Hi everyone,
I'm trying to build a small custom REST service that is a relying party in OAuth, i.e. it provides resources to users, but the decision whether a given Bearer token is valid and which scopes are attached to it is not taken by the service itself.
So I'm using OAuth2 RFC 7662 token introspection to check the token at the auth server. The system I'm extending implements standard OAuth2, but not with JWT tokens; it uses plain OAuth2 as specified, i.e. the access token is an opaque string. (Related spec: "usually opaque" ... "may self-contain" - nothing says that the token 'must' self-contain information as a JWT.)
Unfortunately (and although there explicitly is a separate vertx-auth-jwt module) the vertx-auth-oauth2 module is implicitly assuming JWT all over the place. E.g. even though the OAuth2Auth provider has an "introspect" method that takes a plain String, internally it builds an AccessToken object, and that (although the name does not say it) is hardwired from top to bottom to be a JWT token.
I ended up copying code out of the AccessToken implementation and removing all the JWT specific
Is this by design and intended? Any plans or ideas to e.g. flag a Provider or an AccessToken as "opaque"? Removing the JWT hardwiring would be super breaking, so I guess the better way would be to allow loosening the restrictions explicitly.
Nikolaus
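As an added example (not code from the original post and not vertx-auth code), here is the RFC 7662 exchange the post describes, written so it runs stand-alone in Python: the introspection endpoint on the authorization-server side and the relying-party check on the resource-server side, with opaque tokens that are never parsed or decoded by the resource server. The token values, the client credentials, the fixed clock and the in-memory token store are constructed for the example, and the HTTPS POST is replaced by a direct function call that carries exactly the headers and form body that would go over the wire.

```python
"""RFC 7662 token introspection for opaque (non-JWT) access tokens.

Both ends of the exchange are modelled: the authorization server's
introspection endpoint and the resource server (relying party) that
calls it. The HTTPS transport is replaced by a direct function call so
the example runs offline; headers and body are what would be sent.
"""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# --- Constructed sample data (assumption: not real credentials) ---
RS_CLIENT_ID = "resource-server"
RS_CLIENT_SECRET = "rs-secret"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

# The authorization server's view of issued tokens. Tokens are random
# opaque strings; nothing in them is decodable by the resource server.
TOKEN_STORE = {
    "7Fjfp0ZBr1KtDRbnfVdmIw": {"revoked": False, "scope": "read write",
                               "client_id": "app1", "username": "alice",
                               "exp": NOW + 3600},
    "QaXJ2o6T3c9Vv1LmYd8RkA": {"revoked": False, "scope": "read",
                               "client_id": "app1", "username": "bob",
                               "exp": NOW - 10},        # already expired
    "M3pN0eG5sUw7Hq2ZtKcBxY": {"revoked": True, "scope": "read",
                               "client_id": "app2", "username": "carol",
                               "exp": NOW + 3600},      # revoked
}


def introspection_endpoint(headers, body, now=NOW):
    """Authorization server side: POST /introspect (RFC 7662 section 2).

    Returns (http_status, json_object). The caller must authenticate
    (section 2.1) so the endpoint cannot be used as a token-guessing oracle.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    if not (hmac.compare_digest(cid, RS_CLIENT_ID)
            and hmac.compare_digest(secret, RS_CLIENT_SECRET)):
        return 401, {"error": "invalid_client"}

    token = parse_qs(body).get("token", [None])[0]
    if token is None:
        return 400, {"error": "invalid_request"}

    meta = TOKEN_STORE.get(token)
    # Section 2.2: for an unknown, revoked or expired token answer with
    # "active": false and nothing else, so no details about it leak.
    if meta is None or meta["revoked"] or meta["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, "scope": meta["scope"],
                 "client_id": meta["client_id"], "username": meta["username"],
                 "exp": meta["exp"], "token_type": "Bearer"}


def extract_bearer(authorization_header):
    """Pull the opaque token out of 'Authorization: Bearer <token>' (RFC 6750)."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def check_access(authorization_header, required_scopes,
                 transport=introspection_endpoint):
    """Resource server side: decide using only the introspection answer.

    Returns (allowed, detail): detail is the denial reason, or the
    introspection response on success. `transport` stands in for the
    HTTPS client; swap it for a real POST to the introspection endpoint.
    """
    token = extract_bearer(authorization_header or "")
    if token is None:
        return False, "missing_token"

    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode())
    headers = {"Authorization": "Basic " + creds.decode(),
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})

    status, resp = transport(headers, body)
    if status != 200:
        # Fail closed: an error from the AS is never treated as "valid".
        return False, f"introspection_failed:{status}"
    if resp.get("active") is not True:
        return False, "inactive"
    if not set(required_scopes) <= set(resp.get("scope", "").split()):
        return False, "insufficient_scope"
    return True, resp


if __name__ == "__main__":
    for hdr in ("Bearer 7Fjfp0ZBr1KtDRbnfVdmIw", "Bearer QaXJ2o6T3c9Vv1LmYd8RkA",
                "Bearer M3pN0eG5sUw7Hq2ZtKcBxY", "Bearer not-a-known-token", ""):
        print(repr(hdr), "->", check_access(hdr, {"read"}))
```

The point for a relying party is that the token string goes into the form body and comes back only as an `active`/`scope`/`exp` answer; no parsing, signature check or claim extraction happens on the resource-server side, which is why nothing in this flow needs the token to be a JWT. Two checks that are easy to drop when copying a library's code path are kept explicit here: the introspection call itself is authenticated (RFC 7662 section 2.1), and any non-200 answer from the authorization server is a denial, not a pass.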