Re: [jakartaee-platform-dev] Moving MicroProfile JWT to Jakarta Security

[Romain Manni-Bucau <rmannibucau@xxxxxxxxx>]

Hi,

I think that, as requiring jaspic for microprofile would be bad - servlet is implicitly required anyway by MP is read carefully, requiring jaxrs for servlet - mp - would be as bad.

At the end, JWT support is just about having a bean able to read/validate a jwt and provide a model user can rely on to validate its business - @RoleAllowed support got proven not good enough and users tend to redo their own interceptors anyway IMHO.

So think providing a spec more designed as a lib would be beneficial to the ecosystem*s* and would stay portable accross stacks and profiles, anything else seems like adding yet another security lib which would probably get the same level of adoption than exsting ones but add more noise to the MP/jakarta ecosystem.

Just my 2 cts indeed.

Romain Manni-Bucau
@rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book

Le dim. 6 nov. 2022 à 08:36, Hamed Hatami <hamedhatami2012@xxxxxxxxx> a écrit :

Hi all 

I also think, JWT would be really necessary to be added to Jakarta EE and I guess MicroProfile is nifty 

BR,

Hamed

On Sun, Nov 6, 2022, 08:25 Rudy De Busscher <rdebusscher@xxxxxxxxx> wrote:

Yes, my reply could be interpreted otherwise as intended.

MicroProfile JWT does not rely on Servlet and Jaspic today.  If we integrate the spec into Jakarta Security, it does require it and this means several runties are no longer able to implement it.

Rudy

On Sat, 5 Nov 2022 at 18:16, arjan tijms <arjan.tijms@xxxxxxxxx> wrote:

Hi,

On Saturday, November 5, 2022, Rudy De Busscher <rdebusscher@xxxxxxxxx> wrote:

Integration into Jakarta Security is not a valid approach as that one has dependencies on Servlet and JASPIC which we don't have for MicroProfile.

Integration into Jakarta Security itself is valid, as Jakarta EE and Jakarta Security have no issues with Servlet and the authentication Servlet container profile. So we can copy JWT to Jakarta Security without any problems.

But I think you mean something else here? 

Kind regards,

Arjan Tijms

 

Moving the Spec to Jakarta like what is done now for Config is a valid approach and recommended in my opinion and this seems logical for most developers (especially now that we have the Core profile that is created specifically to bring over the MicroProfile specs) 

Regards

Rudy

 

On Sat, 5 Nov 2022 at 00:39, Emily Jiang via jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx> wrote:

+1 on what David said!

We should not spend time copying and pasting from one spec to another as our end users are using both technologies together. Having two similar things in both places does not bring any additional value but confusion. We should focus our limited resources on the area that MicroProfile and Jakarta EE have not covered. Jakarta EE and MicroProfile should work together as a unit to gain more popularity and become more and more successful.

Thanks

Emily

On Fri, Nov 4, 2022 at 9:47 PM David Blevins <dblevins@xxxxxxxxxxxxx> wrote:

We could also go work on MP JWT and include that in our implementations?

-- 

David Blevins

http://twitter.com/dblevins
http://www.tomitribe.com

On Nov 4, 2022, at 12:12 PM, arjan tijms <arjan.tijms@xxxxxxxxx> wrote:

Hi,

In Jakarta Security we had long ago planned to include a JWT authentication mechanism. Some prototypes from around 2016 are still testimony to that.

Meanwhile, MicroProfile has specified JWT, and a couple of implementations of it (such as Payara, OmniFaces and SmallRye) are internally based on Jakarta Security.

We have discussed moving or copying MP specs to EE before, but nothing concrete has been established. Therefore I wonder how to proceed here. 

Do we copy over the MP JWT spec to a section in Jakarta Security and somehow keep them in sync?

Or do we reference the MP JWT spec from the Jakarta Security spec with text like: a compliant implementation should provide an authentication mechanism that behaves exactly like MP JWT with the following differences…

Or something else?

Thoughts?

Kind regards,

Arjan Tijms

_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/es-dev

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

--

Thanks
Emily

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev