Last call on MP-JWT 1.1


Scott Stark

May 31, 2018, 12:52:00 PM
to Eclipse MicroProfile
We need input on whether we move forward with the iss claim validation compromise as described in the current 1.1-RC2 release candidate, or whether we are basically delaying the release until some future MP umbrella release. The discussion on today's MP-JWT call was around our options, and rolling back to the 1.1-RC1 behavior of allowing the token to dictate the iss claim validation was felt to be a relaxation of previous behavior that was undesirable.

David Blevins

May 31, 2018, 3:18:19 PM
to microp...@googlegroups.com
Sent a note in the draft thread.  I'm fine moving forward with requiring `mp.jwt.verify.issuer` if others are 100% confident.  I'm perhaps 30% confident as I see other options.  I'm 5% confident on `mp.jwt.verify.requireiss` and would prefer we leave that out for 1.1 so we can carefully consider what it means to require claims and how we want to express that.

Jean-Louis Monteiro

May 31, 2018, 3:28:42 PM
to MicroProfile
Sounds reasonable to me.

iss was already required in 1.0 so we don't change or break anything.

The ability to relax this constraint is something we would need to introduce but we can wait until the next release.
We also have some key configuration things to think about and I'd also like some mapping capabilities.
So it's probably safe to address the whole configuration at once so we get a better chance to be consistent.

JLouis

Scott Stark

May 31, 2018, 3:39:00 PM
to Eclipse MicroProfile
So your proposal is that we do add the `mp.jwt.verify.issuer` config property, and require that for validation, don't add the `mp.jwt.verify.requireiss` config property now, which leaves any option to disable iss validation vendor specific in this release, and we revisit defining an ability to enable/disable validation at a later time?

Jean-Louis Monteiro

May 31, 2018, 3:40:49 PM
to MicroProfile
Yes, that's my understanding too.

David Blevins

May 31, 2018, 3:50:03 PM
to MicroProfile
Correct. And for posterity, the preference is to not specify `mp.jwt.verify.issuer` just yet, but given the state of the conversations and release timing, I'm fine to concede it. At least if we leave out `mp.jwt.verify.requireiss` there's less to potentially deprecate.

Chunlong Liang

May 31, 2018, 5:33:26 PM
to Eclipse MicroProfile
Agree with this proposal "add the `mp.jwt.verify.issuer` config property, and require that for validation, don't add the `mp.jwt.verify.requireiss` config property now".