[
https://issues.redhat.com/browse/WFWIP-293?page=com.atlassian.jira.plugin...
]
Darran Lofthouse commented on WFWIP-293:
----------------------------------------
[~jkasik] I think this one needs to be rejected, after investigating this one and
attempting to implement a fix there is clearly come ambiguity within the specification
that needs to be clarified. Most importantly this behaviour is within SmallRye JWT which
is already being used within both Thorntail and Quarkus.
After attempting to make the complete set of required claims (Except "upn" which
has a defined fallback strategy) firstly the SmallRye JWT testsuite fails due to missing
claims (if that was the only failure obviously the correct step would be to fix those
tests) - I then execute the MicroProfile JWT TCK with the change and the majority of the
tests subsequently fail so even the TCK is not sending in the "required" set of
claims.
At this stage I don't think it is a good strategy to make this complete set required,
JWT token authentication is very much about interoperability so releasing a strict
implementation I believe will cause more problems than it solves.
The following issue actually already exists against the specification: -
https://github.com/eclipse/microprofile-jwt-auth/issues/128
Also the following issue is questioning the "required" status of the groups
claim: -
https://github.com/eclipse/microprofile-jwt-auth/issues/129
So instead of an immediate code change I am going to see if we can kick start some
discussions to evolve the JWT specification and hopefully in the not too distant future
have a spec with clarifications applied.
Current implementation of MP-JWT doesn't require claims which
should be required
--------------------------------------------------------------------------------
Key: WFWIP-293
URL:
https://issues.redhat.com/browse/WFWIP-293
Project: WildFly WIP
Issue Type: Bug
Components: MP JWT
Reporter: Jan Kasik
Assignee: Darran Lofthouse
Priority: Critical
Chapter 4.1 of MP-JWT 1.1 recommends minimal set of JWT claims which should be required.
Current implementation doesn't check for following claims and returns 200/OK if they
are missing:
* {{upn}}
* {{jti}}
* {{groups}}
* {{iat}}
* {{sub}}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)