Re: Java EE and JWT (JSON Web Tokens)

reza_rahman <reza_rahman@...>

Certainly worth exploring if doing anything is possible. It does come up often enough these days at clients along with OAuth/OpenID Connect.

-------- Original message --------
From: David Blevins <dblevins@...>
Date: 7/10/17 9:10 PM (GMT-05:00)
Subject: [javaee-security-spec] Java EE and JWT (JSON Web Tokens)

There is one EC no vote due to lack of, effectively, JWT support.

I see Rudy has done some work very recently:

Scott has mentioned it recently as well, but I didn’t see a response.  You can add me into the JWT fan-club.

I understand time constraints, but I am also wondering what everyone’s thoughts are on JWT?

Would we need an actual API change or could we just say “you must support them”.  The TCK test would validate the server could:

 - Verify the JWT with an RSA public key (provided by the TCK)
 - Verify the server can map a JWT field to getCallerPrincipal
 - Verify the server can map a JWT field to isCallerInRole

We could punt on the specifics of how the server supports them or where the roles come from and work on those details next revision.  It seems like all servers will/do support them, so there is temptation to sneak it in even if the spec simply says “you must support them with this result” but doesn’t say how.

Rudy, I’m curious what you found in your work.

Will, any thoughts you have are great.

Understandably late and unactionable, but never hurts to ask :)

David Blevins
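For illustration of the three checks David lists (verify an RS256 JWT against a supplied RSA public key, map a claim to getCallerPrincipal, map a claim to the groups that back isCallerInRole), here is an added example written for this page; it is not code from the thread, from Rudy's work, or from any JSR 375 draft. It uses only JDK crypto and the JSON-P and Java EE Security APIs. The claim names ("sub" for the principal, "groups" for roles), the Bearer header convention, and the JwtPublicKeyProvider used to hand in the key are assumptions for the example; a real deployment would also pin the issuer and audience.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.CallerPrincipal;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical key source for this example: an application supplies a CDI bean
// implementing it that returns the RSA public key (the one a TCK would provide).
interface JwtPublicKeyProvider {
    PublicKey publicKey();
}

// Added example (not from the thread or the spec): a JSR 375 authentication
// mechanism that verifies an RS256 JWT and maps its claims onto the caller.
@ApplicationScoped
public class JwtAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private JwtPublicKeyProvider keyProvider;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext context) {
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) {
            // No token on this request: leave the caller unauthenticated.
            return context.doNothing();
        }
        try {
            JsonObject claims = verify(auth.substring("Bearer ".length()), keyProvider.publicKey());
            // Assumed mapping: "sub" -> getCallerPrincipal(), "groups" -> groups
            // the container uses to answer isCallerInRole().
            CallerPrincipal principal = new CallerPrincipal(claims.getString("sub"));
            Set<String> groups = new HashSet<>();
            if (claims.containsKey("groups")) {
                for (JsonString g : claims.getJsonArray("groups").getValuesAs(JsonString.class)) {
                    groups.add(g.getString());
                }
            }
            return context.notifyContainerAboutLogin(principal, groups);
        } catch (Exception e) {
            // Bad signature, wrong alg, malformed token or expiry all end in a 401.
            return context.responseUnauthorized();
        }
    }

    // Verifies a compact-serialized RS256 JWT and returns its payload claims.
    static JsonObject verify(String token, PublicKey key) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a three-part JWS compact serialization");
        }
        Base64.Decoder b64 = Base64.getUrlDecoder(); // accepts unpadded base64url

        // Pin the algorithm instead of selecting a verifier from the header;
        // trusting "alg" is what lets "none" or HMAC-with-public-key tokens through.
        JsonObject header = parse(b64.decode(parts[0]));
        if (!"RS256".equals(header.getString("alg", null))) {
            throw new SecurityException("unexpected alg");
        }

        // Signature covers the ASCII bytes of "<header>.<payload>" exactly as received.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64.decode(parts[2]))) {
            throw new SecurityException("bad signature");
        }

        // Only read claims after the signature checks out; "exp" is epoch seconds.
        JsonObject claims = parse(b64.decode(parts[1]));
        if (claims.containsKey("exp")
                && Instant.now().getEpochSecond() >= claims.getJsonNumber("exp").longValue()) {
            throw new SecurityException("token expired");
        }
        return claims;
    }

    private static JsonObject parse(byte[] json) {
        return Json.createReader(new StringReader(new String(json, StandardCharsets.UTF_8))).readObject();
    }
}
```

Handing the groups to notifyContainerAboutLogin is what lets the container answer isCallerInRole without the spec having to say where roles come from, which is the "punt on the specifics" option described above; the group-to-role mapping stays vendor-specific.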
