Skip to content

jwt

Jump to bottom Edit New page
makr-code edited this page Dec 21, 2025 · 1 revision

JWT / Auth Middleware

Stand: 5. Dezember 2025
Version: 1.0.0
Kategorie: Auth

This document gives a short guide how the JWT validator and AuthMiddleware work in Themis, an example JWKS file, and how to test the middleware with curl/PowerShell.

Overview

  • auth::JWTValidator verifies RS256-signed JWTs against a JWKS endpoint or an injected JWKS. It validates signature (kid -> JWK), and standard claims: exp, nbf, iss, aud.
  • AuthMiddleware uses JWTValidator to guard HTTP endpoints and expose the parsed claims to downstream handlers.

Example JWKS

A minimal JWKS (file: docs/auth/jwks_example.json) looks like:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "example-key-1",
      "use": "sig",
      "alg": "RS256",
      "n": "...base64url modulus...",
      "e": "AQAB"
    }
  ]
}

Replace n with the base64url-encoded RSA modulus of your public key. e is usually AQAB.

Configuration snippet (C++)

JWT config is provided using JWTValidatorConfig (see include/auth/jwt_validator.h). Example:

  • jwks_url (string): remote JWKS endpoint (optional during tests where JWKS are injected)
  • expected_issuer (string)
  • expected_audience (string)
  • jwks_cache_ttl (seconds)
  • clock_skew (seconds)

Example initializer:

JWTValidatorConfig cfg;
cfg.jwks_url = "https://pki.example.com/.well-known/jwks.json";
cfg.expected_issuer = "https://auth.example.com";
cfg.expected_audience = "themis-api";
cfg.jwks_cache_ttl = std::chrono::seconds(300);
cfg.clock_skew = std::chrono::seconds(60);
JWTValidator validator(cfg);

Testing locally

  1. Unit tests
  • The repo contains tests/test_jwt_validator.cpp with unit tests that generate RSA keys on the fly and inject JWKS via setJWKSForTesting(...).
  • Build and run only JWT tests:
cmake --build C:\VCC\themis\build --config Release --target themis_tests
C:\VCC\themis\build\Release\themis_tests.exe --gtest_filter=JWTValidatorTest.*
  1. Manual curl test (using a pre-generated JWT and JWKS hosted at http://localhost:8000/jwks):
  • Start an HTTP server to serve docs/auth/jwks_example.json (for example python -m http.server 8000 in that directory).
  • Request to protected endpoint (example):
curl -H "Authorization: Bearer <JWT>" http://localhost:8080/api/protected

If the token is valid, the middleware forwards the request; otherwise it returns 401.

Common gotchas

  • The JWKS must include the correct kid that matches the JWT header.
  • Use base64url (no padding) for n and e fields.
  • exp/nbf are validated with a configurable clock skew (default 60s in tests).

Next steps / TODO

  • Add examples for JWKS rotation and multiple kid entries.
  • Add an integration test that runs a small local server and verifies middleware with a real HTTP request.

ThemisDB v1.3.4 | GitHub | Documentation | Discussions | License

Last synced: January 02, 2026 | Commit: 6add659

ThemisDB Dokumentation

Version: 1.3.0 | Stand: Dezember 2025

📋 Schnellstart

🏗️ Architektur

🗄️ Basismodell

💾 Storage & MVCC

📇 Indexe & Statistiken

🔍 Query & AQL

💰 Caching

📦 Content Pipeline

🔎 Suche

⚡ Performance & Benchmarks

🏢 Enterprise Features

✅ Qualitätssicherung

🧮 Vektor & GNN

🌍 Geo Features

🛡️ Sicherheit & Governance

Authentication

Schlüsselverwaltung

Verschlüsselung

TLS & Certificates

PKI & Signatures

PII Detection

Vault & HSM

Audit & Compliance

Security Audits

Gap Analysis

🚀 Deployment & Betrieb

Docker

Observability

Change Data Capture

Operations

💻 Entwicklung

API Implementations

Changefeed

Security Development

Development Overviews

📄 Publikation & Ablage

🔧 Admin-Tools

🔌 APIs

📚 Client SDKs

📊 Implementierungs-Zusammenfassungen

📅 Planung & Reports

📖 Dokumentation

📝 Release Notes

📖 Styleguide & Glossar

🗺️ Roadmap & Changelog

💾 Source Code Documentation

Main Programs

Source Code Module

🗄️ Archive

🤝 Community & Support

Vollständige Dokumentation: https://makr-code.github.io/ThemisDB/

Clone this wiki locally