Scott Stark
https://docs.google.com/document/d/13nIVDJ6uxen7d57rxyARX8-vqsf3HTvC6hHnhitGZ0w/edit#heading=h.e1kx4qd247n
Attendees: Scott, David, Jean-Louis
Agenda:
Review updates on configuration, cookies, spec:
microprofile-jwt-auth-spec-1-1-snapshot.pdf:
https://drive.google.com/open?id=1EtUArnXcLVF_pxR9w0x6T19RZjSVW1Eg
microprofile-jwt-auth-spec-1-1-diff.pdf:
https://drive.google.com/open?id=1qvq8-WB2RR48x6UYgUwUn1gUjvN7HmBv
Discussions:
@RolesAllowed, @DenyAll, @PermitAll support. There was concern that the JWT spec is the right level to address this, and while true, we don’t have anywhere else to deal with this in MicroProfile at the moment. Suggestion was that we can only mention some of the potential issues and wait until MicroProfile 2.0 / Jakarta EE X to properly deal with this.
Is the the clockSkew really standard across the libraries. In Nimbus for instance it is not. Need to look at the verifier interface for a few of the popular JWT libraries to understand what should be surfaced as configuration.
PEM, JWK and JWKS as supported formats was discussed. It seems clear that we need to keep the embedded PEM format as it is widely supported and a non-trivial requirement to have to provide an endpoint that sources JWK/JWKS.
Action Items:
Scott will go through some of the popular JWT libraries to validate what token verification information is commonly supported to understand what should be made part of the MP-JWT spec.
Need to enumerate the key source usecases we must support in this release.
Jean-Louis Monteiro
Ladislav Thon
@RolesAllowed, @DenyAll, @PermitAll support. There was concern that the JWT spec is the right level to address this, and while true, we don’t have anywhere else to deal with this in MicroProfile at the moment. Suggestion was that we can only mention some of the potential issues and wait until MicroProfile 2.0 / Jakarta EE X to properly deal with this.