cxf-dev mailing list archives

From Sergey Beryozkin <>
Subject Re: Jose4J and JWT
Date Tue, 20 May 2014 11:51:32 GMT
I've done an initial commit; the code is raw, I committed it to avoid 
losing it :-) and to make it in time for the 3.0.1 branching.

As I said I've thought a lot about what level of support to offer.
It probably does not make sense to compete with Jose4J, which offers a
comprehensive enough object-oriented JOSE support. Apache Oltu also offers 
the support, and RestEasy too (Bill and his team always do it first :-)).

In the end I thought of offering something simple enough that 
people can do the signatures and encryptions whichever way they want, but 
also offering some utility code for the mainstream algorithms OOB.
If people want to use Jose4J or Apache Oltu with CXF then we will simply 
document that it is a matter of registering custom OAuth2 handlers.
I did not go for a builder style; I wanted JWT claims & headers 
read/written with providers like Jackson or Jettison etc., if preferred.
More refactoring will be going in, plus support for JAX-RS providers 
supporting JSON encryption & validation which goes beyond a pure OAuth2 
related support.
Eventually I will document it too :-)

Cheers, Sergey

On 02/05/14 13:23, Sergey Beryozkin wrote:
> Hi
> I've been experimenting for the last couple of months, whenever I get a
> chance, with having Json Web Token (JWT) supported as part of CXF OAuth2
> flows.
> The immediate goal is to support JWT Bearer assertions as grants or
> authentication credentials at AccessTokenService level OOB (see more
> below about it) with the longer term goal of plugging in into the
> OpenId-Connect flows.
> I've played with Apache Oltu, and could not resist writing something of
> my own of course :-), and checked a few other resources. I have to admit
> right now that jose4j [1] appears to be the most complete framework
> already available, as far as the support for signing and encrypting JSON
> payloads is concerned; not in Maven Central just yet and restricted to
> Java 7, but it is worth watching.
> Note, users can easily plug custom AccessTokenGrant handlers into CXF
> AccessTokenService and use jose4j right now. The question is what level
> of support CXF can offer OOB with respect to supporting JWT Bearer
> assertions (grants) and also how CXF can adapt a given plain JWT
> representation into CXF ServerAccessToken representations should a user
> wish to use JWT representations as access tokens, which is an orthogonal
> task.
> As such jose4j won't offer a solution on its own, it has a rich API
> specifically around encrypting and signing.
> I'm going to keep experimenting for a while. I will probably come up
> with some kind of JWT API that will let users plugin or use Jose4j, not
> sure right now yet...
> I should say that IMHO the JOSE effort can still be considered a very
> new approach; it is already being utilized here and there, but a number
> of good alternative solutions exist right now; if we talk about SSO +
> OAuth2, it can be SAML Assertion grants.
> That said, ignoring JOSE is not an option given that it is obviously
> going to affect OAuth2 a lot...
> Sergey
> [1]
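To make concrete what a "JWT Bearer assertion as a grant" handler at the token-endpoint level has to do (the shape of the token request, and the signature and claim checks the server runs before it mints its own access-token representation), here is an added example written for this archive page. It is not CXF, Jose4J or Apache Oltu code, and it does not use any CXF API. It follows the JWT bearer profile that later became RFC 7523 (grant_type urn:ietf:params:oauth:grant-type:jwt-bearer, the assertion carried in the assertion form parameter, iss/sub/aud/exp required). HS256 with a shared key is used only to keep it stdlib-only and runnable offline; the token-endpoint URL, the key and the sample claims are constructed assumptions.

```python
# Added example (not CXF/Jose4J/Oltu code): a minimal JWT bearer assertion
# grant handler in the style of RFC 7523, using only the Python stdlib.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Assumption: the token endpoint URL a client must name in the "aud" claim.
TOKEN_ENDPOINT_AUDIENCE = "https://as.example.test/oauth2/token"


class InvalidGrant(Exception):
    """Would map to an OAuth2 error=invalid_grant / unsupported_grant_type response."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Client side: compact JWS (header.payload.signature) over the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def build_token_request(assertion: str) -> str:
    """Client side: the form body POSTed to the token endpoint."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def verify_jwt_bearer_assertion(assertion: str, key: bytes, now: int,
                                replay_cache=None) -> dict:
    """Server side: verify the signature first, then the required claims."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise InvalidGrant("assertion is not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        raise InvalidGrant("unparseable JOSE header")
    # Pin the algorithm: picking the verifier from the header's own "alg"
    # is how "alg":"none" and key-confusion attacks get in.
    if header.get("alg") != "HS256":
        raise InvalidGrant("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise InvalidGrant("signature does not verify")
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            raise InvalidGrant("missing required claim " + name)
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if TOKEN_ENDPOINT_AUDIENCE not in aud:
        raise InvalidGrant("assertion not intended for this token endpoint")
    if now >= int(claims["exp"]):
        raise InvalidGrant("assertion expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise InvalidGrant("assertion not yet valid")
    # Optional replay protection keyed on jti, for the assertion's lifetime.
    if replay_cache is not None and "jti" in claims:
        if claims["jti"] in replay_cache:
            raise InvalidGrant("assertion replayed")
        replay_cache.add(claims["jti"])
    return claims


def handle_token_request(body: str, key: bytes, now: int, replay_cache=None) -> dict:
    """Server side: the grant handler a token service would dispatch to."""
    params = parse_qs(body, strict_parsing=True)
    if params.get("grant_type") != [JWT_BEARER_GRANT]:
        raise InvalidGrant("unsupported_grant_type")
    if len(params.get("assertion", [])) != 1:
        raise InvalidGrant("exactly one assertion parameter is required")
    claims = verify_jwt_bearer_assertion(params["assertion"][0], key, now, replay_cache)
    # Mint an opaque server-side token; the assertion's iss/sub become the
    # token's client and resource-owner identity (the "adapt JWT into a
    # server access token representation" step the message talks about).
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "issuer": claims["iss"], "subject": claims["sub"]}


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed; real deployments use asymmetric keys
    now = 1_700_000_000
    jwt = hs256_sign({"iss": "client-1", "sub": "alice", "exp": now + 300,
                      "aud": TOKEN_ENDPOINT_AUDIENCE, "jti": "n-1"}, key)
    print(handle_token_request(build_token_request(jwt), key, now))
```

The order of checks is deliberate: nothing in the payload is trusted until the signature verifies under a verifier the server chose, and the audience check is what stops an assertion minted for one token endpoint being replayed at another. A library such as jose4j would replace hs256_sign and the signature half of verify_jwt_bearer_assertion; the grant-type dispatch, claim validation and token minting are what the token service itself still has to own.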
