Class Jwt


public class Jwt extends ObjectWithJsonToString
Expectation criteria for matching a JSON Web Token (JWT) carried in a request header.

The token is read from the header named by header (default authorization), the scheme prefix (default Bearer) is stripped, and the token's header.payload segments are decoded with base64url + JSON. No signature verification is performed — this is request matching for test routing, not authentication. Control-plane JWT authentication (the authentication/ stack) is a separate concern and is unaffected by this matcher.

A request is matched when every configured criterion matches the decoded token:

  • claims — each entry asserts the value of a claim in the JWT payload. The value is a NottableString so exact, regex and ! negation forms are all supported (e.g. {"sub":"user-1","scope":".*admin.*"}). A positive criterion whose claim is absent from the token never matches; a negated criterion (e.g. !admin) against an absent claim matches vacuously — there is no value to contradict it. The same holds for the issuer, audience and algorithm convenience criteria.
  • issuer — convenience criterion for the iss claim.
  • audience — convenience criterion for the aud claim (which may be a single string or an array; a match against any array element is a match).
  • algorithm — convenience criterion for the JOSE header alg field.
A malformed or absent token never matches a non-blank Jwt criterion (and never surfaces an exception to the caller).
Author:
jamesdbloom