That is a strange API design for getting the JWT as the id_token. getParam is so vague - I was trying to see whether it was because it is dependent on the requested grant_type or something, in which case it would depend on the expected grant_type what gets returned from getParam.
I'll have to dig into the code at some point. The other curious thing to me is whether this is a very Google specific interaction. Will an Oltu federation provider require enough configuration fidelity to accommodate Google vs CloudFoundry UAA, etc? Perhaps config params for the provider that indicate the relevant switches - like grant_type sort of things is all we will need to morph from one to another?

On Mon, May 19, 2014 at 9:11 AM, larry mccay <[email protected]> wrote:

> Yeah, those details aren't clear - sort of what happens when you describe
> using a solution rather than the spec, I think.
> The JWT is signed and/or encrypted - that is basically how it is verified.
>
> On Mon, May 19, 2014 at 8:38 AM, Kevin Minder <[email protected]> wrote:
>
>> Good article.
>>
>> However in step "6. Authenticate the user", I fail to see how the
>> authenticity of the JWT is verified. Is that just omitted to simplify the
>> example?
>>
>> Also in step "5. Obtain user information from the ID token", I assume
>> that this code extracts the Bearer JWT from the OAuth response?
>>
>> String idToken = oAuthResponse.getParam("id_token");
>>
>> Is the content of idToken the same exact value that would be presented
>> in the Authorization header of the subsequent request?
>>
>> On 5/17/14 3:43 PM, larry mccay wrote:
>>
>>> Here is a good article on using Oltu in JAX-RS to authenticate a google
>>> user and acquire user profile information:
>>>
>>> http://carminedimascio.com/2014/02/google-oauth2-and-jax-rs/
>>>
>>> Note the use of JWT as well.
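
The signature check asked about in this thread, as an added example that comes neither from the thread, the linked article nor Oltu: it verifies an RS256 signature on a compact JWT using only the JDK. The class name, the generated key pair and the token contents are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class IdTokenSignatureCheck {

    // True only if the compact JWT is RS256-signed by the holder of providerKey.
    static boolean signatureValid(String jwt, PublicKey providerKey)
            throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;   // header.payload.signature
        String header = new String(Base64.getUrlDecoder().decode(parts[0]),
                                   StandardCharsets.UTF_8);
        // Pin the algorithm on the verifier side; the token must not choose it.
        // Naive string match for brevity; a JSON parser belongs here in real code.
        if (!header.contains("\"alg\":\"RS256\"")) return false;
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(providerKey);
        // The signature covers the first two segments exactly as transmitted.
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    static String b64(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                     .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the provider's signing key and an id_token.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair provider = gen.generateKeyPair();
        String header = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        String claims = b64("{\"iss\":\"https://idp.example\",\"sub\":\"user-1\"}");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(provider.getPrivate());
        signer.update((header + "." + claims).getBytes(StandardCharsets.US_ASCII));
        String signature = Base64.getUrlEncoder().withoutPadding().encodeToString(signer.sign());
        String idToken = header + "." + claims + "." + signature;
        // Same signature, different claims: the check has to reject this one.
        String altered = header + "." + b64("{\"iss\":\"https://idp.example\",\"sub\":\"user-2\"}")
                + "." + signature;
        System.out.println("genuine: " + signatureValid(idToken, provider.getPublic()));
        System.out.println("altered: " + signatureValid(altered, provider.getPublic()));
    }
}
```

A relying party would load the provider's published key instead of generating one, and would check the iss, aud and exp claims once the signature verifies.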
