Indeed, although that would make the practical implementation of MicroProfile quite hard, as practically speaking most are based on Java EE technology.
The MP JWT spec does say this btw:
An extended form of authorization on a per service basis using a "resource_access" claim has been postponed to a future release. See Future Directions for more information.
Which is not exactly the same, but close.
Indeed, but you can hardly blame the spec. It was decided that JWT support was needed for MicroProfile, but then it was discovered that there actually wasn't much foundation in MP to build it on, so a stand-in foundation was seemingly somewhat hastily added.
The spec says as much:
Since the MicroProfile does not specify a deployment format, and currently does not rely on servlet metadata descriptors, we have added an org.eclipse.microprofile.jwt.LoginConfig annotation that provides the same information as the web.xml login-config element. Its intended usage is to mark a JAX-RS Application as requiring MicroProfile JWT RBAC as shown in the following sample:
So the LoginConfig annotation may or may not hold only for JAX-RS, and it may or may not be used to define other authentication mechanisms to be used as well, despite that its intended usage is only "to mark a JAX-RS Application as requiring MicroProfile JWT RBAC".
There's also no place in the LoginConfig annotation to define the parameters needed for JWT.
Strangely though, but mirrored from the web.xml version, the realmName element is there:
/**
 * The realm name element specifies the realm name to
 * use in HTTP Basic authorization.
 * @return
 */
public String realmName() default "";
As the documentation says, it's ONLY used for HTTP Basic authorization. But despite that, WildFly Swarm uses it to put the JBoss specific security domain in (which is also more or less mandatory on WildFly).
Also, despite it mirroring the web.xml element, the FORM parameters are missing, so it doesn't quite match web.xml at all.
The documentation for authMethod says:
 * Supported values include
 * "BASIC", "DIGEST", "FORM", "CLIENT-CERT", "MP-JWT", or a vendor-specific
 * authentication scheme.
But if FORM is used, where does one specify the login page and the error page?
Altogether I think @LoginConfig should just be removed from the JWT spec.
Kind regards,
Arjan Tijms
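To make the discussion concrete, here is an added example (not part of the thread, and not the spec's own sample) of the only usage the spec describes for @LoginConfig: marking a JAX-RS Application as MP-JWT protected and then letting the token's "groups" claim drive @RolesAllowed. The class and path names are made up for illustration.

```java
// Added example, not from the original thread: a JAX-RS Application marked
// as requiring MP-JWT, plus a resource gated by the JWT "groups" claim.
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.eclipse.microprofile.jwt.LoginConfig;

// realmName is deliberately left at its default (""): per its own javadoc it is
// only meaningful for HTTP Basic. Note there is no element here for a login
// page or error page, which is what a web.xml <form-login-config> would carry.
@LoginConfig(authMethod = "MP-JWT")
@ApplicationPath("/api")                       // hypothetical path
public class ProtectedApplication extends Application {

    @Path("/orders")                           // hypothetical resource
    public static class OrdersResource {

        @Inject
        private JsonWebToken jwt;              // the validated token for this request

        @GET
        @RolesAllowed("orders-reader")         // checked against the "groups" claim
        public String list() {
            // getName() returns the "upn" claim, i.e. the caller's principal name
            return "orders for " + jwt.getName();
        }
    }
}
```

A request without a valid bearer token is rejected before list() runs; a valid token whose "groups" claim lacks "orders-reader" is rejected by the @RolesAllowed check.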