I would agree on the bearer token use cases, though that would likely be dependent on a given realm (where to validate the bearer token).
I'm not sure using a JWT as the session id would add much value. We would still need to look up an existing session, so the session key would just be bigger? I have been thinking about how we could use JWTs for a remember me storage, which might be in line with what we are doing now. (just not sure if there is a demand for it?)

On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]> wrote:

> I think that the session cache manager is a very nice feature in Shiro
> and I was thinking about using the compact representation of JWT as the
> session id in the cache manager.
>
> This could be very useful because we just have to decrypt the JWT on
> login and store the user profile in the cache manager.
>
> So after that, the calls will only be checked in the cache without need to
> decrypt the JWT. The session validation could also be managed by the
> session scheduler.
>
> I think it makes sense for api calls for api gateway security policies
> for example.
>
> regards,
>
> François Papon
> [email protected]
>
> On 07/03/2019 at 00:15, Brian Demers wrote:
> > What use cases are you thinking about targeting ?
> >
> >
> > On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]>
> > wrote:
> >
> >> Hi guys,
> >>
> >> I would like to start a thread about JWT.
> >>
> >> We already have a shiro-jaxrs module and I think it would be nice for
> >> Shiro to be able to use JWT.
> >>
> >> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
> >> microprofile...) and for me it makes sense to have an implementation of
> >> JWT in Shiro.
> >>
> >> Thoughts?
> >>
> >> regards,
> >>
> >> --
> >> François Papon
> >> [email protected]
