I've done an initial commit. The code is raw; I committed to avoid
losing it :-) and to make it in time for the 3.0.1 branching.
As I said I've thought a lot about what level of support to offer.
It probably does not make sense to compete with jose4j, which offers a
comprehensive enough object-oriented JOSE support. Apache Oltu also offers
the support, and RestEasy too (Bill and his team always do it first :-)).
In the end I thought of offering something simple enough such that
people can do the signatures and encryptions whichever way they want but
also offering some utility code for the main-stream algorithms OOB.
If people want to use Jose4J or Apache Oltu with CXF then we will simply
document that it is a matter of registering custom OAuth2 handlers.
I did not go for a builder style, I wanted JWT claims & headers
read/written with providers like Jackson or Jettison etc if preferred.
More refactoring will be going in, plus support for JAX-RS providers
supporting JSON encryption & validation, which goes beyond pure
OAuth2-related support.
Eventually I will document it too :-)
Cheers, Sergey
On 02/05/14 13:23, Sergey Beryozkin wrote:
Hi
I've been experimenting for the last couple of months, whenever I get a
chance, with having JSON Web Token (JWT) supported as part of CXF OAuth2
flows.
The immediate goal is to support JWT Bearer assertions as grants or
authentication credentials at AccessTokenService level OOB (see more
below about it), with the longer-term goal of plugging into the
OpenID Connect flows.
I've played with Apache Oltu, could not resist writing something of
my own of course :-), and checked a few other resources. I have to admit
right now that jose4j [1] appears to be the most complete framework
already available as far as the support for signing and encrypting JSON
payloads is concerned; it is not in Maven Central just yet and is restricted to
Java 7, but it is worth watching.
Note, users can easily plug custom AccessTokenGrant handlers into CXF
AccessTokenService and use jose4j right now. The question is what level
of support CXF can offer OOB with respect to supporting JWT Bearer
assertions (grants) and also how CXF can adapt a given plain JWT
representation into CXF ServerAccessToken representations, should a user
wish to use JWT representations as access tokens, which is an orthogonal
task.
As such jose4j won't offer a solution on its own, it has a rich API
specifically around encrypting and signing.
I'm going to keep experimenting for a while. I will probably come up
with some kind of JWT API that will let users plug in or use jose4j; not
sure right now yet...
I should say that IMHO the JOSE effort can still be considered a very
new approach; it is being utilized already around, but a number of good
alternative solutions exist right now. If we talk about SSO + OAuth2, it
can be SAML Assertion grants.
That said, ignoring JOSE is not an option given that it is obviously
going to affect OAuth2 a lot...
Sergey
[1] https://bitbucket.org/b_c/jose4j/wiki/Home
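The thread above talks about accepting a JWT Bearer assertion as an OAuth2 grant at the token service and about letting users plug in their own grant handler. The following is an added example, written for this page and not CXF, jose4j or Oltu code, that shows both halves of that exchange in plain Python: the client builds a compact HS256 JWS and posts it as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, and a hypothetical grant handler verifies the signature and the iss/aud/exp/jti claims before minting an access token. The shared secret, client id, token endpoint URL, and the JwtBearerGrantHandler/grant_result names are constructed placeholders; the handler deliberately rejects a replayed jti, an expired assertion, an unexpected alg, and a bad signature, since those are the checks a token service must do before trusting the assertion.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# RFC 7523 grant type identifier; the rest of these values are constructed for the example.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"          # constructed
SHARED_SECRET = b"constructed-shared-secret-for-this-example"   # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS serialization: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# --- client side: build the form body sent to the token endpoint -------------
def build_token_request(client_id: str, key: bytes, now: int) -> str:
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + 300, "jti": secrets.token_urlsafe(16)}
    return urlencode({"grant_type": JWT_BEARER, "assertion": sign_jwt_hs256(claims, key)})


# --- server side: what a custom grant handler would do (hypothetical class) --
class JwtBearerGrantHandler:
    def __init__(self, key: bytes, registered_clients: set, audience: str):
        self.key, self.clients, self.audience = key, registered_clients, audience
        self.seen_jti = set()   # replay cache; a real service would bound it by exp

    def verify(self, assertion: str, now: int) -> dict:
        parts = assertion.split(".")
        if len(parts) != 3:
            raise ValueError("malformed compact JWS")
        h, p, s = parts
        # Pin the algorithm before touching the key: never let the token choose it.
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p))
        if claims.get("iss") not in self.clients or not claims.get("sub"):
            raise ValueError("unknown issuer or missing subject")
        if claims.get("aud") != self.audience:
            raise ValueError("audience mismatch")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            raise ValueError("assertion expired")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return claims

    def create_access_token(self, form_body: str, now: int) -> dict:
        params = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
        if params.get("grant_type") != JWT_BEARER:
            raise ValueError("unsupported grant_type")
        claims = self.verify(params.get("assertion", ""), now)
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "client_id": claims["sub"]}


def grant_result(handler: JwtBearerGrantHandler, form_body: str, now: int) -> str:
    """Run the grant and collapse the outcome to one string, for easy checking."""
    try:
        return "ok:" + handler.create_access_token(form_body, now)["client_id"]
    except ValueError as e:
        return "error:" + str(e)


if __name__ == "__main__":
    now = int(time.time())
    body = build_token_request("client-1", SHARED_SECRET, now)
    handler = JwtBearerGrantHandler(SHARED_SECRET, {"client-1"}, TOKEN_ENDPOINT)
    print(grant_result(handler, body, now))        # first use succeeds
    print(grant_result(handler, body, now))        # same jti again is a replay
```

The point of the handler is that every trust decision is made server-side from the registered client's key and the expected audience, not from anything inside the assertion; with a plain `alg` check and a constant-time signature compare in place, the same shape carries over to an RS256 variant by swapping the HMAC for a public-key verify.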