I would like to protect my REST API with MicroProfile JWT. My app runs on OpenLiberty 23.0.0.6 and I'm using the mpJWT-1.2 feature.
When I have a group claim in my token and I set a @RolesAllowed annotation on my API, token validation works as expected:
- if there is no token in the request, the request is rejected
- if the token is not valid, the request is rejected
- if the token does not contain the required group, the request is rejected
- otherwise, the request is accepted
So, everything seems correctly configured.
But I don't want to specify a role on my API because authorization is managed differently, and in the real world my token does not have any "group" claim nor one containing a role or similar.
I just want the application server to check (validate) the token for all exposed REST APIs.
I've tried to add the @LoginConfig annotation on my Application class as the documentation says:
Its intended usage is to mark a JAX-RS Application as requiring MicroProfile JWT RBAC as shown in the following sample
I was expecting that this would enable by default the verification of a JWT token on all endpoints. But if I do not set the @RolesAllowed annotation, nothing happens.
Is it possible to accomplish what I want, or is MicroProfile JWT really tied to the @RolesAllowed annotation and only triggered if this annotation is present? The specification does not seem very clear to me on this point.
Duplicate of Authenticate all OpenLiberty end-points through JWT
We came to the same conclusion: there is no way to achieve this only with MicroProfile JWT. The best way is to implement a filter to validate the token.
This answer is a good reference to do that : How to implement REST token-based authentication with JAX-RS and Jersey
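The filter approach the answer recommends, written out as an added example (this is not code from the question, the answer, or the linked reference): a JAX-RS ContainerRequestFilter that rejects every request to the application unless it carries a bearer token whose signature, expiry and issuer check out. It assumes the javax namespace (Jakarta EE 8, which is what the mpJwt-1.2 feature pairs with), jose4j on the classpath for the JWT parsing and verification, and the standard MicroProfile JWT config properties mp.jwt.verify.publickey (PEM-encoded RSA public key) and mp.jwt.verify.issuer being set; the property name "jwt.claims" used to hand the parsed claims to resources is a hypothetical choice.

```java
// Added example: a JAX-RS filter that validates a JWT on every request,
// independent of any @RolesAllowed annotation. Assumes javax (Jakarta EE 8),
// jose4j, and the MP JWT config properties named below.
import java.io.IOException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

@Provider
@Priority(Priorities.AUTHENTICATION) // run before authorization and resource code
public class JwtValidationFilter implements ContainerRequestFilter {

    // Hypothetical request-property name under which resources can read the claims.
    public static final String CLAIMS_PROPERTY = "jwt.claims";

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.publickey")
    String publicKeyPem;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.issuer")
    String expectedIssuer;

    private JwtConsumer consumer;

    @PostConstruct
    void init() {
        try {
            consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()              // reject tokens without "exp"
                .setAllowedClockSkewInSeconds(30)
                .setExpectedIssuer(expectedIssuer)       // reject tokens from other issuers
                .setSkipDefaultAudienceValidation()      // no "aud" requirement in this example
                .setVerificationKey(parseRsaPublicKey(publicKeyPem))
                .setJwsAlgorithmConstraints(             // pin the algorithm: no "none", no HMAC
                    AlgorithmConstraints.ConstraintType.PERMIT,
                    AlgorithmIdentifiers.RSA_USING_SHA256)
                .build();
        } catch (Exception e) {
            throw new IllegalStateException("cannot initialise JWT verifier", e);
        }
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            ctx.abortWith(unauthorized("missing bearer token"));
            return;
        }
        String token = header.substring(7).trim();
        try {
            // Signature, expiry, issuer and algorithm are all checked here.
            JwtClaims claims = consumer.processToClaims(token);
            ctx.setProperty(CLAIMS_PROPERTY, claims);
        } catch (InvalidJwtException e) {
            // Keep the response generic; the reason is only useful to an attacker.
            ctx.abortWith(unauthorized("invalid token"));
        }
    }

    private static Response unauthorized(String reason) {
        return Response.status(Response.Status.UNAUTHORIZED)
            .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\"")
            .entity(reason)
            .build();
    }

    // Parses a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block into an RSA PublicKey.
    static PublicKey parseRsaPublicKey(String pem) throws Exception {
        String base64 = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                           .replace("-----END PUBLIC KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
}
```

Because the class is annotated with @Provider (and is either picked up by scanning or listed in Application.getClasses()), it applies to every resource in the application, which is the "validate on all endpoints" behaviour asked for. Resources that need the caller's identity read the JwtClaims back from the request property rather than re-parsing the token; the algorithm pinning and the required expiry are the two settings most worth keeping when adapting this, since a verifier that accepts whatever "alg" the token names, or tokens that never expire, weakens the check considerably.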