tessl/maven-io-ktor--ktor-server-auth-jwt-jvm
JWT (JSON Web Token) authentication plugin for Ktor server applications
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-io-ktor--ktor-server-auth-jwt-jvm@3.2.00
# Ktor JWT Authentication
1
2
Ktor JWT Authentication provides JWT (JSON Web Token) authentication functionality for Ktor server applications. It offers a comprehensive authentication plugin that supports JWT token verification using various algorithms, integrates with JWK (JSON Web Key) providers for dynamic key resolution, and provides convenient access to JWT claims through a type-safe API.
3
4
## Package Information
5
6
- **Package Name**: ktor-server-auth-jwt-jvm
7
- **Package Type**: maven
8
- **Language**: Kotlin
9
- **Installation**: `implementation("io.ktor:ktor-server-auth-jwt-jvm:3.2.0")`
10
11
## Core Imports
12
13
```kotlin
14
import io.ktor.server.auth.jwt.*
15
import io.ktor.server.auth.*
16
import io.ktor.server.application.*
17
```
18
19
## Basic Usage
20
21
```kotlin
22
import io.ktor.server.application.*
23
import io.ktor.server.auth.*
24
import io.ktor.server.auth.jwt.*
25
import com.auth0.jwt.JWT
26
import com.auth0.jwt.algorithms.Algorithm
27
28
fun Application.configureSecurity() {
29
install(Authentication) {
30
jwt("auth-jwt") {
31
realm = "ktor sample app"
32
verifier(
33
JWT
34
.require(Algorithm.HMAC256("secret"))
35
.withAudience("jwt-audience")
36
.withIssuer("jwt-issuer")
37
.build()
38
)
39
validate { credential ->
40
if (credential.payload.audience.contains("jwt-audience")) {
41
JWTPrincipal(credential.payload)
42
} else {
43
null
44
}
45
}
46
}
47
}
48
}
49
```
50
51
## Architecture
52
53
The JWT authentication plugin integrates with Ktor's authentication pipeline through several key components:
54
55
- **Authentication Provider**: `JWTAuthenticationProvider` handles the authentication flow
56
- **Payload Holders**: `JWTCredential` and `JWTPrincipal` provide type-safe access to JWT claims
57
- **Configuration DSL**: Fluent configuration through the `jwt` function and `Config` class
58
- **Token Verification**: Supports multiple verification methods including JWK providers and static keys
59
- **Challenge Handling**: Customizable challenge responses for authentication failures
60
61
## Capabilities
62
63
### JWT Authentication Configuration
64
65
Configure JWT authentication with verifiers, validation, and challenge handling.
66
67
```kotlin { .api }
68
/**
69
* Installs the JWT Authentication provider
70
*/
71
fun AuthenticationConfig.jwt(
72
name: String? = null,
73
configure: JWTAuthenticationProvider.Config.() -> Unit
74
)
75
```
76
77
### JWT Payload Access
78
79
Base class providing convenient access to standard JWT claims and custom claims.
80
81
```kotlin { .api }
82
/**
83
* Base class for JWT credential and principal with shortcut functions for standard JWT claims
84
*/
85
abstract class JWTPayloadHolder(
86
val payload: Payload
87
) {
88
/** Gets the 'iss' (issuer) claim */
89
val issuer: String?
90
91
/** Gets the 'sub' (subject) claim */
92
val subject: String?
93
94
/** Gets the 'aud' (audience) claim as a list */
95
val audience: List<String>
96
97
/** Gets the 'exp' (expiration time) claim */
98
val expiresAt: Date?
99
100
/** Gets the 'nbf' (not before time) claim */
101
val notBefore: Date?
102
103
/** Gets the 'iat' (issued at) claim */
104
val issuedAt: Date?
105
106
/** Gets the 'jti' (JWT ID) claim */
107
val jwtId: String?
108
109
/**
110
* Gets a non-RFC JWT claim by name as a string
111
* @param name claim key as it appears in the JSON object
112
* @return claim value or null if not available or not a string
113
*/
114
operator fun get(name: String): String?
115
116
/**
117
* Gets a non-RFC JWT claim by name as the specified type
118
* @param name claim key as it appears in the JSON object
119
* @param clazz Kotlin class to deserialize the claim to
120
* @return claim value or null if not available or unable to deserialize
121
*/
122
fun <T : Any> getClaim(name: String, clazz: KClass<T>): T?
123
124
/**
125
* Gets a non-RFC JWT claim by name as a list of the specified type
126
* @param name claim key as it appears in the JSON object
127
* @param clazz Kotlin class for list elements
128
* @return claim value as list or empty list if not available or unable to deserialize
129
*/
130
fun <T : Any> getListClaim(name: String, clazz: KClass<T>): List<T>
131
}
132
```
133
134
### JWT Credential and Principal
135
136
Classes representing JWT credentials and authenticated principals.
137
138
```kotlin { .api }
139
/**
140
* JWT credential that consists of the specified payload
141
* @param payload JWT payload
142
*/
143
class JWTCredential(payload: Payload) : JWTPayloadHolder(payload)
144
145
/**
146
* JWT principal that consists of the specified payload
147
* @param payload JWT payload
148
*/
149
class JWTPrincipal(payload: Payload) : JWTPayloadHolder(payload)
150
```
151
152
### JWT Authentication Provider Configuration
153
154
Configuration options for JWT authentication including verifiers, validation, and challenge handling.
155
156
```kotlin { .api }
157
class JWTAuthenticationProvider.Config {
158
/** JWT realm to be passed in WWW-Authenticate header */
159
var realm: String
160
161
/**
162
* Configure how to retrieve HTTP authentication header
163
* @param block function that extracts auth header from ApplicationCall
164
*/
165
fun authHeader(block: (ApplicationCall) -> HttpAuthHeader?)
166
167
/**
168
* Configure authentication schemes
169
* @param defaultScheme default scheme used to challenge the client
170
* @param additionalSchemes additional schemes accepted during validation
171
*/
172
fun authSchemes(defaultScheme: String = "Bearer", vararg additionalSchemes: String)
173
174
/**
175
* Set JWT verifier instance
176
* @param verifier verifies token format and signature
177
*/
178
fun verifier(verifier: JWTVerifier)
179
180
/**
181
* Set JWT verifier function
182
* @param verifier function that returns verifier based on auth header
183
*/
184
fun verifier(verifier: (HttpAuthHeader) -> JWTVerifier?)
185
186
/**
187
* Set verifier with JWK provider and issuer
188
* @param jwkProvider provides the JSON Web Key
189
* @param issuer the issuer of the JSON Web Token
190
* @param configure function applied during JWTVerifier construction
191
*/
192
fun verifier(jwkProvider: JwkProvider, issuer: String, configure: JWTConfigureFunction = {})
193
194
/**
195
* Set verifier with JWK provider only
196
* @param jwkProvider provides the JSON Web Key
197
* @param configure function applied during JWTVerifier construction
198
*/
199
fun verifier(jwkProvider: JwkProvider, configure: JWTConfigureFunction = {})
200
201
/**
202
* Set verifier with issuer, audience and algorithm
203
* @param issuer of the JSON Web Token
204
* @param audience restriction
205
* @param algorithm for validation of token signatures
206
* @param block additional verification configuration
207
*/
208
fun verifier(
209
issuer: String,
210
audience: String,
211
algorithm: Algorithm,
212
block: Verification.() -> Unit = {}
213
)
214
215
/**
216
* Set verifier with issuer (creates JWK provider automatically)
217
* @param issuer the issuer of JSON Web Token
218
* @param block configuration of JwkProvider
219
*/
220
fun verifier(issuer: String, block: JWTConfigureFunction = {})
221
222
/**
223
* Set validation function for additional JWT payload validation
224
* @param validate function that validates JWT credential and returns principal or null
225
*/
226
fun validate(validate: suspend ApplicationCall.(JWTCredential) -> Any?)
227
228
/**
229
* Set challenge function for authentication failures
230
* @param block function that handles authentication challenges
231
*/
232
fun challenge(block: JWTAuthChallengeFunction)
233
}
234
```
235
236
### Challenge Context and Functions
237
238
Context and function types for handling authentication challenges.
239
240
```kotlin { .api }
241
/**
242
* Context for JWT authentication challenge
243
* @param call the current application call
244
*/
245
class JWTChallengeContext(
246
val call: ApplicationCall
247
)
248
249
/**
250
* Function type for JWT authentication challenge
251
*/
252
typealias JWTAuthChallengeFunction =
253
suspend JWTChallengeContext.(defaultScheme: String, realm: String) -> Unit
254
255
/**
256
* Function type for JWT verifier configuration
257
*/
258
typealias JWTConfigureFunction = Verification.() -> Unit
259
```
260
261
## Types
262
263
### External Dependencies
264
265
The JWT authentication plugin relies on these external types from the auth0 library:
266
267
```kotlin { .api }
268
// From com.auth0.jwt.interfaces
269
interface Payload {
270
val issuer: String?
271
val subject: String?
272
val audience: List<String>?
273
val expiresAt: Date?
274
val notBefore: Date?
275
val issuedAt: Date?
276
val id: String?
277
fun getClaim(name: String): Claim
278
}
279
280
interface JWTVerifier {
281
fun verify(token: String): DecodedJWT
282
}
283
284
// From com.auth0.jwt.algorithms
285
class Algorithm
286
287
// From com.auth0.jwt
288
class Verification {
289
fun build(): JWTVerifier
290
}
291
292
// From com.auth0.jwk
293
interface JwkProvider {
294
fun get(keyId: String): Jwk
295
}
296
```
297
298
### Ktor Core Types
299
300
```kotlin { .api }
301
// From io.ktor.server.application
302
interface ApplicationCall
303
304
// From io.ktor.http.auth
305
sealed class HttpAuthHeader {
306
class Single(val authScheme: String, val blob: String) : HttpAuthHeader()
307
class Parameterized(val authScheme: String, val parameters: List<HeaderValueParam>) : HttpAuthHeader()
308
}
309
310
// From io.ktor.server.auth
311
interface AuthenticationContext
312
class AuthenticationProvider
313
class AuthenticationProvider.Config
314
interface AuthenticationConfig
315
```