Tutorials: JWT authentication #3021

Merged: rrayst merged 5 commits into master from jwt-tutorials, Jun 28, 2026
predic8 (Member) commented Jun 28, 2026

Summary by CodeRabbit

  • New Features
    • Added a JWT authentication tutorial with step-by-step instructions for requesting tokens, inspecting JWT claims, and accessing a protected API using Bearer authorization.
    • Added an offline demo setup that issues and validates signed JWTs for a protected resource.
  • Tests
    • Added automated coverage for the token issuance and protected-resource access flow, including success and failure cases and claim verification.
  • Documentation
    • Added tutorial pages, README entries, and navigation linking the requesting and issuing/validating steps.
  • Chores
    • Added demo JWK material (private/public keys) used by the tutorial examples.

coderabbitai Bot (Contributor) commented Jun 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee75113b-0f42-4010-81d9-9a58b29b0dfd

📥 Commits

Reviewing files that changed from the base of the PR and between 4f4bbf1 and 1daab54.

📒 Files selected for processing (1)
  • distribution/tutorials/README.md
✅ Files skipped from review due to trivial changes (1)
  • distribution/tutorials/README.md

📝 Walkthrough

Adds a JWT security tutorial with token issuance, JWT validation, signing and public keys, tutorial documentation, and integration tests for the token and resource flow.

Changes

JWT Security Tutorial

| Layer / File(s) | Summary |
|---|---|
| **Membrane YAML config and RSA JWK**: `distribution/tutorials/security/jwk.json`, `distribution/tutorials/security/50-Issuing-and-Validating-JWTs.yaml`, `distribution/tutorials/security/jwk-public.json` | Defines /token and /resource on port 2000, signs JWTs from Basic-auth credentials, validates bearer JWTs against the public key and audience, and adds the signing and validation JWK files. |
| **Abstract base and integration test**: `distribution/src/test/java/com/predic8/membrane/tutorials/security/jwt/AbstractSecurityJwtTutorialTest.java`, `distribution/src/test/java/com/predic8/membrane/tutorials/security/jwt/IssuingAndValidatingJwtsTutorialTest.java` | AbstractSecurityJwtTutorialTest sets the tutorial directory to "security". IssuingAndValidatingJwtsTutorialTest checks 401, 400, and 200 responses across token issuance and protected resource access. |
| **Tutorial documentation**: `distribution/tutorials/README.md`, `distribution/tutorials/security/README.md`, `distribution/tutorials/security/40-Requesting-a-JWT.md` | Adds the Security section to the tutorials index, a JWT tutorial README, and a step-by-step JWT walkthrough with curl examples. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • christiangoerdes
  • rrayst

Poem

🐇 I hopped to /token with a secret in tow,
Then carried a JWT where the bright carrots grow.
/resource took my Bearer and let Alice through,
With scopes and exp claims all tidy and true.
RSA keys sparkled; the gateway said “yay!”
This little hop’s secure in a very grand way.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title is concise and accurately reflects the main change: adding JWT authentication tutorials and related test assets. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@distribution/tutorials/security/jwt/20-Issuing-and-Validating-JWTs.yaml`:
- Around line 68-72: The jwtAuth configuration is pointing at the same JWK file
used for signing, which exposes private RSA parameters to the resource verifier.
Update the tutorial wiring so the /token path uses the private JWK while the
jwtAuth section references a separate public-only key set, and add or reference
a public JWK/JWKS containing only the public members for the jwtAuth setup.

In `@distribution/tutorials/security/jwt/membrane.cmd`:
- Around line 1-24: The membrane.cmd batch launcher needs Windows CRLF line
endings because LF-only endings can break cmd.exe parsing and the goto/call
flow. Save the script with CRLF throughout, keeping the existing search_up,
found, and notfound logic unchanged. Ensure the file is normalized as a Windows
batch file so run-membrane.cmd is invoked correctly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8032800f-eb4a-405b-8dde-3a89a0becd24

📥 Commits

Reviewing files that changed from the base of the PR and between d7e3dfa and cc7b47f.

📒 Files selected for processing (9)
  • distribution/src/test/java/com/predic8/membrane/tutorials/security/jwt/AbstractSecurityJwtTutorialTest.java
  • distribution/src/test/java/com/predic8/membrane/tutorials/security/jwt/IssuingAndValidatingJwtsTutorialTest.java
  • distribution/tutorials/README.md
  • distribution/tutorials/security/jwt/10-Requesting-a-JWT.md
  • distribution/tutorials/security/jwt/20-Issuing-and-Validating-JWTs.yaml
  • distribution/tutorials/security/jwt/README.md
  • distribution/tutorials/security/jwt/jwk.json
  • distribution/tutorials/security/jwt/membrane.cmd
  • distribution/tutorials/security/jwt/membrane.sh

Comment thread distribution/tutorials/security/50-Issuing-and-Validating-JWTs.yaml Outdated
Comment thread distribution/tutorials/security/jwt/membrane.cmd
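
The key separation requested in the first inline comment above (private JWK for signing on /token, a public-only key set for jwtAuth) can be checked mechanically before a verifier key file is committed. The following is an added example, not code from this PR or from Membrane; the function names and the sample key are constructed for illustration, and the private member names are those defined in RFC 7518 and RFC 8037.

```python
import json

# Private (secret) JWK members per key type (RFC 7518 section 6, RFC 8037).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}


def iter_keys(doc):
    """Yield each key from a single JWK or from a JWKS ({"keys": [...]})."""
    if isinstance(doc.get("keys"), list):
        yield from doc["keys"]
    else:
        yield doc


def private_members(doc):
    """Return (kid, member) pairs for every private member present."""
    found = []
    for jwk in iter_keys(doc):
        secret = PRIVATE_MEMBERS.get(jwk.get("kty"), set())
        kid = jwk.get("kid", "<no kid>")
        found += [(kid, m) for m in sorted(secret & set(jwk))]
    return found


def to_public(doc):
    """Return a copy without private members; symmetric keys are refused."""
    def strip(jwk):
        if jwk.get("kty") == "oct":
            raise ValueError("symmetric key has no public form")
        secret = PRIVATE_MEMBERS.get(jwk.get("kty"), set())
        return {k: v for k, v in jwk.items() if k not in secret}
    if isinstance(doc.get("keys"), list):
        return {**doc, "keys": [strip(k) for k in doc["keys"]]}
    return strip(doc)


# Constructed sample: member values are placeholders, not real key material.
SIGNING_JWK = json.loads("""{
  "kty": "RSA", "kid": "demo", "alg": "RS256", "use": "sig",
  "n": "PLACEHOLDER_MODULUS", "e": "AQAB",
  "d": "PLACEHOLDER", "p": "PLACEHOLDER", "q": "PLACEHOLDER",
  "dp": "PLACEHOLDER", "dq": "PLACEHOLDER", "qi": "PLACEHOLDER"
}""")

if __name__ == "__main__":
    print("signing key :", private_members(SIGNING_JWK))
    print("verifier key:", private_members(to_public(SIGNING_JWK)))
```

A non-empty result from `private_members` on the file referenced by the verifier is the condition the review comment describes; the same check works as a CI gate on any JWK or JWKS file meant for distribution.
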
@predic8 predic8 added this to the 7.3.0 milestone Jun 28, 2026
@membrane-ci-server

This pull request needs "/ok-to-test" from an authorized committer.

predic8 (Member, Author) commented Jun 28, 2026

/ok-to-test

@rrayst rrayst merged commit 2935d23 into master Jun 28, 2026
5 checks passed
@rrayst rrayst deleted the jwt-tutorials branch June 28, 2026 18:15