guicedee-jwt

MicroProfile JWT Auth bridge for GuicedEE with Vert.x 5: VertxJsonWebToken (Vert.x User → JsonWebToken), @Claim injection without @Inject, MicroProfileJwtContext (CallScope-aware request context), ClaimValueProvider, SPI registration (InjectionPointProvider, NamedAnnotationProvider, BindingAnnotationProvider), type-specific claim bindings (String, Set<String>, Long, Integer, Boolean, Optional<T>), Keycloak/OIDC integration via JWKS, and Guice-managed JsonWebToken. Use when bridging Vert.x JWT auth to MicroProfile JWT, injecting JWT claims, configuring @Claim fields, implementing JWT context propagation, or integrating with Keycloak/OIDC identity providers.

5 stars

Best use case

guicedee-jwt is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

MicroProfile JWT Auth bridge for GuicedEE with Vert.x 5: VertxJsonWebToken (Vert.x User → JsonWebToken), @Claim injection without @Inject, MicroProfileJwtContext (CallScope-aware request context), ClaimValueProvider, SPI registration (InjectionPointProvider, NamedAnnotationProvider, BindingAnnotationProvider), type-specific claim bindings (String, Set<String>, Long, Integer, Boolean, Optional<T>), Keycloak/OIDC integration via JWKS, and Guice-managed JsonWebToken. Use when bridging Vert.x JWT auth to MicroProfile JWT, injecting JWT claims, configuring @Claim fields, implementing JWT context propagation, or integrating with Keycloak/OIDC identity providers.

Teams using guicedee-jwt should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/guicedee-jwt/SKILL.md --create-dirs "https://raw.githubusercontent.com/GuicedEE/ai-rules/main/skills/.system/guicedee-jwt/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/guicedee-jwt/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How guicedee-jwt Compares

Feature / Agentguicedee-jwtStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

MicroProfile JWT Auth bridge for GuicedEE with Vert.x 5: VertxJsonWebToken (Vert.x User → JsonWebToken), @Claim injection without @Inject, MicroProfileJwtContext (CallScope-aware request context), ClaimValueProvider, SPI registration (InjectionPointProvider, NamedAnnotationProvider, BindingAnnotationProvider), type-specific claim bindings (String, Set<String>, Long, Integer, Boolean, Optional<T>), Keycloak/OIDC integration via JWKS, and Guice-managed JsonWebToken. Use when bridging Vert.x JWT auth to MicroProfile JWT, injecting JWT claims, configuring @Claim fields, implementing JWT context propagation, or integrating with Keycloak/OIDC identity providers.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# GuicedEE MicroProfile JWT

Bridges the MicroProfile JWT Auth specification to Vert.x 5 JWT authentication inside GuicedEE.

## Core Concept

The module converts a Vert.x `User` (authenticated via `JWTAuth`) into an `org.eclipse.microprofile.jwt.JsonWebToken`, making all standard and custom JWT claims available through the MP JWT API. Claims can be injected directly using `@Claim` — no `@Inject` required.

## Architecture

```
Vert.x JWTAuth → User → VertxJsonWebToken (implements JsonWebToken)
                           ↓
                    MicroProfileJwtContext (CallScope + ThreadLocal)
                           ↓
                    MicroProfileJwtModule (Guice bindings)
                           ↓
                    @Claim("sub") String subject  ← injected per-request
```

## Required Flow

1. Add `com.guicedee.microprofile:jwt` dependency.
2. Configure JWT authentication via `@JwtAuthOptions` on `package-info.java` (from the auth module).
3. Use `@Claim` to inject claims into your classes:
   ```java
   @Claim("sub")
   private String subject;

   @Claim("groups")
   private Set<String> roles;

   @Claim("exp")
   private Long expiration;
   ```
4. Access the full token when needed:
   ```java
   @Inject
   private JsonWebToken jwt;
   ```
5. Configure `module-info.java`:
   ```java
   module my.app {
       requires com.guicedee.microprofile.jwt;
       opens my.app to com.google.guice;
   }
   ```

## Key Classes

### `VertxJsonWebToken`

Bridge from Vert.x `User` to MP `JsonWebToken`. Extracts claims from the User's `principal()` and `accessToken` attribute.

- `getName()` resolves via MP JWT spec: `upn` → `preferred_username` → `sub`
- `getGroups()` maps from the `groups` claim
- `getAudience()` handles both string and array formats
- `getClaim(String)` returns typed values, converting `JsonArray` → `Set<String>` and `JsonObject` → `Map`

### `MicroProfileJwtContext`

Request-scoped holder for the current `JsonWebToken`:
- **Primary:** Stores in `CallScopeProperties` when a CallScope is active (Vert.x HTTP handlers)
- **Fallback:** Uses `ThreadLocal` when no call scope is active (unit tests, non-HTTP code)

```java
// In a route handler or auth filter:
User user = routingContext.user();
MicroProfileJwtContext.setCurrent(new VertxJsonWebToken(user));
// ... handle request ...
MicroProfileJwtContext.clear();
```

Or use the convenience method:
```java
MicroProfileJwtPreStartup.setCurrentUser(routingContext.user());
```

### `ClaimValueProvider<T>`

Guice `Provider<T>` that resolves a claim from the current `JsonWebToken` at injection time.

### `MicroProfileJwtModule`

Guice module (auto-discovered via SPI) that:
1. Binds `JsonWebToken` → `MicroProfileJwtContext::getCurrent`
2. Scans `@Claim`-annotated fields via ClassGraph
3. Creates type-specific `@Named("claimName")` bindings for each discovered claim

Supported field types:
| Type | Example | Null/absent behavior |
|---|---|---|
| `String` | `@Claim("sub") String subject` | `null` |
| `Set<String>` | `@Claim("groups") Set<String> roles` | `Set.of()` |
| `Long` / `long` | `@Claim("exp") Long expiration` | `0L` |
| `Integer` / `int` | `@Claim("level") Integer level` | `0` |
| `Boolean` / `boolean` | `@Claim("email_verified") Boolean verified` | `false` |
| `Optional<String>` | `@Claim("sub") Optional<String> subject` | `Optional.empty()` |
| `Object` | `@Claim("custom") Object data` | `null` |

### `MicroProfileJwtPreStartup`

Pre-startup hook that validates the JWT auth provider availability. Also provides:
```java
MicroProfileJwtPreStartup.setCurrentUser(User user);
```

## SPI Registrations

The module registers three Guice SPIs so `@Claim` works without `@Inject`:

| SPI | Implementation | Purpose |
|---|---|---|
| `InjectionPointProvider` | `ClaimInjectionPointProvider` | Marks `@Claim` as injection point |
| `NamedAnnotationProvider` | `ClaimNamedAnnotationProvider` | Converts `@Claim("sub")` → `@Named("sub")` |
| `BindingAnnotationProvider` | `ClaimBindingAnnotationProvider` | Registers `@Claim` as binding annotation |

## JPMS Module

```java
module com.guicedee.microprofile.jwt {
    requires transitive com.guicedee.vertx;
    requires transitive com.guicedee.guicedinjection;
    requires transitive io.vertx.auth.jwt;
    requires transitive microprofile.jwt.auth.api;
    requires transitive jakarta.json;

    exports com.guicedee.microprofile.jwt;
    exports com.guicedee.microprofile.jwt.implementations;

    provides IGuiceModule with MicroProfileJwtModule;
    provides IGuicePreStartup with MicroProfileJwtPreStartup;
    provides InjectionPointProvider with ClaimInjectionPointProvider;
    provides NamedAnnotationProvider with ClaimNamedAnnotationProvider;
    provides BindingAnnotationProvider with ClaimBindingAnnotationProvider;
}
```

## Keycloak / OIDC Integration

When using Keycloak or any OIDC provider:

1. Configure `@JwtAuthOptions` or `@OAuth2Options` for the provider.
2. Fetch JWKS from the provider's certs endpoint.
3. Filter signing keys only (`use=sig`) to avoid `RSA-OAEP` encryption key errors.
4. Use `JWTAuthOptions.addJwk(JsonObject)` for JWKS JSON keys (not `PubSecKeyOptions`).

Keycloak JWTs include `preferred_username`, `realm_access`, `resource_access`, `email`, `given_name`, `family_name` as standard claims — all accessible via `getClaim()`.

## Startup Flow

```
IGuiceContext.instance().inject()
 └─ MicroProfileJwtPreStartup (validates JWT provider availability)
 └─ MicroProfileJwtModule (Guice bindings)
     ├─ Binds JsonWebToken → MicroProfileJwtContext::getCurrent
     ├─ Scans @Claim-annotated fields via ClassGraph
     └─ Creates per-type @Named("claimName") providers
 └─ HTTP Request arrives
     ├─ Auth handler authenticates → User
     ├─ MicroProfileJwtContext.setCurrent(new VertxJsonWebToken(user))
     ├─ @Claim fields resolved from current JWT
     └─ MicroProfileJwtContext.clear() at request end
```

## Non-Negotiable Constraints

- Module must `requires com.guicedee.microprofile.jwt;`.
- Classes with `@Claim` fields must `opens` their package to `com.google.guice`.
- `@Claim` works **without** `@Inject` (via SPI registration).
- `MicroProfileJwtContext.clear()` **must** be called at end of request to prevent memory leaks.
- The Vert.x auth JWT dependency (`io.vertx:vertx-auth-jwt`) is required at runtime for token verification.
- `JsonWebToken` binding resolves from `MicroProfileJwtContext` — it is `null` outside a request scope.
- Claim name resolution: `@Claim("name")` → value attribute; `@Claim(standard = Claims.sub)` → standard enum name.

Related Skills

guicedee-websockets

5
from GuicedEE/ai-rules

RFC 6455 WebSocket support for GuicedEE using Vert.x 5: call-scoped connections, action-based message routing via IWebSocketMessageReceiver SPI, group management and broadcasting, WebSocketServerOptions, and lifecycle hooks. Use when adding WebSocket messaging, implementing real-time communication, managing WebSocket groups, or creating message receivers.

guicedee-webservices

5
from GuicedEE/ai-rules

SOAP web services for GuicedEE using Apache CXF conventions: JAX-WS annotations (@WebService, @WebMethod, @WebParam, @WebResult), code-first and WSDL-first approaches, endpoint publishing, CXF interceptors and logging, MTOM, WS-Security (WSS4J), SOAP 1.1/1.2 bindings, and Guice DI integration. Use when creating SOAP services, publishing JAX-WS endpoints, configuring CXF bindings, or adding WS-Security.

guicedee-web

5
from GuicedEE/ai-rules

Bootstrap reactive HTTP/HTTPS servers with Vert.x 5 inside GuicedEE: Router setup, BodyHandler configuration, TLS/HTTPS, SPI extension points (VertxRouterConfigurator, VertxHttpServerOptionsConfigurator, VertxHttpServerConfigurator), per-verticle sub-routers, and environment-driven configuration. Use when setting up the Vert.x web server, configuring HTTP/HTTPS, adding custom routes or middleware, or managing server options.

guicedee-vertx

5
from GuicedEE/ai-rules

Build reactive services using Vert.x 5 inside the GuicedEE DI lifecycle: event-bus consumers, publishers, verticle deployment, codecs, throttling, clustering, SPI hooks, and JPMS module setup. Use when adding Vert.x event-bus messaging, deploying verticles, wiring reactive endpoints with Guice injection, configuring Vert.x runtime options, or implementing custom codecs and cluster managers.

guicedee-service-registry

5
from GuicedEE/ai-rules

Named service registry with health-aware resolution for GuicedEE. Register services by simple name, auto-construct URLs from cloud DNS suffix, monitor health status, resolve services via registry:name prefix or bare name in rest-client @Endpoint. Supports aliases, multiple external URLs, Kubernetes internal URLs, and per-service health paths. Use when registering named services, checking service health, resolving service URLs by name, or integrating with rest-client for service-to-service calls.

guicedee-rest

5
from GuicedEE/ai-rules

Build Jakarta REST (JAX-RS) services on Vert.x 5 inside GuicedEE: @Path/@GET/@POST route registration, parameter binding (@PathParam, @QueryParam, @HeaderParam, etc.), Guice-managed resource classes, response handling, content negotiation, and JPMS module setup. Use when creating REST endpoints, configuring Jakarta REST resources, or wiring JAX-RS services with Guice injection.

guicedee-rest-client

5
from GuicedEE/ai-rules

Annotation-driven REST client for GuicedEE using Vert.x 5 WebClient: @Endpoint declarations, RestClient<Send, Receive> injection, authentication strategies (Bearer, Basic, API Key, OAuth2, mTLS), path parameters, environment variable overrides, package-level endpoints, service registry integration (bare name or registry: prefix), and RestClientConfigurator SPI. Use when making outbound REST calls, configuring REST client endpoints, or wiring reactive HTTP clients with Guice injection.

guicedee-rabbitmq

5
from GuicedEE/ai-rules

Annotation-driven RabbitMQ integration for GuicedEE with Vert.x 5: @RabbitConnectionOptions, @QueueExchange, @QueueDefinition, QueueConsumer/QueuePublisher injection, exchange management, queue options (priority, TTL, prefetch), publisher confirms, environment variable overrides, and verticle-scoped connections. Use when adding RabbitMQ messaging, declaring exchanges and queues, creating consumers and publishers, or configuring AMQP topology.

guicedee-persistence

5
from GuicedEE/ai-rules

Reactive JPA persistence with Hibernate Reactive 7, Vert.x 5 SQL clients, and Mutiny sessions inside GuicedEE: DatabaseModule setup, persistence.xml configuration, multi-database support, @EntityManager scoping, and environment variable resolution. Use when adding database persistence, configuring Hibernate Reactive, creating DatabaseModule subclasses, wiring Mutiny.SessionFactory, or managing multiple persistence units.

guicedee-openapi

5
from GuicedEE/ai-rules

Automatic OpenAPI 3.1 spec generation and serving for GuicedEE with Vert.x 5: scans Jakarta REST resources at startup, serves /openapi.json and /openapi.yaml endpoints, Swagger annotations support, @OpenAPIDefinition configuration, and companion Swagger UI module. Use when generating API documentation, serving OpenAPI specs, or configuring Swagger annotations on REST resources.

guicedee-metrics

5
from GuicedEE/ai-rules

Application metrics for GuicedEE using Vert.x 5 Dropwizard Metrics and MicroProfile Metrics 5.1: @Counted, @Timed, @MetricMethod annotations, Guice AOP interceptors, Prometheus scrape endpoint, Graphite reporting, JMX exposure, @MetricsOptions configuration, environment variable overrides, and Vert.x built-in metrics (event bus, HTTP, pools). Use when adding application metrics, configuring Prometheus endpoints, creating custom counters/timers, or monitoring Vert.x internals.

guicedee-mail-client

5
from GuicedEE/ai-rules

Annotation-driven SMTP mail client for GuicedEE with Vert.x 5: @MailConnectionOptions for SMTP server configuration, MailService injection for sending text/HTML/multipart emails with attachments, connection pooling, StartTLS/SSL support, DKIM signing, environment variable overrides, and graceful shutdown. Use when sending emails via SMTP, configuring mail connections, or injecting mail services.