26.0.0.4 post#4793
Merged
Merged
Conversation
navaneethsnair1
requested review from
Arunkumar-Kallyodan,
idlewis,
jimmy1wu,
nidhin-cp and
tloodu
jimmy1wu
reviewed
Apr 17, 2026
tloodu
reviewed
Apr 17, 2026
| [#jwt] | ||
| == Support selecting JWT signature and decryption algorithms from JOSE header | ||
|
|
||
| JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token. |
Member
There was a problem hiding this comment.
Suggested change
| JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token. | |
| JSON Web Tokens (JWTs) can be signed using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token. |
Member
There was a problem hiding this comment.
This support allows different signature algorithms to be used based on the token.
->
This support allows different signature algorithms to be used based on the token header.
Contributor
Author
There was a problem hiding this comment.
JSON Web Tokens (JWTs) can be signed using various cryptographic signature algorithms.
Hi @tloodu As per Acrolinx, it was marked 'ambiguous'. So they suggested this replacement of 'by using'
|
|
||
| When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed key is found, the client falls back to using the key specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured. | ||
|
|
||
| See the following `server.xml` file example: |
Member
There was a problem hiding this comment.
Suggested change
| See the following `server.xml` file example: | |
| See the following `server.xml` file configurations for examples on how to apply these settings to the supported elements: |
|
|
||
| If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, ES512`. | ||
|
|
||
| When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed key is found, the client falls back to using the key specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured. |
Member
There was a problem hiding this comment.
Suggested change
| When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed key is found, the client falls back to using the key specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured. | |
| When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured. |
Member
There was a problem hiding this comment.
trustedAlias -> trustedAlias
"or trustAliasName attribute" -> "or the trustAliasName attribute"
mpjwt -> mpJwt
jimmy1wu
reviewed
Apr 17, 2026
jimmy1wu
reviewed
Apr 17, 2026
jimmy1wu
reviewed
Apr 17, 2026
jimmy1wu
reviewed
Apr 17, 2026
jimmy1wu
reviewed
Apr 17, 2026
|
|
||
| If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, ES512`. | ||
|
|
||
| When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed key is found, the client falls back to using the key specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured. |
Member
There was a problem hiding this comment.
trustedAlias -> trustedAlias
"or trustAliasName attribute" -> "or the trustAliasName attribute"
mpjwt -> mpJwt
Arunkumar-Kallyodan
previously approved these changes
Apr 20, 2026
idlewis
reviewed
Apr 20, 2026
|
|
||
| For more information, see | ||
| link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileService[] | ||
| link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileTransfer__title__1[] |
Member
There was a problem hiding this comment.
These two links are broken.
I think the double underscores are confusing ascii doc
Is there a way to protect the URL?
idlewis
reviewed
Apr 20, 2026
|
|
||
| If FileTransfer access to `${server.output.dir}/resources/security` is required, the original behavior can be restored by setting an empty blocklist. | ||
|
|
||
| For more information, see |
Member
There was a problem hiding this comment.
Suggested change
| For more information, see | |
| For more information, see | |
| * https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileService[] | |
| * https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileTransfer[] | |
| * https://www.ibm.com/docs/en/was-liberty/nd?topic=manually-file-transfer[] |
Contributor
Author
There was a problem hiding this comment.
@idlewis please provide an anchor text for every links. I had mentioned it in the issue also
Member
There was a problem hiding this comment.
I'm not sure that it would be helpful to have anchor text in this case. The links are to a part of a docs page which doesn't have a useful title, so it is difficult to know what the link text would be. I can come up with something if necessary, but I'd prefer to leave them as is
Contributor
Author
There was a problem hiding this comment.
Hi @idlewis , it is always recommended to have title. So if you can, please help me with that. Thank you!
navaneethsnair1
dismissed stale reviews from nidhin-cp and Arunkumar-Kallyodan
via
e4d0caf
idlewis
approved these changes
Apr 20, 2026
jimmy1wu
approved these changes
Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.