For Bearer tokens (IMHO), we should treat it the same way we deal with
Basic auth. Create an AuthenticationToken based on the input, and let a
Realm implementation deal with it.

For minting the actual token, we start getting into the OAuth2 IdP
territory (once you start thinking about validating tokens, revocation,
etc).
I do think Shiro really really needs to add support for OAuth2 Resource
Servers and Authentication Code Flow.

There is some overlap with JWT (for OIDC use cases), but I'd rather approach
them from the OAuth/OIDC point of view and make the JWT lib an
implementation detail.

This does NOT cover all of the use cases where JWTs could be used, I'd just
like to see us think about the feature first.
I'm not trying to kill the discussion either, I think this is a great topic
:)


On Sun, Mar 10, 2019 at 3:58 AM Francois Papon <[email protected]>
wrote:

> Yes, that's it :)
>
> François Papon
> [email protected]
>
> Le 10/03/2019 à 10:49, Brian Demers a écrit :
> > The JWT as a Bearer token? Used with an Authorization header?
> >
> > -Brian
> >
> >> On Mar 10, 2019, at 12:00 AM, Francois Papon <[email protected]> wrote:
> >>
> >> Hi Brian,
> >>
> >> I'm thinking if it's possible to use JWT instead of cookie.
> >>
> >> I'm not sure that a cookie is mandatory in API calls because an API can be
> >> called by a backend application or another API.
> >>
> >> François Papon
> >> [email protected]
> >>
> >>> Le 08/03/2019 à 18:40, Brian Demers a écrit :
> >>> Using a JWT as an auth token (bearer or otherwise) should be dependent
> >>> on a realm's implementation IMHO.
> >>>
> >>> Using a JWT as a session id direction is a different topic.  In this
> >>> case I don't think it would provide any benefit (but I could be wrong or
> >>> missing something here)
> >>> The session id would be larger (more bits in the request/response
> >>> payloads), and on the server side you would still incur a session
> >>> lookup from storage.
> >>> Again, I might be misunderstanding your use-case. let me know
> >>>
> >>>
> >>> On Fri, Mar 8, 2019 at 1:23 AM Francois Papon <[email protected]>
> >>> wrote:
> >>>
> >>>> Yes, I agree about using the JWT for a remember me storage,
> >>>> especially for APIs in a distributed / cloud environment.
> >>>>
> >>>> For the session id, how can we match the JWT sent by the consumer with
> >>>> the session id?
> >>>>
> >>>> François Papon
> >>>> [email protected]
> >>>>
> >>>>> Le 07/03/2019 à 21:44, Brian Demers a écrit :
> >>>>> I would agree on the bearer token use cases, though that would
> >>>>> likely be dependent on a given realm (where to validate the bearer token)
> >>>>>
> >>>>> I'm not sure using a JWT as the session id would add much value.  We
> >>>>> would still need to look up an existing session, so the session key would
> >>>>> just be bigger?
> >>>>>
> >>>>> I have been thinking about how we could use JWTs for a remember me
> >>>>> storage, which might be inline with what we are doing now. (just not sure
> >>>>> if there is a demand for it?)
> >>>>>
> >>>>> On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]>
> >>>>> wrote:
> >>>>>
> >>>>>> I think that the session cache manager is a very nice feature in
> >>>>>> Shiro and I was thinking about using the compact representation of JWT
> >>>>>> as the session id in the cache manager.
> >>>>>>
> >>>>>> This could be very useful because we just have to decrypt the JWT
> >>>>>> on login and store the user profile in the cache manager.
> >>>>>>
> >>>>>> So after that, the calls will only be checked in the cache without
> >>>>>> need to decrypt the JWT. The session validation could also be managed
> >>>>>> by the session scheduler.
> >>>>>>
> >>>>>> I think it makes sense for API calls for API gateway security
> >>>>>> policies for example.
> >>>>>>
> >>>>>> regards,
> >>>>>>
> >>>>>> François Papon
> >>>>>> [email protected]
> >>>>>>
> >>>>>>> Le 07/03/2019 à 00:15, Brian Demers a écrit :
> >>>>>>> What use cases are you thinking about targeting ?
> >>>>>>>
> >>>>>>>
> >>>>>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hi guys,
> >>>>>>>>
> >>>>>>>> I would like to start a thread about JWT.
> >>>>>>>>
> >>>>>>>> We already have a shiro-jaxrs module and I think it would be nice
> >>>>>>>> for Shiro to be able to use JWT.
> >>>>>>>>
> >>>>>>>> There are some existing implementations (Apache CXF JOSE, Apache
> >>>>>>>> Geronimo microprofile...) and for me it makes sense to have an
> >>>>>>>> implementation of JWT in Shiro.
> >>>>>>>>
> >>>>>>>> Thoughts?
> >>>>>>>>
> >>>>>>>> regards,
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> François Papon
> >>>>>>>> [email protected]
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
>

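
Added example (not code from Shiro, nor from anyone in this thread): one way to build what Brian describes at the top of the thread, a bearer token handled exactly like Basic auth. The filter only lifts the `Authorization: Bearer` header into an AuthenticationToken; a Realm decides that the credential is a JWT and validates it; the JWT library is hidden behind a small verifier interface so it stays an implementation detail. `AuthenticatingFilter`, `AuthorizingRealm`, `SimpleAuthenticationInfo`, `AllowAllCredentialsMatcher` and the overridden methods are real Shiro 1.x API. `BearerToken`, `BearerTokenFilter`, `VerifiedToken`, `TokenVerifier`, `JjwtVerifier` and `JwtBearerRealm` are names invented for this example, and the jjwt 0.11 dependency (`io.jsonwebtoken`) is an assumed choice; the `roles` claim name is likewise an assumption.

```java
import java.security.Key;
import java.util.List;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/** Hypothetical token type: carries the raw bearer string; only a realm decides what it means. */
class BearerToken implements AuthenticationToken {
    private final String raw;
    BearerToken(String raw) { this.raw = raw; }
    @Override public Object getPrincipal() { return null; } // unknown until a realm has validated it
    @Override public Object getCredentials() { return raw; }
}
/** Hypothetical filter: lifts "Authorization: Bearer <token>" off the request, as Basic auth is lifted. */
class BearerTokenFilter extends AuthenticatingFilter {
    @Override protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String header = ((HttpServletRequest) request).getHeader("Authorization");
        // Scheme name is case-insensitive (RFC 6750); the token string is passed through untouched.
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        String raw = header.substring(7).trim();
        return raw.isEmpty() ? null : new BearerToken(raw);
    }
    @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (createToken(request, response) == null) return challenge(response); // no credential: 401
        return executeLogin(request, response); // Subject.login(token) -> realm.doGetAuthenticationInfo
    }
    @Override protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                               ServletRequest request, ServletResponse response) {
        return challenge(response); // bad or expired token: same 401, no detail leaked to the caller
    }
    private boolean challenge(ServletResponse response) {
        HttpServletResponse http = (HttpServletResponse) response;
        http.setHeader("WWW-Authenticate", "Bearer realm=\"api\"");
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // stop the filter chain
    }
}
/** Verified claims; used as the Shiro principal so the roles travel with the Subject. */
class VerifiedToken {
    final String subject;
    final List<String> roles;
    VerifiedToken(String subject, List<String> roles) { this.subject = subject; this.roles = roles; }
}
/** The JWT library sits behind this seam; the realm never sees it. */
interface TokenVerifier {
    VerifiedToken verify(String raw) throws AuthenticationException;
}
/** One verifier, on jjwt 0.11 (assumed dependency): HS256 with a shared key and a pinned issuer. */
class JjwtVerifier implements TokenVerifier {
    private final Key key;
    private final String issuer;
    JjwtVerifier(Key key, String issuer) { this.key = key; this.issuer = issuer; }
    @Override public VerifiedToken verify(String raw) throws AuthenticationException {
        try {
            // parseClaimsJws rejects unsigned ("alg":"none"), wrongly signed and expired tokens;
            // requireIssuer rejects tokens minted for some other deployment.
            Claims c = Jwts.parserBuilder().setSigningKey(key).requireIssuer(issuer).build()
                    .parseClaimsJws(raw).getBody();
            @SuppressWarnings("unchecked")
            List<String> roles = c.get("roles", List.class); // "roles" claim name is an assumption
            return new VerifiedToken(c.getSubject(), roles);
        } catch (JwtException | IllegalArgumentException e) {
            throw new AuthenticationException("invalid bearer token", e);
        }
    }
}
/** Hypothetical realm: the only component that knows the credential is a JWT. */
class JwtBearerRealm extends AuthorizingRealm {
    private final TokenVerifier verifier;
    JwtBearerRealm(TokenVerifier verifier) {
        this.verifier = verifier;
        setAuthenticationTokenClass(BearerToken.class);          // supports() now matches only BearerToken
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // the signature check already ran in verify()
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        VerifiedToken vt = verifier.verify((String) token.getCredentials());
        return new SimpleAuthenticationInfo(vt, token.getCredentials(), getName());
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        VerifiedToken vt = principals.oneByType(VerifiedToken.class);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (vt != null && vt.roles != null) info.addRoles(vt.roles);
        return info;
    }
}
```

Register `JwtBearerRealm` with the SecurityManager and map `BearerTokenFilter` onto the API paths. Two points the thread raised fall out of this shape: the filter never inspects the token, so swapping HS256 for RS256/JWKS, or jjwt for CXF JOSE, means writing another `TokenVerifier` and touching nothing else; and because `AllowAllCredentialsMatcher` is used, the realm must never return info for a token that `verify()` did not fully check (signature, `exp`, issuer), since nothing downstream checks it again. For the cookie-free API case François asked about, put Shiro's `noSessionCreation` filter ahead of this one so a validated bearer token does not mint a server-side session on every call.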