arthurchan35 commented on code in PR #990:
URL: https://github.com/apache/cxf/pull/990#discussion_r967792936
##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java:
##########
@@ -646,7 +647,12 @@ protected String processJwtAccessToken(JwtClaims
jwtCliams) {
// It will JWS-sign (default) and/or JWE-encrypt
OAuthJoseJwtProducer processor =
getJwtAccessTokenProducer() == null ? new OAuthJoseJwtProducer() :
getJwtAccessTokenProducer();
- return processor.processJwt(new JwtToken(jwtCliams));
+
+ JwsHeaders jwsHeaders = new JwsHeaders();
Review Comment:
Hi @reta, thanks for the review!
According to RFC 9068 sections 2.1 and section 4, a JWT access token must
be signed, **optionally** encrypted. As I interpret the comment, it means the
same thing as specs required?
Regarding JoseType and JoseConstants, I will look into them bit more.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
