Java EE Security.next and JWT (JSON Web Tokens)


David Blevins

There is one EC no vote due to lack of effective JWT support.

I see Rudy has done some work very recently:


Scott has mentioned it recently as well, but I didn’t see a response.  You can add me into the JWT fan-club.

I understand time constraints, but I am also wondering what everyone’s thoughts are on JWT?

Would we need an actual API change, or could we just say “you must support them”?  The TCK test would validate the server could:

 - Verify the JWT with a RSA public key (provided by the TCK)
 - Verify the server can map a JWT field to getCallerPrincipal
 - Verify the server can map a JWT field to isCallerInRole

We could punt on the specifics of how the server supports them or where the roles come from and work on those details next revision.  It seems like all servers will/do support them, so there is temptation to sneak it in even if the spec simply says “you must support them with this result” but doesn’t say how.

Rudy, I’m curious what you found in your work.

Will, any thoughts you have are great.

Understandably late and unactionable, but never hurts to ask :)  


-- 
David Blevins
http://twitter.com/dblevins
http://www.tomitribe.com
310-633-3852
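As an added illustration of the three TCK checks listed in the message (this is not code from the original post, the spec, or any TCK), the following Java class verifies an RS256 JWT against an RSA public key and maps it to something that answers getCallerPrincipal and isCallerInRole. It uses only JDK APIs; the claim names `sub` and `groups`, the `Caller` and `JwtCallerMapping` names, and the self-generated key pair that stands in for the TCK-provided key are all assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Minimal RS256 JWT check plus caller-principal / role mapping (illustration only, not spec or TCK code). */
public class JwtCallerMapping {

    /** What a container would expose through getCallerPrincipal() and isCallerInRole(). */
    public static final class Caller implements Principal {
        private final String name;
        private final Set<String> roles;
        Caller(String name, Set<String> roles) { this.name = name; this.roles = Collections.unmodifiableSet(roles); }
        @Override public String getName() { return name; }
        public boolean isCallerInRole(String role) { return roles.contains(role); }
    }

    private static final Base64.Decoder B64 = Base64.getUrlDecoder();
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();

    /** Verify the compact JWT against the given RSA public key and map its claims to a Caller, or throw. */
    public static Caller verifyAndMap(String jwt, PublicKey publicKey) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new SecurityException("JWT must have three segments");
        String header = new String(B64.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: a token claiming "none" or an HMAC alg must be rejected, not trusted.
        if (!"RS256".equals(claim(header, "alg"))) throw new SecurityException("unsupported alg");

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(publicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64.decode(parts[2]))) throw new SecurityException("bad signature");

        String payload = new String(B64.decode(parts[1]), StandardCharsets.UTF_8);
        String subject = claim(payload, "sub");               // assumed claim carrying the principal name
        if (subject == null) throw new SecurityException("missing sub claim");
        return new Caller(subject, arrayClaim(payload, "groups")); // assumed claim carrying the role names
    }

    /** Extract a top-level string claim with a regex (sufficient for the flat payloads built below). */
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    /** Extract a top-level array-of-strings claim the same way. */
    static Set<String> arrayClaim(String json, String name) {
        Set<String> out = new LinkedHashSet<>();
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\\[([^\\]]*)\\]").matcher(json);
        if (m.find()) {
            Matcher s = Pattern.compile("\"([^\"]*)\"").matcher(m.group(1));
            while (s.find()) out.add(s.group(1));
        }
        return out;
    }

    /** Build and sign a token the way a test fixture might, so the demo runs offline. */
    static String sign(String payloadJson, PrivateKey key) throws Exception {
        String head = B64E.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = B64E.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update((head + "." + body).getBytes(StandardCharsets.US_ASCII));
        return head + "." + body + "." + B64E.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // stands in for the key pair a TCK would provide
        // Constructed sample payload: subject "alice" in groups "admin" and "user".
        String token = sign("{\"sub\":\"alice\",\"groups\":[\"admin\",\"user\"]}", kp.getPrivate());

        Caller caller = verifyAndMap(token, kp.getPublic());
        System.out.println("getCallerPrincipal().getName() = " + caller.getName());
        System.out.println("isCallerInRole(\"admin\") = " + caller.isCallerInRole("admin"));
        System.out.println("isCallerInRole(\"root\")  = " + caller.isCallerInRole("root"));

        // A payload altered after signing no longer matches the signature and is rejected.
        String[] p = token.split("\\.");
        String altered = p[0] + "."
                + B64E.encodeToString("{\"sub\":\"bob\",\"groups\":[\"admin\"]}".getBytes(StandardCharsets.UTF_8))
                + "." + p[2];
        try {
            verifyAndMap(altered, kp.getPublic());
        } catch (SecurityException e) {
            System.out.println("altered token rejected: " + e.getMessage());
        }
    }
}
```

The two places a real implementation would differ from this sketch are the JSON handling (a proper parser rather than regexes) and key distribution (the public key would come from the TCK or from configuration, not from a key pair generated in the same process). The algorithm pin before signature verification is the one check worth keeping exactly as shown: without it, a token that names a different `alg` would be handed to whatever verifier the header asks for.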
