Hi,
I noticed there's a LoginConfig annotation in MP-JWT:
In a way this re-invents the same thing for the 3rd or even 4th time in Java EE; defining and configuring the authentication mechanism, but perhaps now in not such an optimal way. The description says it can be used with many authentication mechanisms, yet it contains an attribute to configure one specific authentication mechanism, namely BASIC. It refers to FORM being supported, yet the required attributes for FORM are not present.
Mirroring the Servlet web.xml XML element that was designed for a fixed number of authentication mechanisms, this seems not ideal, especially not when the description says it may in the future be combined with other authentication mechanisms.
Though the annotation is in the microprofile/auth package, having a LoginConfig annotation in the first place seems to me to be a far too general thing for the MP-JWT spec itself, while at the same time it's far too restricted to be used with other authentication mechanisms.
Since the MP-JWT spec only specifies a single authentication mechanism, namely the one accepting JWT tokens, perhaps a better approach would have been to define a single annotation for it that requires containers to install and configure this mechanism.
In Java EE Security (JSR 375) we introduced the convention of using "[name]AuthenticationMechanismDefinition" annotations for this. These annotations hold the specific attributes to configure a single mechanism, e.g.:
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import javax.enterprise.util.Nonbinding;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;

@Retention(RUNTIME)
@Target(TYPE)
public @interface FormAuthenticationMechanismDefinition {
    @Nonbinding
    LoginToContinue loginToContinue();
}
Or
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import javax.enterprise.util.Nonbinding;

@Retention(RUNTIME)
@Target(TYPE)
public @interface BasicAuthenticationMechanismDefinition {
    @Nonbinding
    String realmName() default "";
}
etc.
For MP-JWT, this could then be simply:
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;

@Retention(RUNTIME)
@Target(TYPE)
public @interface MPJWTAuthenticationMechanismDefinition {
    // No attributes now, but open for future extension
}
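To make the "[name]AuthenticationMechanismDefinition" convention concrete, here is an added illustration (not code from the original post, from JSR 375 or from the MP-JWT spec) of how a container could consume per-mechanism definition annotations: a stand-in installer inspects an application class for the hypothetical BasicAuthenticationMechanismDefinition and MPJWTAuthenticationMechanismDefinition annotations and installs one mechanism per annotation it finds. The MechanismInstaller class, its Installed record and the sample application classes are all constructed for this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical per-mechanism definition annotations in the JSR 375 naming style.
// Each one carries only the attributes its own mechanism needs.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface BasicAuthenticationMechanismDefinition {
    String realmName() default "";
}

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface MPJWTAuthenticationMechanismDefinition {
    // No attributes yet; adding some later does not affect any other mechanism.
}

public class MechanismInstaller {

    /** Stand-in for what a container installs; a real container would register a CDI bean. */
    public static final class Installed {
        public final String mechanism;
        public final Map<String, String> config;

        Installed(String mechanism, Map<String, String> config) {
            this.mechanism = mechanism;
            this.config = config;
        }

        @Override
        public String toString() {
            return mechanism + config;
        }
    }

    /**
     * Reads the definition annotations present on an application class and
     * "installs" one mechanism per annotation. Supporting a new mechanism means
     * adding one annotation type and one branch here; no shared authMethod
     * string needs a new value, and the attributes a mechanism requires are
     * checked by the compiler at the point of use.
     */
    public static List<Installed> install(Class<?> appClass) {
        List<Installed> installed = new ArrayList<>();

        BasicAuthenticationMechanismDefinition basic =
            appClass.getAnnotation(BasicAuthenticationMechanismDefinition.class);
        if (basic != null) {
            Map<String, String> config = new LinkedHashMap<>();
            config.put("realmName", basic.realmName());
            installed.add(new Installed("BASIC", config));
        }

        if (appClass.isAnnotationPresent(MPJWTAuthenticationMechanismDefinition.class)) {
            installed.add(new Installed("MP-JWT", new LinkedHashMap<>()));
        }

        return installed;
    }

    // Constructed sample application classes, one per mechanism.
    @MPJWTAuthenticationMechanismDefinition
    static class JwtApplication {}

    @BasicAuthenticationMechanismDefinition(realmName = "example-realm")
    static class BasicApplication {}

    public static void main(String[] args) {
        System.out.println(install(JwtApplication.class));
        System.out.println(install(BasicApplication.class));
    }
}
```

The design point this shows is the one made above: with a single general-purpose annotation, a container must interpret a mechanism name at runtime and cannot tell at compile time whether the attributes that mechanism needs were supplied. With one definition annotation per mechanism, an attribute without a default (such as loginToContinue on the FORM definition) must be present before the class even compiles, and the MP-JWT definition can grow attributes later without touching BASIC or FORM.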
Thoughts?
Kind regards,
Arjan Tijms