Hi
I've been experimenting for the last couple of months, whenever I get a
chance, with having JSON Web Token (JWT) supported as part of CXF OAuth2
flows.
The immediate goal is to support JWT Bearer assertions as grants or
authentication credentials at AccessTokenService level OOB (see more
below about it), with the longer term goal of plugging into the
OpenId-Connect flows.
I've played with Apache Oltu, and could not resist writing something of
my own of course :-) and checked a few other resources. I have to admit
right now that jose4j [1] appears to be the most complete framework
already available, as far as the support for signing and encrypting JSON
payloads is concerned; it is not in Maven Central just yet and is restricted to
Java 7, but it is worth watching.
Note, users can easily plug in custom AccessTokenGrant handlers into CXF
AccessTokenService and use jose4j right now. The question is what level
of support CXF can offer OOB with respect to supporting JWT Bearer
assertion (grants) and also, how CXF can adapt a given plain JWT
representation into CXF ServerAccessToken representations should a user
wish to use JWT representations as access tokens, which is an orthogonal
task.
As such, jose4j won't offer a solution on its own; it has a rich API
specifically around encrypting and signing.
I'm going to keep experimenting for a while. I will probably come up
with some kind of JWT API that will let users plug in or use jose4j, not
sure right now yet...
I should say that IMHO the JOSE effort can still be considered a very
new approach; it is already being used here and there, but a number of good
alternative solutions exist right now. If we talk about SSO + OAuth2, it
can be SAML Assertion grants.
That said, ignoring JOSE is not an option given that it is obviously
going to affect OAuth2 a lot...
Sergey
[1] https://bitbucket.org/b_c/jose4j/wiki/Home
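To make the "JWT Bearer assertion as a grant" idea concrete, here is an added example (not CXF's or jose4j's code) of what a custom grant handler has to check before minting an access token: the grant type, the compact JWS structure, the `alg` (only HS256 with a constructed shared secret is accepted here, so an unsigned `alg: none` assertion is rejected), a constant-time signature comparison, and the `iss`, `sub`, `aud` and `exp` claims. The issuer, audience, secret and claim values are all constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Grant type identifier for JWT bearer assertions at the token endpoint.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256) so the example has an assertion to check."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_assertion(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate a JWT bearer assertion: fixed alg, signature first, then claims.
    Returns the verified claims or raises ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))  # parse claims only after the MAC holds
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("assertion expired or has no exp")
    return claims

def handle_grant(params: dict, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Token-endpoint side: accept only the jwt-bearer grant, return verified claims."""
    if params.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported_grant_type")
    return verify_assertion(params["assertion"], secret, issuer, audience, now)
```

The returned claims are what a CXF handler would then map into a ServerAccessToken; the mapping itself is deliberately left out, since the post treats it as a separate task.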