Re: [jakartaee-platform-dev] Moving MicroProfile JWT to JakartaSecurity?

Hi,

 

Speaking of competing specs and projects Red Hat does under the Eclipse Foundation:

Vert.x, also a competing project to WildFly or Quarkus, talks about JWT RBAC:

https://vertx.io/docs/vertx-auth-oauth2/java/#_role_based_access_control

Role Based Access Control

OAuth2 is an AuthN protocol, however OpenId Connect adds JWTs to the token format which means that AuthZ can be encoded at the token level. Currently there are 2 known JWT AuthZ known formats:

  • Keycloak
  • MicroProfile JWT 1.1 spec (from the auth-jwt module)

Meaning Keycloak does not fully comply with or use MP JWT either ;-)

 

Kind Regards,

Werner

 

From: arjan tijms
Sent: Friday, 11 November 2022 19:32
To: jakartaee-platform developer discussions
Subject: Re: [jakartaee-platform-dev] Moving MicroProfile JWT to JakartaSecurity?

 

Hi

 

On Fri, Nov 11, 2022 at 6:15 PM Scott Stark <starksm64@xxxxxxxxx> wrote:

For specification projects in a related space, the existence of more than one needs to be justified. There is a reason everyone involved in specification/standards work raises this well-trodden satire out at some point:

 

So what do you propose instead then? Having a Jakarta Full-profile or so that includes both EE and MP?

 

As a Jakarta EE user, we can now freely use Form, Basic, Open ID Connect, but not JWT. Even when an MP profile JWT implementation is added, it's not necessarily based on Jakarta Security. Even in a Jakarta EE server that already includes MP components, its JWT implementation does not necessarily have to be Jakarta Security based. Meaning, things like additional identity stores, interceptors, etc. are not being picked up for JWT or may even clash.

 

Kind regards,

Arjan Tijms
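
The two role layouts named in the quoted Vert.x text, as an added example that is not part of this thread or of any project mentioned in it: a reader that expects the MicroProfile JWT `groups` claim finds no roles in a token using Keycloak's default layout, and vice versa. The claim sets, the issuer URL and the client id `orders-api` are constructed for illustration, Keycloak's layout is its default (protocol mappers can change it), and signature, issuer and expiry checks are assumed to have happened before these functions are called.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    # Constructed sample token; "c2ln" is a placeholder, not a real signature.
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode()]
    return ".".join([_b64url(p) for p in parts] + ["c2ln"])

def decode_claims(token: str) -> dict:
    # Decodes only. Assumes signature, issuer and expiry were verified upstream.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def _string_set(value) -> set:
    # Fail closed: anything other than a JSON array of strings grants no roles.
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return set(value)
    return set()

def mp_jwt_roles(claims: dict) -> set:
    # MicroProfile JWT: group names in the top-level "groups" claim.
    return _string_set(claims.get("groups"))

def keycloak_roles(claims: dict, client_id: str) -> set:
    # Keycloak default layout: realm_access.roles plus resource_access.<client>.roles.
    realm = claims.get("realm_access")
    roles = _string_set(realm.get("roles")) if isinstance(realm, dict) else set()
    resources = claims.get("resource_access")
    client = resources.get(client_id) if isinstance(resources, dict) else None
    if isinstance(client, dict):
        roles |= _string_set(client.get("roles"))
    return roles

# Constructed claim sets for the same user in each format (all values are made up).
KEYCLOAK_CLAIMS = {"iss": "https://idp.example/realms/demo", "sub": "alice",
                   "realm_access": {"roles": ["user"]},
                   "resource_access": {"orders-api": {"roles": ["admin"]}}}
MP_JWT_CLAIMS = {"iss": "https://idp.example/realms/demo", "sub": "alice",
                 "upn": "alice@example.org", "groups": ["user", "admin"]}

if __name__ == "__main__":
    claims = decode_claims(make_token(KEYCLOAK_CLAIMS))
    print("read as MP JWT:  ", sorted(mp_jwt_roles(claims)))
    print("read as Keycloak:", sorted(keycloak_roles(claims, "orders-api")))
```

An empty role set from the wrong reader is the safe outcome here: access is denied rather than granted on a misread claim.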
