MP-JWT Roadmap call this Fri 1/19/2018 7:00 AM PDT, 3:00 PM GMT

[Scott Stark]

Kickoff meeting for discussing what we should add to MP-JWT for a 2.0 release that aligns with the MicroProfile 2.0 release. Also discuss if there is interest in an MP-JWT 1.1 release.

I'll flesh out the agenda in the next 24 hours, but basically we will hit on some left over 1.0 issues like a client factory api for JsonWebToken, issues with validation failures throwing CDI exceptions,

and some questions/issues raised by Arjan.

For 2.0, what new features and alignment with the EE 8 specs are desired.

To join the Meeting:

https://bluejeans.com/2363391609

Meeting notes + additional agenda items.

https://docs.google.com/document/d/13nIVDJ6uxen7d57rxyARX8-vqsf3HTvC6hHnhitGZ0w/edit?usp=sharing

[Emily Jiang]

Hi Scott,

Can you put a calendar entry for the MP JWT meeting? Is it weekly?

Thanks
Emily

[Kevin Sutter]

Scott,
Based on the discussion the MicroProfile 2.0 thread, it doesn't look like the community is driven for a MicroProfile 2.0 release in 1Q.  If this discussion is in prep for 2Q, then you are just way ahead of the game...  :-)
https://groups.google.com/forum/#!topic/microprofile/9hjTySQDutA

-- Kevin

[Arjan Tijms]

Hi,

Good to see the discussion kicking off. Not sure if I'll be able to attend, but I'll try.

One additional point for discussion might be pre-emptive authentication, i.e. when the caller sends a JWT token to a non-protected resource. The system can easily authenticate the caller as well then, but the spec seems to be written (and the TCK only tests for) the case when a protected resource is accessed.

Kind regards,

Arjan Tijms

On Thursday, January 18, 2018 at 5:05:35 AM UTC, Scott Stark wrote:

[Kevin Sutter]

Scott,
I have the same conflict as Emily in this timeslot, so your IBM participation may be light...  Just an FYI.

Thanks, Kevin

[Chunlong Liang]

1. In addition to the current support for sending JWT in Authorization header, we should allow send JWT as cookie which is common in SPA like Angular, see
https://blog.angular-university.io/angular-jwt-authentication/
Want to see if we can define a common cookie name for MicroProfile interoperability

2. Support encrypted JWT, as recommended by OIDC, see http://openid.net/specs/openid-connect-core-1_0.html#Encryption
Wanat to see if we could further define a set of minimum supported algorithms

--
You received this message because you are subscribed to a topic in the Google Groups "Eclipse MicroProfile" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/microprofile/kqnjz6tykmc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to microprofile+unsubscribe@googlegroups.com.
To post to this group, send email to microp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/39d5c65f-acfb-4eff-9fb3-344120262928%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Scott Stark]

Chunlong and I discussed the agenda items and I have categorized the current issues and added new ones for the 1.1 and 2.0 milestones. The 1.1 milestone would look to align with the MP 1.4 milestone while 2.0 would align with MP 2.0 milestone.

[Rudy De Busscher]

Sorry for the late response, but these are my ideas.

1. Some kind of builder to create the JWT token.

2. Integration with Rest client, Probably need to define how the JWT can be derived from the 'current context' and thus related with 1. (see also https://github.com/eclipse/microprofile-rest-client/issues/16)

regards

Rudy