From cdbb024ff8be6ffeacb4a9cc8f4a2d64faa2c4c8 Mon Sep 17 00:00:00 2001 From: David Kral Date: Tue, 10 Oct 2023 12:59:44 +0200 Subject: [PATCH] JWT Auth configuration properties updated Signed-off-by: David Kral --- docs/config/io_helidon_microprofile_jwt.adoc | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/docs/config/io_helidon_microprofile_jwt.adoc b/docs/config/io_helidon_microprofile_jwt.adoc index e74657a396c..6eddb687e32 100644 --- a/docs/config/io_helidon_microprofile_jwt.adoc +++ b/docs/config/io_helidon_microprofile_jwt.adoc @@ -18,9 +18,11 @@ // MANUALLY CREATED DOC +ifndef::rootdir[:rootdir: {docdir}/..] :description: Configuration of io.helidon.microprofile.jwt -:keywords: helidon, config, health +:keywords: helidon, security, jwt, microprofile :basic-table-intro: The table below lists the configuration keys that configure io.helidon.microprofile.jwt.adoc +include::{rootdir}/includes/attributes.adoc[] = JWT Configuration 
@@ -36,12 +38,20 @@ |key |type |default value |description |`mp.jwt.verify.publickey` |string |{nbsp} |The property allows the Public Verification Key text itself to be supplied as a string. -|`mp.jwt.verify.publickey.location` |string |{nbsp} | The property allows for an external or internal location of Public Verification Key to be specified. The value may be a relative path or a URL. +|`mp.jwt.verify.publickey.location` |string |{nbsp} |The property allows for an external or internal location of Public Verification Key to be specified. The value may be a relative path or a URL. |`mp.jwt.verify.publickey.algorithm` |string |{nbsp} |The configuration property allows for specifying which Public Key Signature Algorithm is supported by the MP JWT endpoint. This property can be set to either `RS256` or `ES256`. Default value is `RS256`. Support for the other asymmetric signature algorithms such as `RS512`, `ES512` and others is optional. +|`mp.jwt.verify.issuer` |string |{nbsp} |Configuration key for expected issuer of incoming tokens. +|`mp.jwt.verify.audiences` |string |{nbsp} |Configuration key for expected audiences of incoming tokens. +|`mp.jwt.verify.token.age` |int |{nbsp} |Max number of seconds since token issue time. If this number of second accedes configured value, validation will fail. +|`mp.jwt.verify.clock.skew` |int |{nbsp} |Number of seconds for the clock skew during the token age verification and expiry. +|`mp.jwt.token.cookie` |string |{nbsp} |Cookie property name which is expected to contain a JWT token. +|`mp.jwt.token.header` |string |{nbsp} |Header name which is expected to contain a JWT token. +|`mp.jwt.decrypt.key.location` |string |{nbsp} |The property allows for an external or internal location of Private Decryption Key to be specified. The value may be a relative path or a URL. +|`mp.jwt.decrypt.key.algorithm` |string |{nbsp} |The configuration property allows for specifying which key management algorithm is supported by the MP JWT endpoint. 
Supported algorithms are either `RSA-OAEP` or `RSA-OAEP-256`. If no algorithm is set, both algorithms must be accepted. |=== -.Optional configuration options: +.Helidon configuration options: [cols="3,3,2,5a"] |=== 
@@ -55,13 +65,13 @@ an important distinction when more than one provider is used |`atn-token` |string |{nbsp} |A group for configuring authentication of the request |`atn-token.verify-signature`|boolean |`true` |Whether to verify signature in incoming JWT. If disabled, _ANY_ JWT will be accepted |`atn-token.jwt-audience`|string |{nbsp} |Expected audience of the JWT. If not defined, any audience is accepted (and we may accept JWT not inteded for us) -|`atn-token.jwk.resource.*`|string |{nbsp} |Configuration of the JWK to obtain key(s) to validate signatures of inbound token. The JWK should contain public keys. This may be: jwk.resource.path, jwk.resource.resource-path, jwk.resource.url, jwk.resource.content-plain (actual JSON string), jwk.resource.content (base64) +|`atn-token.jwk.resource`|xref:{rootdir}/config/io_helidon_common_configurable_Resource.adoc[Resource] |{nbsp} |Configuration of the JWK to obtain key(s) to validate signatures of inbound token. The JWK should contain public keys. |`atn-token.handler`|string |`Authorization` header with `bearer ` prefix |A handler configuration for inbound token - e.g. 
how to extract it |`atn-token.handler.header`|string |{nbsp} |Name of a header the token is expected in |`atn-token.handler.prefix`|string |{nbsp} |Prefix before the token value (optional) |`atn-token.handler.regexp`|string |{nbsp} |Regular expression to obtain the token, first matching group is used (optional) |`sign-token`|string |{nbsp} |A group for configuring outbound security -|`sign-token.jwk.resource.*` |{nbsp} |Configuration of the JWK to use when generating tokens (follows same rules as atn-token.jwk above), this JWK must contain private keys when using asymmetric ciphers +|`sign-token.jwk.resource`|xref:{rootdir}/config/io_helidon_common_configurable_Resource.adoc[Resource] |{nbsp} |Configuration of the JWK to use when generating tokens (follows same rules as atn-token.jwk above), this JWK must contain private keys when using asymmetric ciphers |`sign-token.jwt-issuer`|string |{nbsp} |When we issue a new token, this is the issuer to be placed into it (validated by target service) |`sign-token.outbound`|string |{nbsp} |A group for configuring outbound rules (based on transport, host and.or path) |`sign-token.outbound.*.name`|string |{nbsp} |A short descriptive name for configured target service(s)
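Review bot: In the first hunk (`@@ -18,9 +18,11 @@`), the unchanged context line `:basic-table-intro: The table below lists the configuration keys that configure io.helidon.microprofile.jwt.adoc` carries a stray `.adoc` suffix on the package name, which will render into the page text; since this hunk already touches the attribute block (adding `ifndef::rootdir[...]`, the `include::{rootdir}/includes/attributes.adoc[]` line and the corrected `:keywords:`), it is worth dropping the suffix so the intro reads `... that configure io.helidon.microprofile.jwt.`.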
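Review bot: In the second hunk (`@@ -36,12 +38,20 @@`), the added `mp.jwt.verify.token.age` row has a typo and a muddled sentence: `If this number of second accedes configured value, validation will fail.` should read something like `If the time since the token's issue time exceeds this value, validation fails.` Two further points on the same rows: the `mp.jwt.verify.audiences` description says "expected audiences" (plural) but the type column says `string`, so the row should state the format (for instance a comma-separated list, if that is what Helidon parses) so readers know how to supply more than one; and the `mp.jwt.verify.clock.skew` row says the skew applies to "token age verification and expiry" but not whether it also applies to not-before (`nbf`) checks, which the description should settle either way. The `.Helidon configuration options:` retitle and the whitespace fix on the `publickey.location` row look fine.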
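Review bot: In the third hunk (`@@ -55,13 +65,13 @@`), the new `atn-token.jwk.resource` and `sign-token.jwk.resource` rows now point at the shared `Resource` xref, which is an improvement (the old `sign-token.jwk.resource.*` line was also missing its type cell, so the table column count is now consistent), but the description of `atn-token.jwk.resource` should say what happens when neither this key nor `mp.jwt.verify.publickey`/`mp.jwt.verify.publickey.location` is configured, since both mechanisms now appear in the same document and the `atn-token.verify-signature` row states that disabling verification accepts any JWT. Likewise, with `mp.jwt.verify.audiences` and `mp.jwt.verify.issuer` added in the hunk above, the `atn-token.jwt-audience` and `sign-token.jwt-issuer` rows should state the precedence when both the MP property and the Helidon key are set. Two typos in the unchanged context are worth fixing while here: `inteded` in the `atn-token.jwt-audience` row, and `host and.or path` in the `sign-token.outbound` row (should be `and/or`).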