Agenda:
Review the proposed API changes:
JWTPrincipal updates
@LoginConfig introduction
JWTClaimType introduction
Review the TCK status:
Updated tokens-se and container profiles control the scope of tests and integrate with a container under test via a provided container tck harness artifact
Progress with verifying a tck harness artifact other than wildfly-swarm
Current scope of tests
Need for a container-optional profile that includes tests for the recommended optional spec behaviors
Review the specification status:
Updates for CDI requirements around injection of JWTPrincipal
Base set of required container API integration is limited to JAX-RS
Other container API integration moved to a recommended but optional section
--
You received this message because you are subscribed to the Google Groups "Eclipse MicroProfile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to microprofile...@googlegroups.com.
To post to this group, send email to microp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/cd04307a-4e81-4336-a9e5-cdccd1f21d11%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Attendees:
Scott Stark,
Michael Chen,
Chunlong Liang,
David Belvins
Alasdair Nottingham
We went through the current API proposals and decided on updating the names of the types under the org.eclipse.microprofile.jwt package to the following:
JWTClaim -> Claim
JWTClaimPrincipal -> ClaimValue
JWTClaimType -> Claims
JWTPrincpal -> JsonWebToken
With both ClaimValue and JsonWebToken implementing the java.security.Principal interface.
There was a desire to change the package of the LoginConfig annotation to something other than org.eclipse.microprofile.annotation. (We could just move this to the org.eclipse.microprofile.jwt package for 1.0) David pointed out that for @RequestScoped information like JWT claims, we cannot directly inject to a String, so the current example usage will be updated to inject the ClaimValue.
In terms of the value types returned from the JsonWebToken#getClaim(String) method, Alasdair described the desire to have a clear mapping from the JSON type to the returned type, even for private claims. In order to validate this, the TCK will include a JWT that includes a claim not covered in the Claims enum set, for every JSON-B data type and validate that the returned type is consistent with the JSON-B mapping.
There was a discussion around the usage of the LoginConfig annotation on the JAX-RS Application object, and David brought up that you can have multiple JAX-RS Applications in a deployment archive. The question this raised is what happens if there are multiple LoginConfig annotations on these. Scott argued that the deployment archive should be treated as a logical deployment unit with a single authentication mechanism and realm. Alasdair said you could deal with this via the equivalent of a servlet filter and handle authentication based on the application paths. There were concerns about what impacts this might have on the underlying container implementation. It was decided that the TCK would only test one secured root context path with an associated LoginConfig in a given application under test, and the implementation under test would have to support a way of configuring the authentication mechanism for that path. We would not explicitly address the handling of multiple LoginConfig annotations in a given deployment unit.
We ended the call there due to time with the action item to circulate the current API changes and make a push to finalize the API by next Friday’s call. There is a need to finalize the API by that point in order to support a 1.2 release by JavaOne. We talked about needing to get a final API out for feedback and that we could introduce significant changes in a 1.1 release if needed.
Scott said he would be actively driving the finalization of the API and specification in the forums the following week to try to meet that goal.