Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jakartaee-platform-dev] Moving MicroProfile JWT to Jakarta Security?

I agree with Arjan here, the functionality of MP JWT would normally be in Jakarta Security if it wasn't delayed so much. The same applies to some other specifications in MP, e.g. Rest client is basically an extension to Jakarta REST and all of it would be natural to have in Jakarta REST. Config was planned for Java EE 8 but didn't make it, and then it was created in MP. But for a long time it was desired in Java EE and Jakarta EE, and the fact that it's now in MP shouldn't block adding Config to Jakarta EE.

I also agree with David and the CN4J document that we shouldn't duplicate the effort. But the CN4J document also states that specs can move between working groups freeley, so MP JWT can move to Jakarta if it makes sense.

What I would like is that MP JWT moves to Jakarta Security and Jakarta Security creates a lite profile, which could be included in Jakarta Core Profile, and thus in MicroProfile. In the same way as CDI created a new lite profile which will replace full CDI in MicroProfile 6.0.

With this approach, plain Jakarta EE would have a solution for JWT and many other authentication mechanisms, without relying on Microprofile. And yes, there are still plain Jakarta EE implementations without Microprofile or with just parital MicroProfile support. Also, keep in mind that the Jakarta Security team planned to support JWT for a long time and relying on MicroProfile is not an ideal option here in the long run.

Microprofile would still include only JWT, without the remaining parts of Jakarta Security and potential dependency on Servlet.

Any objections to this approach?

All the best,
Ondro Mihalyi

Director, Jakarta EE expert
OmniFish - Jakarta EE Consulting & Support |
Omnifish OÜ, Narva mnt 5, 10117 Tallinn, Estonia | VAT: EE102487932

On Wed, Nov 9, 2022 at 3:32 PM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:

On Tue, Nov 8, 2022 at 9:55 PM David Blevins <dblevins@xxxxxxxxxxxxx> wrote:
MP JWT does define bindings for EJB, Servlets, JACC, JASPIC, etc.

True, although essentially spelling out everything is unnecessary if one just says that MP JWT in a Jakarta EE environment is/exposes itself as an Jakarta Security Authentication Mechanism. All those other things then follow from that. Specifically this authentication mechanism bit is missing there. I do see identity store being mentioned, and perhaps it comes from the confusion that many people have between the concept of an authentication mechanism (FORM, BASIC, etc) and an identity store (DB, LDAP, FILE, etc). 

# Procedural

In CN4J we did agree to some technical principles.  One of them is that duplication should be avoided.

That is basically a good thing. The problem here is a little that MP JWT in a sense "hi-jacked" the JWT authentication mechanism from underneath Jakarta Security. Of course it's not that black and white in practice, and there were many valid arguments for MP to introduce JWT in the way it did. But the matter of fact remains that Jakarta Security planned for a number of authentication mechanisms that went beyond the ones provided by servlet, such as Open ID Connect (OAuth) and JWT. 

These didn't make it into 1.0, and because of the move to Eclipse the new features effort was stalled for years. In that timeframe JWT was introduced in MP. Currently Jakarta EE is open for new features again, but it finds some features are now "controversial" only because MP implemented them in the meantime. Again, there was no malintent (I was even part of the original MP JWT team then), but it's an unfortunate situation.

Kind regards,
Arjan Tijms



Copying MP JWT would violate the principles we agreed on.  The process for getting agreement between the two groups for a move is basically:

 - Create a proposal and get a member of each WG to sponsor (endorse) it
 - Once sponsored, both WGs independently vote to approve it
 - If both WGs agree, it can move forward

Hope this helps.


jakartaee-platform-dev mailing list
To unsubscribe from this list, visit
jakartaee-platform-dev mailing list
To unsubscribe from this list, visit

Back to the top