Backend Spring Component to use JWT Validation to access protected resource

Greenhorn
Posts: 1
Hi all
I have been tasked with creating a backend validation component to take a JWT token provided by the front-end (ANGULAR) authentication sign in. I need to take this token, parse through it, and validate it to then be able to access a protected resource (Kong Gateway/Endpoint).
My question:
What are some approaches to being able to "grab" the JWT token from the front end to be able to use it for my back-end validation?
 
Bartender
Posts: 1342
Most of the time, you are going to use the Authentication Bearer approach, despite the fact that you could also manage the whole thing by yourself.
If you use Spring / Spring Boot, you're provided with a number of facilities / libraries to deal with JWT tokens, for both supporting API security and handling JWT via code.
For example, have a look at this tutorial which explains the underlying concepts pretty well.
 
Saloon Keeper
Posts: 15274
As Claude pointed out, using Bearer Authentication is very common for JWT tokens.

I'm more concerned about what you mean by validating the token. Who signs the token? You? A third party? Is the party that signs the token also the holder of the protected resource?

In case you neither do the signing nor hold the protected resource, then why are you validating the token at all? Just pass it on to the holder of the protected resource.
 
Claude Moore
Bartender
Posts: 1342

Stephan van Hulst wrote:
I'm more concerned about what you mean by validating the token. Who signs the token? You? A third party? Is the party that signs the token also the holder of the protected resource?
In case you neither do the signing nor hold the protected resource, then why are you validating the token at all? Just pass it on to the holder of the protected resource.
I think that OP means with "validation" the process to verify whether the caller may or may not access a given resource, i.e. at the very end, extract claims and reconstruct roles. Anyway, your concern is really a good point...
In my own experience, I used to use an external Identity and Access Management (IAM) system, like Keycloak, to handle the authentication mechanism and to generate JWT tokens. Depending upon the security level you want to achieve, you can rely on it for validating JWT, signing tokens, handling revocation, and so on. But for simple scenarios, this architecture may be overkill. If you are the token issuer, you may store the tokens you have issued somewhere - on a DBMS, or simply in memory: at every API call, just verify if the token is in your registry or not, and accept or reject it accordingly.
 
Bartender
Posts: 2402
Hello everyone,
Is JWT used to verify that the message from the original sender is not altered?
Its format is like this, separated by periods: xxxx.yyyy.zzzz, where xxxx is the header info, yyyy is the message, and zzzz is the hash value of xxxx and yyyy.
If xxxx or yyyy are altered, the newly calculated zzzz' will not match the original zzzz. This means the message or header is altered.

However, I heard JWT is not completely secure. An attacker can steal the original message, alter it, calculate another zzzz'' hash value and send it to the server side. The attacker will receive a JWT token from the server, and attach this JWT token to make subsequent requests.

Basically, the attacker is pretending to be the original legitimate user and successfully accesses data from the server.
 
Stephan van Hulst
Saloon Keeper
Posts: 15274
That's why JWT tokens don't contain a simple hash of the other fields, but rather a signature.

An attacker can't forge a signature if they don't have the private key that belongs to the issuer of the token.

But that's not really important to this topic. You wouldn't write code to sign and validate a token from scratch, you'd rather use a pre-existing library that is considered secure.
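Added example (not code from any poster in this thread, and not Spring's own JwtDecoder): a stdlib-only Python sketch that pulls the token out of the Bearer header the front end sends, splits the xxxx.yyyy.zzzz form, and checks zzzz as a keyed HMAC-SHA256 (HS256) rather than a plain hash, so an altered yyyy with the old zzzz, or a zzzz computed without the key, is rejected. It assumes a constructed shared secret and constructed claims; a Spring backend would pin the algorithm and key the same way, with RS256 and the issuer's public key being the asymmetric equivalent Stephan describes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: a real service loads it from configuration, never from source.
SECRET = b"demo-hs256-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build xxxx.yyyy.zzzz where zzzz is an HMAC over 'xxxx.yyyy', so it needs the key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    tag = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"

def bearer_token(authorization_header: str) -> Optional[str]:
    """Extract the token from the 'Authorization: Bearer <token>' header the front end sends."""
    scheme, _, token = authorization_header.strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None

def validate_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature and expiry check out; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; the token must not be allowed to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # xxxx or yyyy was altered, or zzzz was made without the key
    if not isinstance(claims, dict) or claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # missing or past expiry
    return claims
```

Revocation is not covered here: as Claude notes, a backend that is also the issuer can additionally keep a registry of issued tokens and reject any not in it.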