[keycloak-user] JWT discussion on microprofile.io list

Scott Stark sstark at redhat.com
Wed Jan 25 13:39:15 EST 2017


Hey guys, can someone who is going to be involved with the JSR 375: Java EE Security API effort comment on the use of the JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519 as a means of propagating an authenticated subject and workflow roles.

There is a discussion about this that is in early stages over on the Microprofile.io google group:
https://groups.google.com/forum/#!topic/microprofile/gakCq7kSBsY

The last comment I made that you could critique was:

"
I think the minimum starting use case is that a user has a workflow that involves 2 or more micro services. They are using an IdP to produce a JWT that has a subject and workflow associated roles.

What they need is the ability to configure the micro services to:
1. accept that JWT is valid. This goes to defining acceptable signatures and encryption. A default implementation of a javax.security.auth.message.module.ServerAuthModule that illustrates this would be needed for a compatibility test.
2. Some security configuration definition that allows for the mapping of the subject and workflow roles into the security domains of the containers hosting the micro services.

It seems like the aud(iences) field of the token could be used for the purpose of the roles:
aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
"
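As an added illustration of the two steps in the quoted comment (accept that the JWT is valid, then map subject and workflow roles into a local security domain), here is a stand-alone Python example; it is not code from the thread, Keycloak or JSR 375. It assumes an HS256 shared secret between IdP and service (the thread does not fix an algorithm), carries the roles in `aud` as the comment proposes, and uses a constructed `ROLE_MAP` table in place of a real container security-domain configuration; the JASPIC ServerAuthModule wiring is left out.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    # JWT segments are unpadded base64url (RFC 7515); restore padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def as_list(aud):
    # RFC 7519: aud is an array of strings, or a single string when there is one audience
    return [aud] if isinstance(aud, str) else list(aud)

def mint_hs256(claims, key):
    # Stand-in for the IdP (constructed for the demo): HS256 over header.payload
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token, key, expected_aud, now=None):
    """Return the claims if the token is acceptable, else raise ValueError.
    Checks: three segments; alg is the one this service is configured for
    (the header is never trusted to choose it); HMAC compared in constant time;
    exp present and in the future; this service's client_id is in aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(b))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if expected_aud not in as_list(claims.get("aud", [])):
        raise ValueError("audience mismatch")
    return claims

# Container-side mapping from audience values to local role names (constructed)
ROLE_MAP = {"orders-service": {"order-reader"}, "billing-service": {"invoice-writer"}}

def principal_and_roles(claims):
    # Map the subject and the workflow roles carried in aud, as the thread proposes
    roles = set().union(*(ROLE_MAP.get(a, set()) for a in as_list(claims["aud"])))
    return claims["sub"], roles
```

A token whose `aud` names a service this container does not know simply yields no local roles, which is the safe default for the mapping step.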

