This is honestly another sticky situation caused by the very unfortunate set of events in the Java EE 8 time frame. There are no non-contentious solutions to it now that will make everyone happy. Just for context, I expressed a clear need to solve both OIDC Connect and JWT in Java EE 8. It was way past due even then.
I don’t think directly referencing MicroProfile in a Jakarta EE specification is a realistic possibility. I believe we had sufficient debate on this topic for Configuration and it is a settled matter now.
It is also very clear these technologies in practical terms are inextricably linked, especially for cloud native applications that need to use both OIDC Connect and JWT in the sample application (a very common scenario that in my estimate now falls in the 80% use case).
I think the least confusing option for end users with a view towards sensible future maintenance is incorporating JWT into Jakarta Security and deprecating it in MicroProfile. Trying to focus on end-to-end usability on such closely related things is bound to be a hazard across two different specification efforts that are hardly aligned.
A workable but obviously less than optimal solution is somehow address integration with JWT in Jakarta Security in some kind of generic way basically targeting MicroProfile JWT but still not referencing it directly. Frankly my head hurts thinking about how you do that exactly. Maybe it’s just that you specify how there can be multiple authentication/authorization mechanisms in a single application that Jakarta Security recognizes via some kind of underlying extension mechanism and go through a similar exercise on the MicroProfile side where MicroProfile can reference that Jakarta Security extension mechanism directly.
My preference would be to first see if consensus can be achieved to move MicroProfile JWT to Jakarta Security for the reasons above I think the second strategy should be plan B if reasonable consensus cannot be achieved on the long term optimal first solution. Plan B could also be a stop gap for some period of time to keep the peace if that’s the practical thing to do for now.
From: es-dev <es-dev-bounces@xxxxxxxxxxx> on behalf of arjan tijms <arjan.tijms@xxxxxxxxx>
Sent: Friday, November 4, 2022 3:12 PM
To: jakartaee-platform developer discussions <jakartaee-platform-dev@xxxxxxxxxxx>; es developer discussions <es-dev@xxxxxxxxxxx>
Subject: [es-dev] Moving MicroProfile JWT to Jakarta Security?
Hi,
In Jakarta Security we had long ago planned to include a JWT authentication mechanism. Some prototypes from around 2016 are still testimony to that.
Meanwhile, MicroProfile has specified JWT, and a couple of implementations of it (such as Payara, OmniFaces and SmallRye) are internally based on Jakarta Security.
We have discussed moving or copying MP specs to EE before, but nothing concrete has been established. Therefore I wonder how to proceed here.
Do we copy over the MP JWT spec to a section in Jakarta Security and somehow keep them in sync?
Or do we reference the MP JWT spec from the Jakarta Security spec with text like: a compliant implementation should provide an authentication mechanism that behaves exactly like MP JWT with the following differences…
Or something else?
Thoughts?
Kind regards,
Arjan Tijms
