Hi Sergey, I think I have understood what you mean, so the JWT has nothing to do with the OAuth flows.
In my case though, when a client server needs access to my API, it does so with the access token obtained via the client credentials grant. Each token (default bearer type) has registered scopes which govern the parts of the API the client can access. According to the documentation, it's the OAuthRequestFilter and OAuthScopesFilter that make this restriction happen. I am using the @Scopes annotation on my controllers.

Now, the client can also make requests with a JWT (issued by the client's server). The client signs the JWT with their client secret and sends me (the API server) the JWT along with the client id (so that I can verify it with the corresponding secret). The JWT claims have a list of scopes along with some other identification info.

This is where I need some sort of convergence between the 2 flows. Once I have the scopes, I want to process them in such a way that I use them the way I use the scopes in the access token (via client credentials). So, for this to happen, I think I would need some sort of modification in my OAuthRequestFilter, which would also accept JWT tokens, validate them and extract the scopes. Then, it should work seamlessly with the OAuthScopesFilter.

I hope you understood what I mean. I am very new to this, so it would be great if you could just point me in the right direction. I am thinking of implementing a custom Filter to replace the OAuthRequestFilter, but I am not too sure how to proceed.

Thanks and Regards,
Rajan

--
View this message in context: http://cxf.547215.n5.nabble.com/Support-both-Bearer-and-JWT-tokens-tp5766050p5766172.html
Sent from the cxf-user mailing list archive at Nabble.com.
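The convergence the post asks for, sketched as an added example that is not part of the thread and does not use CXF's own OAuthRequestFilter/OAuthScopesFilter API: one request-filter step accepts either an opaque bearer token or a client-signed JWT and reduces both to a single scope set, which the scope-check step then consumes. It assumes an Authorization scheme named JWT, the client id in an X-Client-Id header, HS256 signing with the client secret, and constructed token and secret values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data (hypothetical values): one opaque client-credentials token, one client secret.
BEARER_TOKENS = {"opaque-token-123": {"client_id": "client-a", "scopes": ["read", "write"]}}
CLIENT_SECRETS = {"client-a": b"client-a-secret"}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jwt(claims, secret):
    """Build an HS256 JWT the way the client's server would; used here only to construct input."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{enc(sig)}"

def validate_jwt(token, client_id, now=None):
    """Verify the JWT with the secret registered for client_id; return its scopes, or None if invalid."""
    secret, parts = CLIENT_SECRETS.get(client_id), token.split(".")
    if secret is None or len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("iss") != client_id or claims.get("exp", 0) <= (now or time.time()):
        return None
    scope = claims.get("scope", [])  # accept a space-delimited string or a list of scopes
    return set(scope.split()) if isinstance(scope, str) else set(scope)

def extract_scopes(headers):
    """Unified request-filter step: the caller's scope set from either token form, or None."""
    scheme, _, data = headers.get("Authorization", "").partition(" ")
    if scheme == "Bearer" and data in BEARER_TOKENS:
        return set(BEARER_TOKENS[data]["scopes"])
    if scheme == "JWT":  # assumed scheme name; client id assumed to arrive in X-Client-Id
        return validate_jwt(data, headers.get("X-Client-Id"))
    return None

def is_allowed(headers, required_scopes):
    """Scope-filter step: every scope the endpoint requires (its @Scopes) must be held by the caller."""
    scopes = extract_scopes(headers)
    return scopes is not None and set(required_scopes) <= scopes
```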
