Hey guys, can someone who is going to be involved with the JSR 375: Java™ EE Security API
effort comment on the use of the JSON Web Token (JWT)
https://tools.ietf.org/html/rfc7519
as a means of propagating an authenticated subject and workflow roles.
There is a discussion about this that is in early stages over on the Microprofile.io
Google group:
https://groups.google.com/forum/#!topic/microprofile/gakCq7kSBsY
The last comment I made that you could critique was:
"
I think the minimum starting use case is that a user has a workflow that involves 2 or
more micro services. They are using an IdP to produce a JWT that has a subject and
workflow associated roles.
What they need is the ability to configure the micro services to:
1. accept that the JWT is valid. This goes to defining acceptable signatures and encryption. A
default implementation of a javax.security.auth.message.module.ServerAuthModule that
illustrates this would be needed for a compatibility test.
2. Some security configuration definition that allows for the mapping of the subject and
workflow roles into the security domains of the containers hosting the micro services.
It seems like the aud(iences) field of the token could be used for the purpose of the
roles:
aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0
client_id of the Relying Party as an audience value. It MAY also contain identifiers for
other audiences. In the general case, the aud value is an array of case sensitive strings.
In the common special case when there is one audience, the aud value MAY be a single case
sensitive string.
"