import ballerina/http;
import ballerina/config;
import ballerina/jwt;
import ballerina/log;
// Outbound JWT auth provider for the client. Issuer configuration is passed as
// a record, so (per this example's description) a new JWT is issued for each
// outbound authentication instead of reusing one from the runtime context.
jwt:OutboundJwtAuthProvider outboundJwtAuthProvider = new ({
    username: "ballerina",
    issuer: "ballerina",
    // Includes "ballerina.io", the audience the sample service is configured
    // to accept.
    audience: ["ballerina", "ballerina.org", "ballerina.io"],
    // The sample service's listener lists "hello" in its `scopes`.
    customClaims: {"scope": "hello"},
    // Keystore and key alias for the issued JWT; presumably this is the
    // private key the token is signed with.
    // NOTE(review): the path is under the Ballerina home directory, so this
    // looks like the keystore bundled with the distribution, and both
    // passwords are literals in source. A token signed with a shared sample
    // key proves nothing about the caller; outside a demo, use your own key
    // material and read the passwords from configuration.
    keyStoreConfig: {
        keyAlias: "ballerina",
        keyPassword: "ballerina",
        keyStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaKeystore.p12",
            password: "ballerina"
        }
    }
});
// Bearer auth handler built from the outbound JWT provider declared above.
http:BearerAuthHandler outboundJwtAuthHandler = new (outboundJwtAuthProvider);

// HTTPS client for the sample service at localhost:9090. The `auth` field
// attaches the bearer handler to requests sent through this endpoint.
http:Client httpEndpoint = new ("https://localhost:9090", {
    auth: {
        authHandler: outboundJwtAuthHandler
    },
    // Truststore for the TLS connection to the service.
    // NOTE(review): the path is under the Ballerina home directory (presumably
    // the truststore bundled with the distribution) and the password is a
    // literal in source; replace both outside a demo.
    secureSocket: {
        trustStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaTruststore.p12",
            password: "ballerina"
        }
    }
});

// Entry point: sends one GET to /hello/sayHello and logs the outcome.
public function main() {
    var response = httpEndpoint->get("/hello/sayHello");
    if (response is http:Response) {
        // getTextPayload() can yield an error; in that case only a fixed
        // message is logged (at info level), not the error itself.
        var result = response.getTextPayload();
        log:printInfo((result is error) ? "Failed to retrieve payload."
                                        : result);
    } else {
        // Here `response` is the non-Response value (presumably an error),
        // passed to the logger as the second argument.
        log:printError("Failed to call the endpoint.", response);
    }
}
// The listing below is a second file: the sample service the client calls.
import ballerina/http;
import ballerina/config;
import ballerina/jwt;
import ballerina/log;
// Inbound JWT auth provider for the service, configured with the issuer and
// audience it expects in incoming tokens.
jwt:InboundJwtAuthProvider inboundJwtAuthProvider = new ({
    issuer: "ballerina",
    audience: "ballerina.io",
    // Truststore and certificate alias; presumably the certificate used to
    // verify the JWT signature.
    // NOTE(review): the path is under the Ballerina home directory, so this
    // looks like the truststore bundled with the distribution, and the
    // password is a literal in source. Trusting a shared sample certificate
    // means accepting tokens signed by anyone with the matching sample key;
    // outside a demo, trust only your own issuer's certificate.
    trustStoreConfig: {
        certificateAlias: "ballerina",
        trustStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaTruststore.p12",
            password: "ballerina"
        }
    }
});
// Bearer auth handler built from the inbound JWT provider.
http:BearerAuthHandler inboundJwtAuthHandler = new (inboundJwtAuthProvider);
// Listener on port 9090 with TLS (`secureSocket`) and JWT authentication.
// The run output on this page shows it bound to 0.0.0.0:9090.
listener http:Listener ep = new (9090, config = {
    auth: {
        authHandlers: [inboundJwtAuthHandler],
        // Scope list for services on this listener; the sample client puts
        // "scope": "hello" in its JWT custom claims.
        scopes: ["hello"]
    },
    // Keystore for the listener's TLS identity.
    // NOTE(review): path under the Ballerina home directory (presumably the
    // bundled sample keystore) and a literal password; replace both outside
    // a demo.
    secureSocket: {
        keyStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaKeystore.p12",
            password: "ballerina"
        }
    }
});

// Sample backend service attached to `ep`. It declares no auth settings of
// its own, so it presumably inherits the listener-level configuration.
service hello on ep {
    // Called by the sample client as GET /hello/sayHello; replies with a
    // fixed string.
    resource function sayHello(http:Caller caller, http:Request req) {
        error? result = caller->respond("Hello, World!!!");
        if (result is error) {
            // A failed respond is logged, not propagated.
            log:printError("Error in responding to caller", result);
        }
    }
}

Secured Client with JWT Auth

A client secured with JWT authentication should be used to connect to a service that is secured with JWT authentication. The jwt:OutboundJwtAuthProvider is initialized with or without passing the JWT issuer configurations as a record. If the JWT issuer configurations are passed, a new JWT is issued and used for the outbound authentication. If the JWT issuer configurations are not passed, a JWT is looked up in runtime:AuthenticationContext and used for the outbound authentication. The http:BearerAuthHandler is initialized by providing the created jwt:OutboundJwtAuthProvider. An additional auth field is added to the HTTP client endpoint initialization in order to secure the simple HTTP client endpoint. The authHandler field is defined inside the auth field, and its value is a reference to the created http:BearerAuthHandler.

import ballerina/http;
import ballerina/config;
import ballerina/jwt;
import ballerina/log;
// Outbound JWT auth provider for the client. Issuer configuration is passed as
// a record, so (per this example's description) a new JWT is issued for each
// outbound authentication instead of reusing one from the runtime context.
jwt:OutboundJwtAuthProvider outboundJwtAuthProvider = new ({
    username: "ballerina",
    issuer: "ballerina",
    // Includes "ballerina.io", the audience the sample service is configured
    // to accept.
    audience: ["ballerina", "ballerina.org", "ballerina.io"],
    // The sample service's listener lists "hello" in its `scopes`.
    customClaims: {"scope": "hello"},
    // Keystore and key alias for the issued JWT; presumably this is the
    // private key the token is signed with.
    // NOTE(review): the path is under the Ballerina home directory, so this
    // looks like the keystore bundled with the distribution, and both
    // passwords are literals in source. A token signed with a shared sample
    // key proves nothing about the caller; outside a demo, use your own key
    // material and read the passwords from configuration.
    keyStoreConfig: {
        keyAlias: "ballerina",
        keyPassword: "ballerina",
        keyStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaKeystore.p12",
            password: "ballerina"
        }
    }
});

Defines the JWT auth client endpoint to call the backend services. JWT authentication is enabled by creating a jwt:OutboundJwtAuthProvider with or without passing the JWT issuer configurations as a record. If the JWT issuer configurations are not passed, a JWT is looked up in runtime:AuthenticationContext and used for the outbound authentication.

// Bearer auth handler built from the outbound JWT provider; the client
// endpoint references it through its `auth.authHandler` field.
http:BearerAuthHandler outboundJwtAuthHandler = new (outboundJwtAuthProvider);

Creates a Bearer Auth handler from the JWT Auth provider created above.

// HTTPS client for the sample service at localhost:9090. The `auth` field
// attaches the bearer handler to requests sent through this endpoint.
http:Client httpEndpoint = new ("https://localhost:9090", {
    auth: {
        authHandler: outboundJwtAuthHandler
    },
    // Truststore for the TLS connection to the service.
    // NOTE(review): the path is under the Ballerina home directory (presumably
    // the truststore bundled with the distribution) and the password is a
    // literal in source; replace both outside a demo.
    secureSocket: {
        trustStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaTruststore.p12",
            password: "ballerina"
        }
    }
});
// Entry point: sends one GET to /hello/sayHello and logs the outcome.
public function main() {
    var response = httpEndpoint->get("/hello/sayHello");
    if (response is http:Response) {
        // getTextPayload() can yield an error; in that case only a fixed
        // message is logged (at info level), not the error itself.
        var result = response.getTextPayload();
        log:printInfo((result is error) ? "Failed to retrieve payload."
                                        : result);
    } else {
        // Here `response` is the non-Response value (presumably an error),
        // passed to the logger as the second argument.
        log:printError("Failed to call the endpoint.", response);
    }
}

Sends a GET request to the specified endpoint.

# To test the client, first start the sample service by executing the below
# command by passing Ballerina home path as a system property.
$ ballerina run secured_service_with_jwt_auth.bal --b7a.home=<ballerina_home_path>
[ballerina/http] started HTTPS/WSS listener 0.0.0.0:9090
# Then start the client by executing the below command by passing Ballerina home
# path as a system property.
$ ballerina run secured_client_with_jwt_auth.bal --b7a.home=<ballerina_home_path>
INFO  [ballerina/log] - Hello, World!!!
import ballerina/http;
import ballerina/config;
import ballerina/jwt;
import ballerina/log;
// Inbound JWT auth provider for the service, configured with the issuer and
// audience it expects in incoming tokens.
jwt:InboundJwtAuthProvider inboundJwtAuthProvider = new ({
    issuer: "ballerina",
    audience: "ballerina.io",
    // Truststore and certificate alias; presumably the certificate used to
    // verify the JWT signature.
    // NOTE(review): the path is under the Ballerina home directory, so this
    // looks like the truststore bundled with the distribution, and the
    // password is a literal in source. Trusting a shared sample certificate
    // means accepting tokens signed by anyone with the matching sample key;
    // outside a demo, trust only your own issuer's certificate.
    trustStoreConfig: {
        certificateAlias: "ballerina",
        trustStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaTruststore.p12",
            password: "ballerina"
        }
    }
});
// Bearer auth handler built from the inbound JWT provider.
http:BearerAuthHandler inboundJwtAuthHandler = new (inboundJwtAuthProvider);
// Listener on port 9090 with TLS (`secureSocket`) and JWT authentication.
// The run output on this page shows it bound to 0.0.0.0:9090.
listener http:Listener ep = new (9090, config = {
    auth: {
        authHandlers: [inboundJwtAuthHandler],
        // Scope list for services on this listener; the sample client puts
        // "scope": "hello" in its JWT custom claims.
        scopes: ["hello"]
    },
    // Keystore for the listener's TLS identity.
    // NOTE(review): path under the Ballerina home directory (presumably the
    // bundled sample keystore) and a literal password; replace both outside
    // a demo.
    secureSocket: {
        keyStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaKeystore.p12",
            password: "ballerina"
        }
    }
});

Defines the sample backend service, which is secured with JWT authentication.

// Sample backend service attached to `ep`. It declares no auth settings of
// its own, so it presumably inherits the listener-level configuration.
service hello on ep {
    // Called by the sample client as GET /hello/sayHello; replies with a
    // fixed string.
    resource function sayHello(http:Caller caller, http:Request req) {
        error? result = caller->respond("Hello, World!!!");
        if (result is error) {
            // A failed respond is logged, not propagated.
            log:printError("Error in responding to caller", result);
        }
    }
}