cxf-dev mailing list archives

From Sergey Beryozkin <>
Subject Re: Jose4J and JWT
Date Tue, 20 May 2014 11:59:27 GMT
This is how the test code looks at the moment:

Jws related code needs a bit of utility support, Jwe looks reasonable 
for now...


On 20/05/14 12:51, Sergey Beryozkin wrote:
> I've done an initial commit, the code is raw, I committed to avoid
> losing it :-) and to make it in time for a 3.0.1 branching.
> As I said I've thought a lot about what level of support to offer.
> It probably does not make sense to compete with Jose.4.J which offers a
> comprehensive enough Object Oriented JOSE support. Apache Oltu also offers
> the support and RestEasy too (Bill and his team always do it first :-)).
> In the end I thought of offering something simple enough such that
> people can do the signatures and encryptions whichever way they want but
> also offering some utility code for the main-stream algorithms OOB.
> If people want to use Jose4J or Apache Oltu with CXF then we will simply
> document that it is a matter of registering custom OAuth2 handlers.
> I did not go for a builder style, I wanted JWT claims & headers
> read/written with providers like Jackson or Jettison etc if preferred.
> More refactoring will be going in, plus support for JAX-RS providers
> supporting JSON encryption & validation which goes beyond a pure OAuth2
> related support.
> Eventually I will document it too :-)
> Cheers, Sergey
> On 02/05/14 13:23, Sergey Beryozkin wrote:
>> Hi
>> I've been experimenting for the last couple of months, whenever I get a
>> chance, with having Json Web Token (JWT) supported as part of CXF OAuth2
>> flows.
>> The immediate goal is to support JWT Bearer assertions as grants or
>> authentication credentials at AccessTokenService level OOB (see more
>> below about it) with the longer term goal of plugging into the
>> OpenId-Connect flows.
>> I've played with Apache Oltu, and could not resist writing something of
>> my own of course :-) and checked a few other resources. I have to admit
>> right now that jose4j [1] appears to be the most complete framework
>> already available, as far as the support for signing and encrypting JSON
>> payloads is concerned, not in Maven Central just yet and restricted to
>> Java 7 but it is worth watching.
>> Note, users can easily plug custom AccessTokenGrant handlers into CXF
>> AccessTokenService and use jose4j right now. The question is what level
>> of support CXF can offer OOB with respect to supporting JWT Bearer
>> assertion (grants) and also, how CXF can adapt a given plain JWT
>> representation into CXF ServerAccessToken representations should a user
>> wish to use JWT representations as access tokens which is an orthogonal
>> task.
>> As such jose4j won't offer a solution on its own, it has a rich API
>> specifically around encrypting and signing.
>> I'm going to keep experimenting for a while. I will probably come up
>> with some kind of JWT API that will let users plug in or use Jose4j, not
>> sure right now yet...
>> I should say that IMHO the JOSE effort can still be considered as a very
>> new approach, it is being utilized already around but a number of good
>> alternative solutions exist right now, if we talk about SSO + OAuth2, it
>> can be SAML Assertion grants.
>> That said, ignoring JOSE is not an option given that it is obviously
>> going to affect OAuth2 a lot...
>> Sergey
>> [1]

Sergey Beryozkin

Talend Community Coders

