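/**
 * Authenticates a request whose credentials are a serialized JWT.
 *
 * <p>The token is first parsed <em>without</em> signature verification, only to read its issuer
 * and look that issuer up in {@code clientRegistry}. The shared secret of the tenant found there
 * is then used to verify the raw token, and only the verified token is used to build the result.
 *
 * <p>Every rejection carries the same {@code "Invalid JWT"} message, so the exception message
 * does not reveal which check failed (missing token, unknown issuer, bad signature, ...).
 *
 * @param authentication the incoming token; its credentials are read as the serialized JWT and
 *     its principal is copied into the returned authentication
 * @return a {@link JwtAuthentication} built from the verified JWT and the tenant request context
 * @throws AuthenticationException a {@link BadCredentialsException} when the credentials are
 *     missing, the JWT cannot be parsed, it names no issuer or an unregistered one, or
 *     verification against the tenant's shared secret fails
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // Read the credentials once and use the same string for parsing and for verification, so
    // the token that is verified is exactly the token whose issuer selected the secret.
    final Object credentials = authentication.getCredentials();
    if (credentials == null) {
        throw new BadCredentialsException("Invalid JWT");
    }
    final String rawJwt = credentials.toString();

    // Unverified parse: nothing read from this object may be trusted beyond choosing which
    // tenant's secret to verify against.
    final Jwt unvalidatedJwt;
    try {
        unvalidatedJwt = new SimpleJwtParser().parse(rawJwt);
    } catch (JwtParseException e) {
        throw new BadCredentialsException("Invalid JWT", e);
    }
    if (unvalidatedJwt.getIssuer() == null) {
        throw new BadCredentialsException("Invalid JWT");
    }

    // An issuer that is not registered must be rejected as bad credentials rather than escape
    // as an unchecked exception from the lookup.
    // NOTE(review): clientRegistry.get(...) presumably returns an Optional-like holder; once its
    // type is confirmed, replace this catch with an explicit presence check.
    final TenantContext tenantContext;
    try {
        tenantContext = clientRegistry.get(unvalidatedJwt.getIssuer()).get();
    } catch (java.util.NoSuchElementException | IllegalStateException e) {
        throw new BadCredentialsException("Invalid JWT", e);
    }

    final NimbusMacJwtReader reader = new NimbusMacJwtReader(tenantContext.getSharedSecret());
    try {
        // NOTE(review): no extra claim verifiers are supplied, so only what readAndVerify
        // checks by itself is enforced; request-bound claims (for example a query-string
        // hash) are not checked here. Confirm they are verified elsewhere.
        final com.atlassian.jwt.Jwt verifiedJwt =
                reader.readAndVerify(rawJwt, Collections.<String, JwtClaimVerifier>emptyMap());
        final TenantRequestContext tenantRequestContext =
                TenantRequestContext.initialise(tenantContext, verifiedJwt);
        // NOTE(review): the principal comes from the incoming Authentication, not from the
        // verified JWT. Confirm that whatever builds that token derives it safely.
        final JwtAuthentication jwtAuthentication = new JwtAuthentication(
                authentication.getPrincipal().toString(), verifiedJwt, tenantRequestContext);
        log.info("Authenticated with JWT as principal {} from issuer {}",
                jwtAuthentication.getPrincipal(), verifiedJwt.getIssuer());
        return jwtAuthentication;
    } catch (JwtParseException | JwtVerificationException e) {
        throw new BadCredentialsException("Invalid JWT", e);
    }
}
} // closes the enclosing type, whose declaration is above this excerpt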