Library for jwt authentication with akka

This library provides you an akka directive for your route to authenticate your user with jwt. the jwt implementation adapts nimbus JOSE + JWT.

• Initial Release

libraryDependencies += "de.innFactory" %% "akka-jwt" % "1.2.0"

After that you must extend your akka-http Route with JwtAuthDirectives. Then just implement a AuthService protected val authService: AuthService

After that you can build your route like this:

val route: Route =
    (post & path("graphql")) {
      authenticate { credentials =>
        entity(as[JsValue]) { requestJson ⇒

you see, that you got a new authenticate directive for your route. It extracts the Authentication value from your header and checks it against your jwt validator.

The Validator API has just one method validate, so you can implement your own Validators and use it for your akka Directive. AWS and the generic one were made by guizmaii. Thanks for that!

final case class JwtToken(content: String) extends AnyVal

trait JwtValidator {
  def validate(jwtToken: JwtToken): Either[BadJWTException, (JwtToken, JWTClaimsSet)]
}

The more flexible implementation of the JwtValidator interface.

It only requires a JWKSource instance.
For more information on the different JWKSource implementations Nimbus provides, look at the classes in the com.nimbusds.jose.jwk.source package here: https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt

Example of use:

val token: JwtToken = JwtToken(content = "...")

val jwkSet: JWKSource[SecurityContext] = new RemoteJWKSet(new URL(s"https://your.jwks.prodvider.example.com/.well-known/jwks.json"))
val validator =  ConfigurableJwtValidator(jwkSet)

For more information on JWKs, you could read:

• Auth0 doc: https://auth0.com/docs/jwks
• Nimbus doc: https://connect2id.com/products/server/docs/api/jwk-set
• AWS Cognito doc: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api

Other constructor parameters are:

• maybeCtx: Option[SecurityContext] = None
  (Optional) Security context.
  Default is null (no Security Context).

• additionalChecks: List[(JWTClaimsSet, SecurityContext) => Option[BadJWTException]] = List.empty
  (Optional) List of additional checks that will be executed on the JWT token passed.
  Default is an empty List.

  Some "additional checks" are already implemented in the object ProvidedAdditionalChelcks.

Example of use:

val awsRegion = AWSRegion(AWSRegions.Frankfurt)
val cognitoUserPoolId = CognitoUserPoolId(value = "...")

val awsCognitoJwtValidator = AwsCognitoJwtValidator(awsRegion, cognitoUserPoolId)

Need a token generator for aws? Look at

https://innfactory.de/de/blog/34-software-engineering/52-javascript-desktop-app-electron https://github.com/innFactory/aws-session-token-gui

• Tobias Jonas
• Jules Ivanic

Copyright (C) 2019 innFactory Cloud- & DataEngineering

Published under the Apache 2 License.