auth-core is a resilient Authentication Microservice built with Spring Boot 3.4.1 and Java 21. It manages user identity, issues JWT tokens, and broadcasts login events via Kafka to the cloud.
- JWT Authentication: Stateless security using `io.jsonwebtoken` (JJWT 0.12.6).
- H2 Database: Fast, in-memory user storage (`jdbc:h2:mem:authdb`).
- Resilient Kafka Design: The login flow is decoupled from Kafka. If the broker is unreachable or certificates are missing, the login still succeeds.
- Aiven Cloud Ready: Includes pre-configured (commented) templates for SSL-based Aiven connections.
- Smart Configuration: Uses Spring placeholders `${VAR:default}` to allow zero-config local starts while supporting cloud overrides.
- Java: 21
- Framework: Spring Boot 3.4.1
- Security: Spring Security + JWT
- Data: Spring Data JPA + H2
- Messaging: Apache Kafka
- Lombok: For boilerplate-free code
| Method | Endpoint | Access | Description |
|---|---|---|---|
| POST | `/auth/login` | Public | Authenticates user and returns a JWT |
| GET | `/h2-console` | Public | Database management interface (H2) |
| ANY | `/**` | Authenticated | All other routes require a valid Bearer Token |
```json
POST /auth/login
Content-Type: application/json

{
  "identifier": "admin@byteentropy.com",
  "secret": "password123"
}
```

```json
{
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "type": "Bearer"
}
```
The application uses a fail-fast, run-anywhere strategy. It defaults to a local setup to ensure the app starts even without a Kafka cluster.
To connect to Aiven, follow these steps:
- Place your `.p12` and `.jks` files in `src/main/resources/certs/`.
- Uncomment the AIVEN CLOUD TEMPLATE section in `application.properties`.
- Fill in your specific Aiven URL and Service Password.
| Variable | Default | Description |
|---|---|---|
| `KAFKA_URL` | `localhost:9092` | Cloud or local Kafka broker address |
| `KAFKA_PROTO` | `PLAINTEXT` | Set to `SSL` for Aiven cloud |
| `KAFKA_KEY_PASS` | (Empty) | Password for Aiven certificates |
| `JWT_SECRET` | (Hardcoded) | 256-bit secret key for JWT signing |
Works immediately. If no Kafka is found, the app will log a warning but stay functional.
```bash
mvn spring-boot:run
```

If you prefer not to edit the properties file, use environment variables:

```bash
KAFKA_URL=your-service.aivencloud.com:12345 \
KAFKA_PROTO=SSL \
KAFKA_KEY_PATH=file:$(pwd)/src/main/resources/certs/client.keystore.p12 \
KAFKA_KEY_PASS=your_password \
mvn spring-boot:run
```

Use the following command to authenticate and receive a JWT:

```bash
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "identifier": "admin@byteentropy.com",
    "secret": "password23"
  }'
```

Copy the token string from the response and paste it into JWT.io to inspect the claims and validity.
The `.gitignore` is configured to ignore `*.p12`, `*.jks`, and `*.pem` to prevent accidental leaks.
`max.block.ms=2000` ensures that Kafka connection attempts never hang the login process for more than 2 seconds.
The service publishes login attempts, both successful and failed, to the `auth-events` topic.
- Change the Secret Key: Never use the default secret key provided in `application.properties` for a live app.
- Swap H2 for a Persistent DB: For production, change the `spring.datasource` properties to point to PostgreSQL or MySQL.
- Expand Identity: Add fields like `firstName`, `lastName`, or `mfaEnabled` to the `Identity` entity.
- Kafka Configuration: If you aren't using Kafka, you can remove the `kafkaProvider` logic in `AuthService` to simplify the code.
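
One fail-closed way to load the signing key that the "Change the Secret Key" step calls for, written against the JJWT 0.12.x API the service depends on. This is an added example, not code from the auth-core repository: the class and method names are hypothetical, and it assumes `JWT_SECRET` is Base64-encoded and that tokens live for 15 minutes.

```java
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import javax.crypto.SecretKey;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Date;

public class JwtSecretCheck {
    // Assumption: JWT_SECRET is Base64-encoded; the project may store it differently.
    static SecretKey loadKey(String base64Secret) {
        if (base64Secret == null || base64Secret.isBlank())
            throw new IllegalStateException("JWT_SECRET is not set; refusing a built-in fallback key");
        byte[] raw = Base64.getDecoder().decode(base64Secret.trim());
        if (raw.length < 32) // HS256 needs at least 256 bits of key material
            throw new IllegalStateException("JWT_SECRET must decode to at least 32 bytes");
        return Keys.hmacShaKeyFor(raw);
    }

    static String issue(SecretKey key, String subject) {
        return Jwts.builder()
                .subject(subject)
                .expiration(new Date(System.currentTimeMillis() + 15 * 60_000L)) // assumed lifetime
                .signWith(key, Jwts.SIG.HS256)
                .compact();
    }

    // Throws JwtException on a bad signature, an expired token or malformed input.
    static String verifiedSubject(SecretKey key, String token) {
        return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload().getSubject();
    }

    public static void main(String[] args) {
        // Constructed sample keys so this runs offline; the service would pass System.getenv("JWT_SECRET").
        SecureRandom rng = new SecureRandom();
        byte[] a = new byte[32], b = new byte[32];
        rng.nextBytes(a);
        rng.nextBytes(b);
        SecretKey key = loadKey(Base64.getEncoder().encodeToString(a));
        SecretKey other = loadKey(Base64.getEncoder().encodeToString(b));
        String token = issue(key, "admin@byteentropy.com");
        System.out.println("subject: " + verifiedSubject(key, token));
        try {
            verifiedSubject(other, token);
        } catch (JwtException e) {
            System.out.println("rejected under a different key: " + e.getClass().getSimpleName());
        }
    }
}
```

Calling `loadKey` once at startup makes a missing or short secret stop the application instead of silently signing tokens with a key that is checked into the repository.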