MP-JWT Aug 4 call agenda


sst...@redhat.com

Aug 3, 2017, 6:03:23 PM
to Eclipse MicroProfile

sst...@redhat.com

Aug 4, 2017, 11:01:04 AM
to Eclipse MicroProfile

The notes for today's meeting have been updated; here is the summary:


Attendees:

Scott Stark, Michael Chen, Chunlong Liang, David Blevins, Caesar


We had a long discussion around the need for both the “roles” and “groups” token claims. The main agreement was that there really was no need for two sets of claims, as most containers supported a one-to-one mapping from an IDP group to an application role, and the less specific the name of the grant, the more likely it could be used across applications. We decided we needed to enumerate the use cases better in the spec and back this up with unit tests illustrating the associated container API mappings. Population of the javax.security.auth.Subject was mentioned as something needing more definition.


We had a discussion about what should be in the TCK and to issue #6, reliance on Keycloak dependencies. David pointed out a more neutral Nimbus JOSE + JWT that could be used to address this, and Scott agreed to switch to it for the current token generation requirement. This group was not opposed to having vendor profiles in the TCK, but we will continue the discussion on Tuesday’s full MP hangout call.


There was a question on consistency raised regarding the JWTPrincipal#getAudience() accessor method that is returning a String[] rather than a Set<String> as the roles and groups accessors do. Scott said that he agreed it should be changed to a Set<String>.
