cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <>
Subject Jose4J and JWT
Date Fri, 02 May 2014 12:23:19 GMT

I've been experimenting for the last couple of months, whenever I get a 
chance, with having Json Web Token (JWT) supported as part of CXF OAuth2 

The immediate goal is to support JWT Bearer assertions as grants or 
authentication credentials at AccessTokenService level OOB (see more 
below about it) with the longer term goal of plugging in into the 
OpenId-Connect flows.

I've played with Apache Oltu, and could not resist writing something of 
my own of course :-) and checked few other resources. I have to admit 
right now that jose4j [1] appears to be the most complete framework 
already available, as far as the support for singing and encrypting JSON 
payloads is concerned, not in Maven Central just yet and restricted to 
Java 7 but it is worth watching.

Note, users can easily plugin custom AccessTokenGrant handlers into CXF 
AccessTokenService and use jose4j right now. The question is what level 
of support CXF can offer OOB with respect to supporting JWT Bearer 
assertion (grants) and also, how can CXF can adapt a given plain JWT 
representation into CXF ServerAccessToken representations should a user 
wish to use JWT representations as access tokens which is an orthogonal 

As such jose4j won't offer a solution on its own, it has a rich API 
specifically around encrypting and signing.

I'm going to keep experimenting for a while. I will probably come up 
with some kind of JWT API that will let users plugin or use Jose4j, not 
sure right now yet...

I should say that IMHO the JOSE effort can still be considered as a very 
new approach, it is being utilized already around but a number of good 
alternative solutions exist right now, if we talk about SSO + OAuth2, it 
can be SAML Assertion grants.

That said, ignoring JOSE is not an option given that it is obviously 
going to affect OAuth2 a lot...



View raw message