jacopoc opened a new pull request, #918: URL: https://github.com/apache/ofbiz-framework/pull/918
Implemented: JWT validation for tokens issued by an external authentication server.

The system now supports two token validation modes:

1) External authentication server (JWK-based): if an issuer is configured in the "security.token.issuer" property, the token is verified using a JWK provider and the issuer's public key used to sign the token.

2) Local HMAC verification: if no issuer is configured, the token is verified locally using an HMAC key derived from the secret key configured in the "security.token.key" property (and optionally a salt). This is the legacy mode, whose behavior is not affected by this change. With the default configuration, this is the method used by OFBiz for token verification.

Change access modifiers and method signatures for token validation methods to allow upcoming implementation for external JWT validation.

Thanks: Anahita Goljahani for the analysis and research about OAuth 2.0/OpenID Connect providers and for the tests with Keycloak and its deployment and configuration.

-- This is an automated message from the Apache Git Service.
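The two validation modes described in the PR, as an added example that is not part of the pull request or of OFBiz (OFBiz is Java; this is a self-contained Go program so that both sides of the exchange run offline). SignRS256 plays the external authentication server, SignHS256 the legacy local issuer, and Validate the OFBiz side that picks the mode from configuration. Everything beyond the two property names is an assumption of this example: the Config struct, the Keys map standing in for the JWK provider's kid lookup, SHA-256(salt||secret) as the HMAC key derivation, the issuer URL and claims used when calling it.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Config carries the two properties the PR names; the struct, the Keys table (standing in for the JWK provider) and the derivation in mac are this example's assumptions.
type Config struct {
	Issuer string                    // security.token.issuer; empty selects the legacy HMAC mode
	Key    string                    // security.token.key
	Salt   string                    // optional salt mixed into the HMAC key
	Keys   map[string]*rsa.PublicKey // issuer keys by kid, as a JWK provider would return them
}

var b64 = base64.RawURLEncoding

// segment encodes one JWT part; Marshal cannot fail for the plain maps used here.
func segment(v any) string {
	b, _ := json.Marshal(v)
	return b64.EncodeToString(b)
}

func parse(seg string, v any) error {
	b, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// mac computes the legacy HMAC-SHA256; SHA-256(salt||secret) as the key is an assumed derivation.
func mac(c Config, data []byte) []byte {
	key := sha256.Sum256([]byte(c.Salt + c.Key))
	m := hmac.New(sha256.New, key[:])
	m.Write(data)
	return m.Sum(nil)
}

// SignHS256 issues a token the legacy local mode accepts.
func SignHS256(c Config, claims map[string]any) string {
	si := segment(map[string]string{"alg": "HS256"}) + "." + segment(claims)
	return si + "." + b64.EncodeToString(mac(c, []byte(si)))
}

// SignRS256 stands in for the external server: RS256 over the signing input, kid in the header.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	si := segment(map[string]string{"alg": "RS256", "kid": kid}) + "." + segment(claims)
	h := sha256.Sum256([]byte(si))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]) // err only on a broken key or RNG
	return si + "." + b64.EncodeToString(sig)
}

// Validate selects the mode from configuration, never from the token header: kid lookup and
// issuer check when Issuer is set, local HMAC otherwise. Pinning the algorithm per mode also
// rejects an RS256 token re-signed as HS256 with the public key.
func Validate(c Config, token string, now time.Time) (map[string]any, error) {
	var hdr map[string]string
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parse(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	si := []byte(parts[0] + "." + parts[1])
	if c.Issuer != "" {
		pub, ok := c.Keys[hdr["kid"]]
		if hdr["alg"] != "RS256" || !ok {
			return nil, fmt.Errorf("issuer mode needs RS256 and a known kid, got alg=%q kid=%q", hdr["alg"], hdr["kid"])
		}
		h := sha256.Sum256(si)
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
			return nil, fmt.Errorf("bad RS256 signature")
		}
	} else if hdr["alg"] != "HS256" || !hmac.Equal(mac(c, si), sig) {
		return nil, fmt.Errorf("local mode: not HS256 or bad signature")
	}
	var claims map[string]any
	if err := parse(parts[1], &claims); err != nil {
		return nil, err
	}
	if c.Issuer != "" && claims["iss"] != c.Issuer {
		return nil, fmt.Errorf("issuer mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}
```

The design point worth checking in any real implementation of these two modes: the accepted algorithm and key come from the configured mode, not from the token's "alg" header. With that pinning, a legacy HS256 token is refused as soon as an issuer is configured, an RS256 token is refused by a deployment with no issuer, and a token whose header was rewritten to HS256 and signed with the issuer's public key fails the RS256 check rather than being verified as an HMAC. The "iss" claim is compared against the configured issuer after the signature is good, and "exp" is enforced in both modes.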
