
Support for JWT integration with Spring Security WebAuthn (instead of sessions) #17802

@MohammedMogeab

Description


Subject: WebAuthn + JWT Integration with webauthn4j-spring-security

Hi Spring Security Team,

I’m currently working on an authentication system using Spring Security WebAuthn with webauthn4j, and I want to integrate it with JWT tokens instead of using the default session-based authentication.

My setup:

Spring Boot + Spring Security (latest stable version)

webauthn4j-spring-security-core (0.11.2.RELEASE)

Frontend running on https://aali.loca.lt

Custom TempJwtFilter for handling JWTs

Goal: When a user successfully authenticates with WebAuthn (fingerprint/biometric), I want the server to return a signed JWT to the client. This token will then be used for subsequent API requests (stateless, no session cookies).

Here’s a simplified version of my SecurityConfig (Maven project):

import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;

@Configuration                      // annotations are case-sensitive: @configuration does not compile
@EnableWebSecurity(debug = true)    // debug=true logs every request in detail; keep it off outside development
public class SecurityConfig {

    // TempJwtFilter is the project's own class (not shown here); corsConfigurationSource() is likewise
    // defined elsewhere in this class.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            AuthenticationManager authManager,
                                            TempJwtFilter tempJwtFilter) throws Exception {

        WebAuthnAuthenticationFilter webAuthnFilter = new WebAuthnAuthenticationFilter();
        webAuthnFilter.setAuthenticationManager(authManager);

        // On success, answer with JSON instead of redirecting; the token is still a placeholder.
        webAuthnFilter.setAuthenticationSuccessHandler((request, response, authentication) -> {
            String jwt = "dummy-token"; // TODO: generate real JWT
            response.setContentType("application/json");
            response.getWriter().write("""
                { "authenticated": true, "token": "%s" }
                """.formatted(jwt));
        });

        // On failure, return 401 with a JSON body rather than the default redirect.
        webAuthnFilter.setAuthenticationFailureHandler((request, response, exception) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.getWriter().write("{\"authenticated\": false}");
        });

        // Note: the webAuthnFilter configured above is not added to the chain here; the
        // http.webAuthn(...) DSL registers its own filter for the WebAuthn login endpoint.
        return http
                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                .csrf(csrf -> csrf.disable())
                .addFilterBefore(tempJwtFilter, UsernamePasswordAuthenticationFilter.class)
                .webAuthn(auth -> auth.rpId("aali.loca.lt"))
                .build();
    }

}

The Problem

The current WebAuthnAuthenticationFilter + WebAuthnAuthenticationProvider work seamlessly with session management.

However, if I try to integrate JWT (stateless auth), there’s no clear documentation or examples on how to replace the session with JWT handling.

I can hack it by writing a success handler that generates a JWT, but then I’m unsure what the recommended way is to:

Replace SecurityContext population with a JWT-based mechanism.

Avoid session persistence entirely.

Keep the WebAuthn flow compliant with Spring Security conventions.

Feature Request

Could you provide:

Guidance (or official documentation) on how to integrate WebAuthn with JWT tokens in Spring Security?

Possibly an extension/example project where successful WebAuthn authentication issues a JWT instead of establishing a session.

Clarification on whether this is supported out of the box, or if custom filters/providers are the only path.

Thank you for your time and help!
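One way to fill in the TODO from the post, as an added example that is not code from the issue, from Spring Security or from webauthn4j: a success handler that issues a short-lived HS256 JWT with Spring Security's own JwtEncoder, a matching JwtDecoder for the API side, and a stateless filter chain. It assumes the spring-security-oauth2-jose module is on the classpath and that a property named app.jwt.secret (an assumed name) supplies a key of at least 32 bytes; the handler is attached to the WebAuthn filter with setAuthenticationSuccessHandler exactly as the post already does.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@Configuration
public class StatelessWebAuthnJwtConfig {
    private final SecretKey key;
    // HS256 needs at least 256 bits of key; app.jwt.secret is an assumed property, loaded from config, never hard-coded.
    StatelessWebAuthnJwtConfig(@Value("${app.jwt.secret}") String secret) {
        byte[] raw = secret.getBytes(StandardCharsets.UTF_8);
        if (raw.length < 32) throw new IllegalStateException("app.jwt.secret must be at least 32 bytes");
        this.key = new SecretKeySpec(raw, "HmacSHA256");
    }
    // Success handler for the WebAuthn filter: answer with a short-lived signed JWT instead of a session.
    @Bean
    AuthenticationSuccessHandler jwtSuccessHandler() {
        JwtEncoder encoder = new NimbusJwtEncoder(new ImmutableSecret<>(key));
        return (request, response, authentication) -> {
            Instant now = Instant.now();
            JwtClaimsSet claims = JwtClaimsSet.builder()
                    .issuer("https://aali.loca.lt").subject(authentication.getName())
                    .issuedAt(now).expiresAt(now.plusSeconds(900)).claim("amr", "webauthn").build(); // 15 min
            String token = encoder.encode(JwtEncoderParameters.from(
                    JwsHeader.with(MacAlgorithm.HS256).build(), claims)).getTokenValue();
            response.setContentType("application/json");
            response.getWriter().write("{\"authenticated\": true, \"token\": \"%s\"}".formatted(token));
        };
    }
    // Same key on the verify side: signature and exp are checked on every bearer request.
    @Bean
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build();
    }
    // No HttpSession for API calls; identity comes from the bearer token (add authorizeHttpRequests rules as usual).
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
        return http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)))
                .webAuthn(auth -> auth.rpId("aali.loca.lt")).build();
    }
}
```

Keep the expiry short, since without a server-side session there is nothing to revoke before `exp`. Note also that Spring Security's default WebAuthn options repository keeps the challenge in the HttpSession between the options call and the verify call, so a fully session-free deployment additionally needs a replacement for that repository.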
