A comprehensive JWT authentication and authorization library for the Structures framework.
The Structures Auth library provides JWT token management, OIDC integration, and authorization services for Spring Boot applications. It follows the standard Structures library conventions and integrates seamlessly with the broader Structures ecosystem.
- JWT Token Management: Create, validate, and parse JWT tokens
- OIDC Integration: OpenID Connect authentication support
- Authorization Services: Role-based access control and permission management
- Spring Boot Auto-Configuration: Automatic configuration for Spring Boot applications
- Security Best Practices: Secure token handling and validation
- JJWT: JWT token creation and validation
- Jackson: JSON processing for token claims
- Continuum Core: Framework integration
- Spring Boot: Auto-configuration and dependency injection
implementation project(':structures-auth')The library automatically configures OIDC security when the oidc-security-service.enabled property is set to true. No additional annotations are required.
@SpringBootApplication
public class MyApplication {
public static void main(String[] args) {
SpringApplication.run(MyApplication.class, args);
}
}oidc-security-service:
enabled: true
debug: false
tenant-id-field-name: "tenantId"
frontend-configuration-path: "/app-config.override.json"
oidc-providers:
- provider: "keycloak"
display-name: "Keycloak"
enabled: true
client-id: "structures-client"
authority: "http://localhost:8888/auth/realms/test"
redirect-uri: "http://localhost:5173/login"
post-logout-redirect-uri: "http://localhost:5173"
silent-redirect-uri: "http://localhost:5173/login/silent-renew"
domains:
- "example.com"
audience: "structures-client"
roles-claim-path: "realm_access.roles"
additional-scopes: "groups"@Service
public class MyService {
@Autowired
private SecurityService securityService;
public void processRequest(HttpServletRequest request) {
// OIDC token validation is automatic
String userId = securityService.getCurrentUserId();
Set<String> roles = securityService.getCurrentUserRoles();
if (roles.contains("admin")) {
// Perform admin operations
}
}
}The library provides sensible defaults but can be customized through Spring Boot configuration properties:
oidc-security-service:
enabled: true
debug: false
tenant-id-field-name: "tenantId"
frontend-configuration-path: "/app-config.override.json"
oidc-providers:
- provider: "keycloak"
display-name: "Keycloak"
enabled: true
client-id: "structures-client"
authority: "http://localhost:8888/auth/realms/test"
redirect-uri: "http://localhost:5173/login"
post-logout-redirect-uri: "http://localhost:5173"
silent-redirect-uri: "http://localhost:5173/login/silent-renew"
domains:
- "example.com"
audience: "structures-client"
roles-claim-path: "realm_access.roles"
additional-scopes: "groups"
- provider: "okta"
display-name: "Okta"
enabled: true
client-id: "your-okta-client-id"
authority: "https://your-okta-domain.okta.com/oauth2/default"
redirect-uri: "http://localhost:5173/login"
post-logout-redirect-uri: "http://localhost:5173"
silent-redirect-uri: "http://localhost:5173/login/silent-renew"
domains:
- "yourcompany.com"
audience: "your-okta-client-id"
roles-claim-path: "roles"
additional-scopes: "groups"getCurrentUserId(): Gets the current authenticated user IDgetCurrentUserRoles(): Gets all roles for the current userhasRole(String role): Checks if the current user has a specific rolehasAnyRole(Set<String> roles): Checks if the current user has any of the specified rolesisAuthenticated(): Checks if the current user is authenticatedgetCurrentUserClaims(): Gets all claims for the current user
- Automatic JWT Validation: JWT tokens are automatically validated on each request
- Multi-Provider Support: Support for multiple OIDC providers simultaneously
- JWKS Caching: Efficient JSON Web Key Set caching for performance
- Role Extraction: Automatic role extraction from JWT claims
| Property | Type | Default | Description |
|---|---|---|---|
enabled |
boolean | false |
Master switch for OIDC security service |
debug |
boolean | false |
Enable debug logging and UI debugging |
tenant-id-field-name |
string | "tenantId" |
JWT claim field name for tenant ID |
frontend-configuration-path |
string | "/app-config.override.json" |
Path for frontend configuration overrides |
oidc-providers |
array | [] |
List of OIDC provider configurations |
| Property | Type | Required | Description |
|---|---|---|---|
provider |
string | Yes | Unique identifier for the provider |
display-name |
string | Yes | Human-readable provider name |
enabled |
boolean | Yes | Enable/disable this specific provider |
client-id |
string | Yes | OAuth client ID from the provider |
authority |
string | Yes | OIDC issuer authority URL |
redirect-uri |
string | Yes | OAuth redirect URI after authentication |
post-logout-redirect-uri |
string | Yes | Redirect URI after logout |
silent-redirect-uri |
string | Yes | URI for silent token renewal |
domains |
array | Yes | Email domains this provider handles |
audience |
string | Yes | Expected audience claim in JWT tokens |
roles-claim-path |
string | No | JSON path to roles claim in JWT |
additional-scopes |
string | No | Additional OAuth scopes to request |
roles |
array | No | Default roles for this provider |
metadata |
object | No | Additional provider metadata |
- JWT Validation: All JWT tokens are automatically validated for signature, expiration, and claims
- Issuer Verification: Only tokens from configured, trusted issuers are accepted
- Audience Validation: Tokens must have valid audience claims for your application
- Role-Based Access: Implement role-based access control using extracted JWT claims
- HTTPS Required: Always use HTTPS in production for secure token transmission
- Token Storage: Store tokens securely in memory, never in localStorage or cookies
- Regular Updates: Keep OIDC provider configurations and JWKS endpoints up to date
The library includes comprehensive tests:
./gradlew :structures-auth:test- Follow the existing code conventions
- Add tests for new functionality
- Update documentation as needed
- Ensure security best practices are followed
- Test with multiple OIDC providers
- Validate JWT token handling thoroughly
- Automatically extracts JWT tokens from
Authorization: Bearer <token>headers - Supports both access tokens and ID tokens
- Validates JWT signature using JWKS from the issuer
- Verifies issuer against configured OIDC providers
- Checks audience claims against provider configuration
- Validates token expiration
- Creates
Participantobjects from JWT claims - Extracts user information (email, name, roles)
- Maps email domains to appropriate OIDC providers
- Applies role-based access control
- Serves configuration overrides at
/app-config.override.json - Enables dynamic frontend configuration without rebuilds
- Supports runtime provider enable/disable
oidc-security-service:
enabled: true
oidc-providers:
- provider: "keycloak"
display-name: "Keycloak"
enabled: true
client-id: "structures-client"
authority: "http://localhost:8888/auth/realms/test"
redirect-uri: "http://localhost:5173/login"
post-logout-redirect-uri: "http://localhost:5173"
silent-redirect-uri: "http://localhost:5173/login/silent-renew"
domains:
- "example.com"
audience: "structures-client"
roles-claim-path: "realm_access.roles"oidc-security-service:
enabled: true
oidc-providers:
- provider: "okta"
display-name: "Okta"
enabled: true
client-id: "0oaowrlsm5Ua1vWD85d7"
authority: "https://dev-39125344.okta.com/oauth2/default"
redirect-uri: "http://localhost:5173/login"
post-logout-redirect-uri: "http://localhost:5173"
silent-redirect-uri: "http://localhost:5173/login/silent-renew"
domains:
- "yourcompany.com"
audience: "0oaowrlsm5Ua1vWD85d7"
roles-claim-path: "roles"For detailed OIDC configuration and troubleshooting, see:
- OIDC Implementation Guide
- Provider-Specific Guides - Okta, Microsoft, Keycloak, and more
- Frontend Configuration
This library is part of the Structures framework and follows the same licensing terms.