eupl.eu/).
[jwk]: jwt-server/jwk
[jwt-verifier]: jwt-server/jwk-verifier
[jwt-server]: jwt-server
[jwt-client]: jwt-client
[jwt-test]: jwt-test
[java-jwt]: https://github.com/auth0/java-jwt
[examples]: examples