MP JWT to produce Json Web Token #109

Open
Emily-Jiang opened this issue Aug 31, 2018 · 17 comments
@Emily-Jiang
Member

Emily-Jiang commented Aug 31, 2018

At the moment, different vendors choose different ways to produce Json Web Tokens. It does not help with app's portability (contradicts MP's portability mission). Should we define a common way to generate Json Web Token and maybe make MP a token issuer?

@Emily-Jiang
Member Author

Talked about this on today's hangout. MP JWT can create a factory to abstract the token creation layer, and then a microservice developer can just call the factory to get a JSON web token. This is a great abstraction layer to hide the internal differences among different vendors and make microservices portable.

@sberyozkin
Contributor

Hi, but tokens are issued by the authorization servers?

@hrstoyanov

I do need to create a token out of an HTTP request, see OpenLiberty/open-liberty#6087

@sberyozkin
Contributor

@hrstoyanov but it is not about issuing the tokens. The token is either available in the HTTP request or not, if yes - it was either issued by the OIDC provider or self-issued by the client. I'd say your issue is more related to #120.
For ex, issuing the tokens (access, id or refresh tokens), managing them as part of various SSO flows, etc, is all a complex process, which is not something MP JWT should get into IMHO

@sberyozkin
Contributor

Though having a builder style API for generating the self-issued tokens as I believe implied by @Emily-Jiang may be a nice enhancement. I might give it a go and do a PR a bit later on

@sberyozkin
Contributor

A bit of a challenge there is that JsonWebToken is, in case of MP JWT, an instance of JWS, and may also become an instance of JWE. That said, this would-be API should be as simple as possible, as opposed to becoming a complete JOSE builder API... have claim setters plus either the signing or encrypting (keys)

@hrstoyanov

@sberyozkin
The question is why can't we do:

@Inject
Optional<JsonWebToken> token;

because the presence of JWT is optional in the request headers.

We can inject Optional config properties with MP-CONFIG, so why not the same for JWT?

@sberyozkin
Contributor

@hrstoyanov I'm not disagreeing with you :-), just saying IMHO this is not relevant to this specific issue

@hrstoyanov

@sberyozkin
Sorry then. I do remember filing #120, not sure when it will be included in the MP JWT specs

@sberyozkin
Contributor

Hi All
I've started working on the API which I'm hoping to make available for the discussion and the team review in January 2020. Thanks.

@sberyozkin
Contributor

sberyozkin commented Dec 18, 2019

It is in progress. Note both signing and encrypting the tokens will be part of the PR

@sberyozkin
Contributor

sberyozkin commented Jan 21, 2020

I've asked our users to stress a bit the smallrye-jwt API, I'll start preparing a PR for MP JWT for the colleagues to review

@sberyozkin
Contributor

sberyozkin commented Jan 21, 2020

Hi Emily @Emily-Jiang, basically the API I'll be submitting is structured around your idea, thank you :-). I hope it will be accepted well. It is not going as far as making MP JWT a fully fledged issuer as it will move it into a possibly out of scope territory. But what we can do is that when no issuer claim is set by the user code, then the builder will default to something like http://..../mpjwt, something like that.
Please give me a few weeks and the PR will be available, cheers

@Emily-Jiang
Member Author

Thank you @sberyozkin for your update! I'm looking forward to seeing the PR!

@sberyozkin added this to the JWT-1.2 milestone Jan 30, 2020

@sberyozkin
Contributor

sberyozkin commented Feb 6, 2020

I'll be working soon on repackaging and documenting the design goals of this API and SPI code, https://github.com/smallrye/smallrye-jwt/tree/master/implementation/src/main/java/io/smallrye/jwt/build.
I appreciate we may decide to change a few things in MP JWT, IMHO the linked code offers a very complete JWT generation API while also being simple enough to implement with any good Jose library.
The main goals in short:

  • be compact
  • have a priority support for the mainstream sign case
  • no mix up of setting the claims with the actual JWS or JWE sequence creation (the flow should be - set the claims, move to setting the headers but only if needed and finally sign or encrypt or inner-sign/nested JWT + encrypt)
  • claim setters should cover what MP JWT JsonWebToken typed getters provide
  • interoperate with any valid JWT consumer server (not tied in to the MP JWT servers only hence a richer algorithm enum support but with an absolute minimum of which ones are required to be supported).

Thanks
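
An added illustration of the flow listed in the comment above (set the claims, move to headers only if needed, then sign). It is not code from this thread, from smallrye-jwt or from MP JWT: `StagedJwtDemo`, its `Claims` and `Jws` classes, the issuer URL, subject and key id are hypothetical, and the RSA key is a throwaway generated at run time.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical staged builder, not the smallrye-jwt or MP JWT API.
public class StagedJwtDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Stage 1: typed claim setters only. Header setters are not reachable here.
    static class Claims {
        private final Map<String, Object> claims = new LinkedHashMap<>();
        Claims issuer(String iss) { claims.put("iss", iss); return this; }
        Claims subject(String sub) { claims.put("sub", sub); return this; }
        Claims expiresAt(long epochSeconds) { claims.put("exp", epochSeconds); return this; }
        Jws jws() { return new Jws(claims); } // optional step, only to set headers
        String sign(PrivateKey key) throws GeneralSecurityException { return jws().sign(key); }
    }
    // Stage 2: optional headers, then the terminal sign step. Claims are frozen.
    static class Jws {
        private final Map<String, Object> headers = new LinkedHashMap<>();
        private final Map<String, Object> claims;
        Jws(Map<String, Object> claims) {
            this.claims = new LinkedHashMap<>(claims); // copy, so later edits do not leak in
            headers.put("alg", "RS256"); headers.put("typ", "JWT");
        }
        Jws keyId(String kid) { headers.put("kid", kid); return this; }
        String sign(PrivateKey key) throws GeneralSecurityException {
            String input = encode(headers) + "." + encode(claims);
            Signature rs256 = Signature.getInstance("SHA256withRSA");
            rs256.initSign(key);
            rs256.update(input.getBytes(StandardCharsets.US_ASCII));
            return input + "." + B64.encodeToString(rs256.sign());
        }
    }
    // Minimal JSON for flat maps of strings and numbers, enough for this demo.
    static String encode(Map<String, Object> m) {
        String json = m.entrySet().stream().map(e -> "\"" + e.getKey() + "\":"
            + (e.getValue() instanceof Number ? e.getValue().toString()
               : "\"" + e.getValue().toString().replace("\\", "\\\\").replace("\"", "\\\"") + "\""))
            .collect(Collectors.joining(",", "{", "}"));
        return B64.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate(); // constructed throwaway key
        System.out.println(new Claims().issuer("https://issuer.example").subject("alice")
            .expiresAt(System.currentTimeMillis() / 1000 + 300).jws().keyId("demo-key-1").sign(key));
    }
}
```

Because `Jws` exposes no claim setters and `Claims` exposes no header setters, the compiler enforces the ordering the comment asks for, and the direct `Claims.sign` shortcut keeps the common sign-only case to a single chain.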

@asterisk360-admin

Hello, @sberyozkin, how can I help you to test this API?

@sberyozkin
Contributor

Hi All, please see #149.
I'll follow up with some description tomorrow.
Will also follow up with a few basic TCK tests to start with once we are happy with it.
Thanks
