Java 17 early access support, JWE support for access and ID tokens, MicroProfile Context Propagation 1.3, and more in Open Liberty 21.0.0.10-beta

Ryan Storey on Sep 7, 2021

announcements , microprofile , java-se , beta , security , jakarta-ee ,

Post available in languages:

Open Liberty 21.0.0.10-beta provides long-awaited Java 17 early access support, offering a lot of new enhancements and functionality. Also included is JWE token format support for OpenID Connect Client (OIDC) and Social Media Login. This beta also offers updates to MicroProfile Context Propagation, meaning that you can now use MicroProfile Context Propagation within your Jakarta EE 9 applications, as well as Jakarta EE 9 support for the remaining Open Liberty value-add features.

We have two beta packages for Open Liberty:

All Beta Features: a larger package that contains all Open Liberty beta features (including Jakarta EE 9 beta features) and GA features and functions.
Jakarta EE 9 Beta Features: a lightweight package that contains only the Jakarta EE 9 features.

This means that you can now try out our in-development Open Liberty features by just adding the relevant coordinates to your build tools.

If you try either package, let us know what you think.

All Beta Features package

The All Beta Features package includes the following beta features:

Java 17 early access support
JWE support for OpenID Connect Client and Social Media Login
MicroProfile Context Propagation 1.3
Jakarta EE 9 support for the remaining Open Liberty value-add features

Java 17 early access support

The long awaited release of Java 17 is coming soon and it will be the first LTS (long term support) release since Java 11. It will offer a lot of new functionality and environmental changes that you will want to check into. Because it will be a milestone release, we thought you might like to take a test drive with the early access release of Java 17 (we have been testing with build 35). This will allow you to test out your existing applications and microservices or write a new one on your favorite server runtime, Open Liberty!

Some of the noteworthy highlights from Java 12-17:

By taking advantage of trying out the new changes in Java 17 now, you get more time to review your applications, microservices and runtime environments and be a step ahead when it becomes generally available.

To give this a try today, download the early access release of Java 17, download and install the 21.0.0.10-beta version of Open Liberty, edit your Liberty server’s server.env file to point JAVA_HOME to your Java 17 installation and start testing!

For more information on Java 17, please visit the Java 17 release notes page, API Javadoc page or download page. For more information on Open Liberty, please visit our documentation page.

*Note: As we work towards full Java 17 support ourselves, please excuse any of our functionality that might not be 100% ready yet. If you do hit any issues, let us know by providing feedback.

JWE support for OpenID Connect Client and Social Media Login

With this beta, the OpenID Connect Client 1.0 and Social Media Login 1.0 features support receiving tokens in the JSON Web Encryption (JWE) format. A JWE is a way to represent encrypted content using JSON. In addition to supporting JWE, the OpenID Connect Client 1.0 feature provides an option to temporarily cache access token validation results for inbound propagation. Both features add support for the RS384, RS512, HS384, HS512, ES256, ES384, and ES512 signature algorithms.

Prior to this beta, the OpenID Connect Client 1.0 and Social Media Login 1.0 features did not support consuming access or ID tokens in JWE format. This limited our interoperability with other OIDC clients and providers that use JWEs to propagate access tokens or provide identifying information about the authenticated user. With this beta, the OpenID Connect Client 1.0 and Social Media Login 1.0 features will be able to interoperate with OpenID Connect Providers that provide JWE formatted access and ID tokens.

You can configure a Liberty OpenID Connect Relying Party to process access and ID tokens that are in a JWE format. The corresponding OpenID Connect Provider should support creating JWE access or ID tokens.

Set the OpenID Connect Provider with the OpenID Connect Relying Party’s public key that is used to encrypt the Content Encryption Key according to the OpenID Connect Provider’s documentation.
Set the keyManagementKeyAlias attribute to the private key alias of the key management key that is used to decrypt the Content Encryption Key of JWE token. The key must exist in the keyStore configured for the SSL configuration referred by the the sslRef attribute. For example, <openidConnectClient keyManagementKeyAlias="privateKeyAlias" />

Optional: Configure access token cache.

You can configure a Liberty OpenID Connect Relying Party to cache access token validation results for inbound propagation.

Set the accessTokenCacheEnabled attribute to true.
Set the accessTokenCacheTimeout attribute to a duration specifying how long an authenticated subject that is created by using a propagated access token is cached.
Set the tokenReuse attribute to true if the OpenID Connect Relying Party must cache results for a JWT access token that includes a jti claim. Although enabling this support may result in a performance improvement, it is recommended that the value for the accessTokenCacheTimeout attribute is short to reduce the possibility of a stale result as compared to what a validation call to the OpenID Connect Provider would have produced.

You can also configure Liberty OIDC Social Login to process ID tokens that are in a JWE format. The corresponding OpenID Connect Provider should support creating JWE ID tokens.

Set the OpenID Connect Provider with the OIDC Social Login’s public key that is used to encrypt the Content Encryption Key according to the OpenID Connect Provider’s documentation.
Set the keyManagementKeyAlias attribute to the private key alias of the key management key that is used to decrypt the Content Encryption Key of JWE token. The key must exist in the keyStore configured for the SSL configuration referred by the the sslRef attribute. For example, <oidcLogin keyManagementKeyAlias="privateKeyAlias" />

The signatureAlgorithm attributes of both elements now support the RS384, RS512, HS384, HS512, ES256, ES384, and ES512 signature algorithms.

<openidConnectClient signatureAlgorithm="RS384"/> <oidcLogin signatureAlgorithm="RS384"/>

For more information about OpenID Connect Client refer to the OpenID Connect Client specification.

MicroProfile Context Propagation 1.3

MicroProfile Context Propagation 1.3 Release Candidate 1 adds support for Jakarta EE 9 packages (jakarta.*) and eventual alignment with the MicroProfile 5.0 platform. With the 1.3 RC1 release, you can now use MicroProfile Context Propagation within your Jakarta EE 9 applications.

To enable the new beta features in your app, add them to your server.xml:

<server>
  <featureManager>
    <feature>cdi-3.0</feature>
    <feature>jndi-1.0</feature>
    <feature>mpContextPropagation-1.3</feature>
    <feature>servlet-5.0</feature>
  </featureManager>
</server>

If you’re using Maven, here are the coordinates:

<dependency>
    <groupId>org.eclipse.microprofile.context-propagation</groupId>
    <artifactId>microprofile-context-propagation-api</artifactId>
    <version>1.3-RC1</version>
</dependency>

For more information on this MicroProfile Context Propagation update, refer to the JavaDoc and specification.

Jakarta EE 9 support for the remaining Open Liberty value-add features

In January of this year we published the Open Liberty 21.0.0.2-beta release blog post which announced Open Liberty becoming the first vendor product to be Jakarta EE Web Profile 9.0 compatible, and since then we’ve continued to deliver more Jakarta EE 9 support. This included 9.0 Full Platform support, 9.1 Web Profile and Full Platform support, and incremental support of Jakarta 9 for the Open Liberty value-add features. With the 21.0.0.10-beta release, we are proud to announce that we have now completed our journey by adding Jakarta EE 9 support for the remaining value-add features! The value-add features with Jakarta EE9 support that are added in this beta release are as follows:

Admin Center (adminCenter-1.0)
Batch Management (batchManagement-1.0)
gRPC (grpc-1.0)
gRPC Client (grpcClient-1.0)
Web Response Cache (webCache-1.0)
Web Services Atomic Transaction (wsAtomicTransaction-1.2)
Web Services Security (wsSecurity-1.1)
Web Services Security SAML (wsSecuritySaml-1.1)

Existing server configurations that use these value-add features will now work with Jakarta EE 9 features when migrating applications in those server configuration to use Jakarta EE9 technologies.

Next on the horizon is MicroProfile 5.0, which will bring Jakarta EE 9 support to the various MicroProfile features.

Try it now

To try out these features, just update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 15, Java SE 11, or Java SE 8.

If you’re using Maven, here are the coordinates:

<dependency>
  <groupId>io.openliberty.beta</groupId>
  <artifactId>openliberty-runtime</artifactId>
  <version>20.0.0.10-beta</version>
  <type>pom</type>
</dependency>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[20.0.0.10-beta,)'
}

Or take a look at our Downloads page.

Jakarta EE 9 Beta Features package

Open Liberty is the first vendor product to be Jakarta EE Web Profile 9.0 compatible since the 21.0.0.2-beta release. Open Liberty is also the first vendor product to be added to the Jakarta EE Platform 9.0 compatability list, with the release of 21.0.0.3-beta. Open Liberty 21.0.0.6-beta further expanded on this compatability by including new Jakarta EE9 supporting features, and 21.0.0.10-beta offers the same compatability with Jakarta EE9 with performance enhancements.

Enable the Jakarta EE 9 beta features in your app’s server.xml. You can enable the individual features you want or you can just add the Jakarta EE 9 convenience feature to enable all of the Jakarta EE 9 beta features at once:

  <featureManager>
    <feature>jakartaee-9.0</feature>
  </featureManager>

Or you can add the Web Profile convenience feature to enable all of the Jakarta EE 9 Web Profile beta features at once:

  <featureManager>
    <feature>webProfile-9.0</feature>
  </featureManager>

Try it now

To try out these Jakarta EE 9 features on Open Liberty in a lightweight package, just update your build tools to pull the Open Liberty Jakarta EE 9 Beta Features package instead of the main release. The beta works with Java SE 15, Java SE 11, or Java SE 8.

If you’re using Maven, here are the coordinates:

<dependency>
    <groupId>io.openliberty.beta</groupId>
    <artifactId>openliberty-jakartaee9</artifactId>
    <version>20.0.0.10-beta</version>
    <type>zip</type>
</dependency>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-jakartaee9', version: '[20.0.0.10-beta,)'
}

Or take a look at our Downloads page.

Your feedback is welcomed

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

See all blog posts