Yeah! It sounds very good ;)

I fully agree, let's move forward first on the OAuth2 support!

thanks

François Papon
[email protected]

On 11/03/2019 at 18:39, Brian Demers wrote:
> For Bearer tokens (IMHO), we should treat it the same way we deal with
> Basic auth. Create an AuthenticationToken based on the input, and let a
> Realm implementation deal with it.
>
> For minting the actual token, we start getting into the OAuth2 IdP
> territory (once you start thinking about validating tokens, revocation,
> etc).
> I do think Shiro really really needs to add support for OAuth2 Resource
> Servers and Authentication Code Flow.
>
> There is some overlap with JWT (for OIDC use cases), but I'd rather approach
> them from the OAuth/OIDC point of view and make the JWT lib an
> implementation detail.
>
> This does NOT cover all of the use cases where JWTs could be used, I'd just
> like to see us think about the feature first.
> I'm not trying to kill the discussion either, I think this is a great topic
> :)
>
> On Sun, Mar 10, 2019 at 3:58 AM Francois Papon <[email protected]> wrote:
>
>> Yes, that's it :)
>>
>> François Papon
>> [email protected]
>>
>> On 10/03/2019 at 10:49, Brian Demers wrote:
>>> The JWT as a Bearer token? Used with an Authorization header?
>>>
>>> -Brian
>>>
>>>> On Mar 10, 2019, at 12:00 AM, Francois Papon <[email protected]> wrote:
>>>> Hi Brian,
>>>>
>>>> I'm thinking if it's possible to use JWT instead of cookie.
>>>>
>>>> I'm not sure that cookie is mandatory in api calls because an api can be
>>>> called by a backend application or another api.
>>>>
>>>> François Papon
>>>> [email protected]
>>>>
>>>>> On 08/03/2019 at 18:40, Brian Demers wrote:
>>>>> Using a JWT as an auth token (bearer or otherwise) should be dependent
>>>>> on a realm's implementation IMHO.
>>>>>
>>>>> Using a JWT as a session id direction is a different topic. In this
>>>>> case I don't think it would provide any benefit (but I could be wrong or
>>>>> missing something here)
>>>>> The session id would be larger (more bits in the request/response
>>>>> payloads), and on the server side you would still incur a session lookup
>>>>> from storage.
>>>>> Again, I might be misunderstanding your use-case. Let me know
>>>>>
>>>>> On Fri, Mar 8, 2019 at 1:23 AM Francois Papon <[email protected]> wrote:
>>>>>
>>>>>> Yes, I agree about using the JWT for a remember me storage, especially
>>>>>> for APIs in a distributed / cloud environment.
>>>>>>
>>>>>> For the session id, how can we match the JWT sent by the consumer with
>>>>>> the session id?
>>>>>>
>>>>>> François Papon
>>>>>> [email protected]
>>>>>>
>>>>>>> On 07/03/2019 at 21:44, Brian Demers wrote:
>>>>>>> I would agree on the bearer token use cases, though that would likely be
>>>>>>> dependent on a given realm (where to validate the bearer token)
>>>>>>>
>>>>>>> I'm not sure using a JWT as the session id would add much value. We would
>>>>>>> still need to look up an existing session, so the session key would just be
>>>>>>> bigger?
>>>>>>>
>>>>>>> I have been thinking about how we could use JWTs for a remember me storage,
>>>>>>> which might be inline with what we are doing now. (just not sure if there
>>>>>>> is a demand for it?)
>>>>>>>
>>>>>>> On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]> wrote:
>>>>>>>
>>>>>>>> I think that the session cache manager is a very nice feature in Shiro
>>>>>>>> and I was thinking about using the compact representation of JWT as the
>>>>>>>> session id in the cache manager.
>>>>>>>>
>>>>>>>> This could be very useful because we just have to decrypt the JWT on
>>>>>>>> login and store the user profile in the cache manager.
>>>>>>>>
>>>>>>>> So after that, the calls will only be checked in the cache without need to
>>>>>>>> decrypt the JWT. The session validation could also be managed by the
>>>>>>>> session scheduler.
>>>>>>>>
>>>>>>>> I think it makes sense for api calls for api gateway security policies
>>>>>>>> for example.
>>>>>>>>
>>>>>>>> regards,
>>>>>>>>
>>>>>>>> François Papon
>>>>>>>> [email protected]
>>>>>>>>
>>>>>>>>> On 07/03/2019 at 00:15, Brian Demers wrote:
>>>>>>>>> What use cases are you thinking about targeting?
>>>>>>>>>
>>>>>>>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi guys,
>>>>>>>>>>
>>>>>>>>>> I would like to start a thread about JWT.
>>>>>>>>>>
>>>>>>>>>> We already have a shiro-jaxrs module and I think it would be nice for
>>>>>>>>>> Shiro to be able to use JWT.
>>>>>>>>>>
>>>>>>>>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
>>>>>>>>>> microprofile...) and for me it makes sense to have an implementation of
>>>>>>>>>> JWT in Shiro.
>>>>>>>>>>
>>>>>>>>>> Thoughts?
>>>>>>>>>>
>>>>>>>>>> regards,
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> François Papon
>>>>>>>>>> [email protected]
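As an added illustration (not code from this thread, and not Shiro's own implementation), here is what "treat it the same way we deal with Basic auth" could look like on Shiro's real base classes: a token type that only carries the Authorization header value, a filter that builds it, and a realm that does all validation behind a hypothetical JwtVerifier seam so the JWT library stays an implementation detail. BearerToken, BearerAuthenticatingFilter, JwtBearerRealm and JwtVerifier are names assumed for this example.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Carries the raw bearer string; only the realm decides what it means (assumed name). */
class BearerToken implements AuthenticationToken {
    private final String token;
    BearerToken(String token) { this.token = token; }
    public Object getPrincipal() { return null; }      // unknown until the realm has validated it
    public Object getCredentials() { return token; }
}

/** Hypothetical seam over whatever JWT library the deployment picks. */
interface JwtVerifier {
    /** Returns the subject once signature, exp, iss and aud are verified; throws otherwise. */
    String verifiedSubject(String compactJwt) throws Exception;
}

/** Mirrors BasicHttpAuthenticationFilter, but for the "Bearer" scheme (assumed name). */
class BearerAuthenticatingFilter extends AuthenticatingFilter {
    protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
        String h = WebUtils.toHttp(req).getHeader("Authorization");
        if (h == null || !h.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        return new BearerToken(h.substring(7).trim());
    }
    protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        if (createToken(req, resp) != null && executeLogin(req, resp)) return true;
        HttpServletResponse http = WebUtils.toHttp(resp);
        http.setHeader("WWW-Authenticate", "Bearer");  // RFC 6750 challenge; says nothing about why
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}

/** Realm: validation lives here, so the JWT lib is an implementation detail (assumed name). */
class JwtBearerRealm extends AuthenticatingRealm {
    private final JwtVerifier verifier;
    JwtBearerRealm(JwtVerifier v) { verifier = v; setCredentialsMatcher(new AllowAllCredentialsMatcher()); }
    public boolean supports(AuthenticationToken t) { return t instanceof BearerToken; }
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        String jwt = (String) t.getCredentials();
        try {   // the verifier is the only place claims are trusted; no parsing before it runs
            return new SimpleAuthenticationInfo(verifier.verifiedSubject(jwt), jwt, getName());
        } catch (Exception e) {
            throw new AuthenticationException("bearer token rejected", e);
        }
    }
}
```

AllowAllCredentialsMatcher is safe here only because the verifier has already checked the signature and claims before SimpleAuthenticationInfo is built; an unverifiable token surfaces as an AuthenticationException rather than a partially populated subject.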
