Re: [microprofile] Re: [jakarta-security-dev] Jakarta Security and MicroProfile JWT interlock call


Sergey Beryozkin

May 26, 2023, 6:04:39 AM
to microp...@googlegroups.com, EE4J Security project
Hey Emily

On Thu, May 25, 2023 at 6:24 PM 'Emily Jiang' via MicroProfile <microp...@googlegroups.com> wrote:
Thank you Sergey for your comments! It was meant to stress that the implementation of the bridge spec is not forced to use MP JWT or MP Config, as they can use alternative technologies. As long as they can get the annotations and attributes to work with all TCKs to pass, they will be fine. Feel free to suggest different wording on the proposal!

What I'm trying to say is that the `JsonWebToken` API is part of the MP JWT story. It is documented as a token (claims) representation.
So my proposal would be, in the code example showing how to access token claims programmatically, to at least put the focus on

securityContext.getPrincipalsByType(JsonWebToken.class)

which Ondro prototyped in this thread earlier. Listing an alternative Jakarta Security specific option is not a problem as long as it is not portrayed as the primary
option to access the complete token claims representation, which, in the context of the MP JWT and Jakarta Security interlock, may be confusing.

Requiring supporting `JsonWebToken` injection, as opposed to making it optional, would be good too IMHO.

Cheers Sergey

 
Thanks
Emily



On Thu, May 25, 2023 at 5:17 PM Sergey Beryozkin <sbia...@redhat.com> wrote:
Hi Emily, All

On Thu, May 25, 2023 at 4:46 PM 'Emily Jiang' via MicroProfile <microp...@googlegroups.com> wrote:
At today's meeting, we (John, Michael, Adam and I) discussed the proposal briefly. We think the bridge spec has no direct dependency on a particular version of MP JWT spec as it only borrows the configuration properties. This is pretty good news. We really need to work out where the bridge spec lives. Since it has no direct dependencies on MP JWT and it adds onto Jakarta Security, it makes more sense to live under Jakarta EE. The other suggestion is to add this to Jakarta Security spec as an optional part (suggested by Ondro). Please comment here on the thread.

Nice work, thanks.

What looks problematic to me though is that a programmatic access to the token claims representation starts diverging in this proposal.

Particularly, the proposal says:
- MP JWT `JsonWebToken` injection is optional
- shows an example how token claims can get accessed via Jakarta specific JWT claims API.

It makes me a little bit confused about the interlock goal.
What exactly is it if the users have to rewrite their code which uses MP JWT JsonWebToken?

IMHO some minimum portability guarantee should be part of the successful resolution.

Cheers, Sergey

 
The next call will be on 8th June.

Thanks,
Emily

On Thu, May 25, 2023 at 9:39 AM Emily Jiang <emij...@googlemail.com> wrote:
A quick reminder for today's meeting on Jakarta Security and MP JWT: The agenda is to discuss the proposal mentioned in the minute.

Thanks
Emily

On Tue, May 16, 2023 at 10:42 AM 'Emily Jiang' via MicroProfile <microp...@googlegroups.com> wrote:
Hi Ondro, Sergey,
Thanks for providing the feedback! Ondro, based on my understanding, your assumptions were correct. Logically speaking, it makes more sense for the bridge spec to reside in Jakarta EE as it is a kind of addendum for Jakarta Security, which Arjan is also advocating for. I am fine for it to be in MicroProfile as well. I don't think it matters too much.

In the next call, we will agree on the content of the bridge spec.  We can also discuss your suggestion of putting it into Jakarta Security. I think some people have concerns of circular dependency. However, if we lock down the part of MP JWT (pretty much the concept), it might not be a problem.

Thanks
Emily
On Monday, May 15, 2023 at 7:19:14 PM UTC+1 mih...@omnifish.ee wrote:
Hi Sergey,

I think you mean something like securityContext.getPrincipalsByType(JsonWebToken.class)

You are right, this would be better to specify in a spec that is on top of both specs. And I realized there are more things like that, e.g. the mapping between properties of @JwtAuthenticationMechanismDefinition and MP config properties. In my proposal I assumed these would be implicitly provided by implementors but it's better to specify this in a spec.

However, I still think that it might be worth adding @JwtAuthenticationMechanismDefinition to the Security Spec, because it's not related to MicroProfile. In the Security spec, it wouldn't define any mapping between annotation properties and MP config values, although the Security spec would keep MP config values in mind when designing the API. The format of the JWT, validation and handling of the JWT would be left intentionally unspecified, so that they can be specified in the bridge spec. I admit this would be a little more complicated but it would allow adding some JWT support to pure Jakarta EE without any MP specs.

I'm not sure whether it's worth it though, just an idea. There are probably very few Jakarta EE implementations which wouldn't want to implement MP JWT and the bridge spec. What do others think?

Ondro

On Sunday, May 14, 2023 at 6:02:56 PM UTC+2 Siarhei Biarozkin wrote:
Hi,

On Fri, May 12, 2023 at 9:55 PM Ondro Mihályi <mih...@omnifish.ee> wrote:
Hi,

I'm sorry I couldn't attend the call, I was unexpectedly travelling on Thursday.

I read the google doc with the draft and I have a few thoughts. I understand the following, please correct me if I'm wrong:
  • The new bridge spec would introduce @JwtAuthenticationMechanismDefinition. This annotation doesn't make much sense with Microprofile JWT and would be ignored in a pure MicroProfile runtime. It would only work in a Jakarta EE runtime, right?
  • No other APIs would be defined by the bridge spec
  • The bridge spec would define that runtimes must comply with some non-API parts of MicroProfile JWT spec
  • The bridge spec defines accessing claims via Jakarta SecurityContext, which again makes sense only in a Jakarta EE runtime, not in a pure MicroProfile runtime
If all above is correct, then I have an idea to simplify all of this:
  • The bridge spec would be actually a subset of MP JWT and Jakarta Security
  • The part of the MicroProfile JWT spec, which the proposal refers to, would be moved to this new bridge spec
  • The parts related to Jakarta Security would be added to the Jakarta Security spec directly
  • Both Jakarta Security and MicroProfile JWT would depend on this bridge spec, which specifies a common format of the JWT, validation and handling of the JWT
As a result, the spec would reside in Jakarta EE and it would define basically only the common format of the JWT, validation and handling of the JWT. Jakarta Security would define @JwtAuthenticationMechanismDefinition and injecting claims on top of it. MicroProfile JWT would define JsonWebToken on top of it

Do you mean Jakarta Security users will have no way to work directly with the token representation ?
Individual claim injection can work for sure, but can be limiting...

Thanks Sergey
 
and means of configuration using Microprofile Config.

If we'd like to make it even simpler, the whole bridge spec could be part of Jakarta Security, which would define it as a profile or a subspec. Then MicroProfile would require only this profile/subspec of Jakarta Security.

I'm proposing this with the assumption that the format of the JWT, validation and handling of the JWT is already pretty stable in MicroProfile JWT and it would rarely or never need to be updated. Then it doesn't matter if it stays in MP JWT or in Jakarta EE and it would greatly simplify the solution for Jakarta Security and MicroProfile JWT interlock.

Ondro


On Thu, May 11, 2023 at 11:29 PM Emily Jiang <emij...@googlemail.com> wrote:
Further to today's call, I have started a googledoc to draft the proposal that we are going to either submit to Jakarta EE or MP. Please directly comment on the proposal and we will iterate on it. We will try to finalise the proposal in the next call and start the specification.

Thanks
Emily

On Thu, May 11, 2023 at 2:24 PM Emily Jiang <emij...@googlemail.com> wrote:
A quick reminder to say the upcoming call is today at 4:00pm BST time. Hope to see you there!


Minutes here

Thanks
Emily


On Thu, Apr 20, 2023 at 4:23 PM Emily Jiang <emij...@googlemail.com> wrote:
Today we had another call to discuss this topic further. Since the time slot is too early for US folks, the attendance was quite low. Please see our discussion in the minutes and the recording will be added to the minutes soon. Please add your comments either on this list or on the doc. We discussed the future call time and agreed to delay the call for 2 hours so that more people can join next time. The next call will be at 11th May 16:00BST and then occur every other week due to travelling and meeting clashes. I will send a reminder email when the time is closer. Please let me know if you have any questions/or concerns.
Thanks
Emily


On Wed, Apr 12, 2023 at 8:37 PM Emily Jiang <emij...@googlemail.com> wrote:
As promised, I have scheduled a few weekly calls for this topic. The joining details can be found here (please see the meetings on Thursdays). The meeting will start on 20th April 2:00pm UK time.

Thanks,
Emily

On Wed, Mar 15, 2023 at 10:08 PM Emily Jiang <emij...@googlemail.com> wrote:
Thank you all for attending today's meeting and contributing your thoughts! We had a very productive conversation with the agreed mission to solve. The minutes can be accessed here. Please add your comments on the doc especially if you could not attend today's call. The link to the recording can be found from the minutes. We will have a few regular subsequent calls after we have all got into summer time saving mode.

In the meantime, please discuss this on this thread or on the minute doc.

Thanks
Emily

On Mon, Mar 13, 2023 at 10:19 PM Emily Jiang <emij...@googlemail.com> wrote:
Thank you to the ones who registered your availability! The most voted slot is Wednesday 15th March 5:00-6:00pm GMT. I have created a meeting invitation on the MicroProfile calendar here. The call will be recorded and the recording will be made available in due course.
Thanks
Emily

On Wed, Mar 8, 2023 at 5:50 PM Emily Jiang <emij...@googlemail.com> wrote:
We discussed the topic of "Jakarta Security and MicroProfile JWT" in various threads. You can read some discussion here.

I would like to volunteer to move this issue forward by chairing some calls to discuss the technical solutions for this issue. I have created this doodle poll for anyone who is interested in the discussion of the issue where Jakarta Security uses MicroProfile JWT. We had some internal conversations in IBM and will present a couple of options for this issue and would like to hear some feedback from you. Please register your interest and availability so that I can schedule a call accordingly.

Thanks
Emily

--
Thanks
Emily

_______________________________________________
jakarta-security-dev mailing list
jakarta-se...@eclipse.org
To unsubscribe from this list, visit https://accounts.eclipse.org

--
You received this message because you are subscribed to the Google Groups "MicroProfile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to microprofile...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/CABd%3DrHfNoUk%2B6hHNGmPVgnUV-Hk%2B-1m93fyUbuYN6ovCCs7kwg%40mail.gmail.com.

Ondro Mihályi

May 27, 2023, 3:13:22 AM
to MicroProfile
Yes, Sergey is right.

For securityContext.getPrincipalsByType(JsonWebToken.class) to work, we need to have a specification that depends on both MP JWT and EE Security specs (SecurityContext comes from EE while JsonWebToken comes from MP). And that would be a new bridge spec, because we didn't find any other solution. The bridge spec would have to be in MicroProfile because I doubt that Jakarta EE can accept a spec that depends on MicroProfile specs.

Earlier I was proposing something different because I thought it would be simpler and cleaner, until I realized there's a dependency on the MicroProfile API. I'm sorry for the confusion.

Ondro
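The two access styles debated in this thread side by side, as an added example that is not code from the thread, the proposal document or any of the specs' own repositories. It assumes the Jakarta Security 3.0 `SecurityContext.getPrincipalsByType(Class)` method and the MicroProfile JWT `JsonWebToken`, `@Claim` and `ClaimValue` APIs; the resource path and the `tenant` claim name are constructed for the example.

```java
import java.util.Optional;
import java.util.Set;

import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.ClaimValue;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Constructed example resource; the path is not taken from the thread.
@Path("/orders")
public class OrdersResource {

    // Jakarta Security API: available on any Jakarta EE runtime.
    @Inject
    SecurityContext securityContext;

    // MP JWT individual claim injection: one claim per injection point,
    // which is what the thread calls "limiting" compared to the full token.
    @Inject
    @Claim(standard = Claims.groups)
    ClaimValue<Set<String>> groups;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String listOrders() {
        // The option discussed in the thread: look the verified MP JWT token up
        // as a principal type through the Jakarta SecurityContext. This only
        // works when a spec ties SecurityContext (EE) to JsonWebToken (MP).
        JsonWebToken token = securityContext.getPrincipalsByType(JsonWebToken.class)
                .stream()
                .findFirst()
                .orElseThrow(() -> new ForbiddenException("no verified JWT on this request"));

        // Full token access: arbitrary claims, issuer and expiry are all reachable.
        // "tenant" is a constructed custom claim name used only for this example.
        Optional<String> tenant = token.claim("tenant");
        if (tenant.isEmpty()) {
            // A missing authorization attribute is a deny, not a default.
            throw new ForbiddenException("token carries no tenant claim");
        }

        // The same groups claim through the injected ClaimValue, for comparison.
        Set<String> injectedGroups = groups.getValue();
        Set<String> tokenGroups = token.getGroups();

        return "subject=" + token.getName()
                + " issuer=" + token.getIssuer()
                + " tenant=" + tenant.get()
                + " groups(injected)=" + injectedGroups
                + " groups(token)=" + tokenGroups;
    }
}
```

The `getPrincipalsByType` lookup is the portability point Sergey raises: code written against `JsonWebToken` keeps working on any runtime that implements the bridge, while a Jakarta-specific claims API would require a rewrite. Treating an absent claim as a denial rather than a default keeps the authorization decision explicit when the token format is only partly specified.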

Emily Jiang

May 27, 2023, 8:42:34 AM
to microp...@googlegroups.com
The reason for starting a bridge spec is that it has a dependency on MP JWT instead of putting the dependency on Jakarta Security. The bridge spec could be in Jakarta or MP.
Thanks 
Emily 

Sent from my iPhone

On 27 May 2023, at 08:13, Ondro Mihályi <ondrej....@gmail.com> wrote:



Emily Jiang

Jul 6, 2023, 10:33:18 AM
to microp...@googlegroups.com, EE4J Security project
A quick reminder on the interlock call of Jakarta Security and MP JWT in 30 minutes. Hopefully this will be the last call and we will create a Creation Plan next week. Please try your best to attend. Below are the joining details! Thank you! I have put all of the materials in the MicroProfile sandbox as promised in the last meeting.

Microprofile Meeting is inviting you to a scheduled Zoom meeting.
Meeting ID: 853 6609 8724
Minutes here
---

One tap mobile
+17193594580,,85366098724# US
+12532050468,,85366098724# US

---

Dial by your location
+1 719 359 4580 US
+1 253 205 0468 US
+1 253 215 8782 US (Tacoma)
+1 301 715 8592 US (Washington DC)
+1 305 224 1968 US
+1 309 205 3325 US
+1 312 626 6799 US (Chicago)
+1 346 248 7799 US (Houston)
+1 360 209 5623 US
+1 386 347 5053 US
+1 507 473 4847 US
+1 564 217 2000 US
+1 646 876 9923 US (New York)
+1 646 931 3860 US
+1 669 444 9171 US
+1 669 900 6833 US (San Jose)
+1 689 278 1000 US

Meeting ID: 853 6609 8724

Find your local number: https://eclipse.zoom.us/u/ke7E0lqJp

Ondro Mihályi

Jul 6, 2023, 11:26:09 AM
to microp...@googlegroups.com, EE4J Security project
Hi Emily, nobody from OmniFish could make it today, I’m sorry.

Ondro


Emily Jiang

Jul 6, 2023, 11:48:30 AM
to microp...@googlegroups.com, EE4J Security project
Thanks for letting me know, Ondro! No worries. Here are the minutes. We are having a finalish call on 20th July to discuss the last-minute questions.

Thanks
Emily


Emily Jiang

Jul 19, 2023, 9:41:06 AM
to microp...@googlegroups.com, EE4J Security project
Tomorrow will be the final interlock call to finish off the last piece and provide a quick update on where we are at. Please make every effort to attend. Here are the minutes, in which you can add any agenda items.

The meeting details can be found here.
Thanks
Emily


Emily Jiang

Sep 11, 2023, 2:57:37 PM
to microp...@googlegroups.com, EE4J Security project
Great news! The new repo jwtBridge has been created. The next step is to start contributing. Please join the MP JWT bi-weekly call from this week to collaborate. You can find the full details for the meeting here.

Thanks
Emily

Edward Burns

Sep 13, 2023, 3:05:35 PM
to microp...@googlegroups.com, EE4J Security project

Probably this is just me, but I found it useful to see the calendar in my own time zone.

Here is the link with the time zone set to USA EDT.

You can edit the value of the ctz query parameter accordingly.

Ed

| edb...@microsoft.com | office: +1 954 727 1095
| Calendar Booking: https://aka.ms/meetedburns
|
| Please don't feel obliged to read or reply to this e-mail outside
| of your normal working hours.
|
| Reply anonymously to this email: https://purl.oclc.org/NET/edburns/contact

Werner Keil

Sep 13, 2023, 3:14:39 PM
to EE4J Security project, microp...@googlegroups.com, Edward Burns
Thanks, what is the default timezone?
I tried "ctz=Berlin" which seems to work and without any it also looks like it's using your default Browser/Computer timezone.

Is the interlock meeting in there already?

Werner 



John Clingan

Sep 13, 2023, 5:07:04 PM
to MicroProfile
I'm working with Siarhei on starting the call. Hopefully, anyone with the host code will be able to start it. If not, I'll start it as the admin.

Sergey Beryozkin

Sep 14, 2023, 11:25:04 AM
to microp...@googlegroups.com
Thanks John for helping out today,

Emily, thanks for creating the new repository. Can you please update the MP JWT record in the calendar to link to the existing MP JWT notes:


There was a link to the new document which I created in my RedHat account but Jan explained you all agreed
to have MP JWT and Bridge/Interlock minutes covered by this existing doc.

It may also make sense to update the MP JWT calendar record to something like `MP JWT Spec and Bridge` to make it clearer,
as it looks like not everyone today was expecting the Bridge spec to be covered.

Cheers Sergey
Emily Jiang

Sep 21, 2023, 12:44:36 PM
to microp...@googlegroups.com
Thank you Sergey! I saw the minutes link was added there. I have updated the meeting title based on your suggestion. Sorry, I was traveling last week so I could not attend the call.
Thanks
Emily

Sergey Beryozkin

Sep 22, 2023, 1:19:04 PM
to microp...@googlegroups.com

Emily Jiang

Sep 28, 2023, 7:39:03 AM
to microp...@googlegroups.com, EE4J Security project
A gentle reminder on the bi-weekly call on JWT Bridge spec discussion. Please try your best to join and contribute.
You can find the full details for the meeting here.

Thanks
Emily