Use jwt for authentication

we have a system in place which authenticates users and return JWT tokens, so instead of using flowable-idm we have to use that token to give access to users to flowable applications. can any point where i can start from? thanks


I’ve done something similar previously and I got it working by replacing the FlowableCookieFilter class in the flowable-modeler (and other) application. In this class the cookie is read and checked for validity against flowable-idm. But instead you could just check that the JWT is valid and contains the correct access rights directly.


thank you for the reply. Apart from this what else did you change for fetching users and groups.

I did some work to support JWT token issued from Azure AD. I added a PreAuthentication to Flowable-IDM and verify the token there. But I still use IDM to managing the privileges.

i am trying to do something similar, but my users and groups will come from the rest api something similar to LDAP.

If you are doing some work really similar to LDAP, I think you can create a IdentityService implement similar with LDAPIdentityServiceImpl and initial it as bean in IDM app. The only problem of this service interface is it can only verify user by username and password. That’s the reason I use PreAuthenticatedAuthenticationToken. Another benefit is it can support the original authentication at the same time.

@bwangfdu I’m also wanting to use a previously issued JST token. Can you describe in a little more detail what you mean by adding PreAuthentication to Flowable-IDM?

You can create a filter, which filters only your login callback. In the filter, you can get the token from request object, and then verify it. If verified you can get the user details from UserDetailService injected, and create a PreAuthenticatedAuthenticationToken from the user details, then put it into the SecurityContext. You will get your user logged in. You can also inject IdmIdentityService to manipulate the user entity.

I guess I am necroposting :slight_smile: but I am trying to do the same thing recently but no luck so far. Users already logged in via keycloak and I wanted to use jwt. This is my security config

.oauth2Login()  //redirect to login if no token or session is provided
// .addFilterBefore(keycloakTokenFilter, UsernamePasswordAuthenticationFilter.class)
//  .and()
.oauth2ResourceServer().jwt(); //validate JWT Bearer token

if there is no sesion or token, it redirects users to keycloak login and it works fine because it produces Oauth2AuthenticationToken, but oauth2ResourceServer() produces JwtAuthenticationToken and it leads to “org.flowable.ui.common.service.exception.NotFoundException” for some reason. How did you create PreAuthenticatedAuthenticationToken, can you explain further?

Any help would be appreciated. Thanks in advance