How can I use the signature configuration from the JWT subsystem in wildfly to generate tokens in application code deployed in the same server

[viktarbelski]

Assume we build a jwt token and want to use signature encription defined in standalone.xml

<subsystem xmlns="urn:soulwing.org:jwt:1.0">
...
<secret-key name="yourbunnywrote" id="1863" type="AES" length="256" provider="FILE">
<properties>
<property name="path" value="${jboss.server.config.dir}/signature-secret-key"/>
</properties>
</secret-key>
...
<signature name="figvam" algorithm="HS256" secret-keys="yourbunnywrote"/>
<validator name="default" issuer="iss" issuer-url="https://iss" audience="test-service" expiration-tolerance="90" signature="figvam"/>
</subsystem>

How can I get a signature config from server configuration and use it when I build a signature like below

final JWTProvider provider = JWTProviderLocator.getProvider();
	    final Instant now = Instant.now();
	    final Instant expires = now.plus(60, ChronoUnit.MINUTES);
	    final Claims claims = provider.claims()
	        .id("0")
	        .issuer("iss")
	        .issuedAt(now)
	        .expiresAt(expires)
	        .subject(user.getName())
	        .audience("test-service")
	        .set("uid", user.getId())
	        .set("eml", user.getEmail())
	        .build();

	    String token = JsonObject.EMPTY_JSON_OBJECT.toString();
		try {
			token = provider.generator()
			    .signature(provider.signatureOperator()
			        .algorithm(ALG_FROM_CONFIG)
			        .keyProvider(SECRET_KEY_FROM_CONFIG)
			        .build())
			    .build()
			    .generate(claims);
		} catch (Exception e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}

I mean is there a convenient way to get SECRET_KEY_FROM_CONFIG and ALG_FROM_CONFIG in code?

[ceharris]

Confirming that I understand your question:
How can I use the signature configuration from the JWT subsystem in wildfly to generate tokens in application code deployed in the same server?

[viktarbelski]

@ceharris correct

[ceharris]

The JWT extension is generally used in an application setting where you want the Java EE container (Wildfly) to do JWT validation. Consequently, it doesn't provide much help here for generating tokens, since this is usually done in a separate OAuth2 authorization server.

It is possible to get the Wildfly subsystem configuration into a deployed application. One could put the right Wildfly management modules onto the application class loader (e.g. using jboss-deployment-descriptor.xml) and then use Wildfly API to get a reference to the subsystem instance in the management module and access its state. It's probably not all that convenient, but it is doable.

Alternatively, the application could use the same s2ks module that the JWT subsystem uses to load the key material, and with some judicious use of environment variables you could avoid having to repeat the configuration details in both the subsystem configuration and in the application.

[viktarbelski]

Got you. And thanks for explanation.

[ceharris]

Another approach, rather than using symmetric keys would be to use an RSA key pair. The Wildfly subsystem then only needs the public key part to validate, and your application could have access to the private key. Then the only shared part of the configuration is the name of the algorithm, issuer name, etc.