Hi,

Speaking of competing specs and projects Red Hat does under the Eclipse Foundation: Vert.x, also a competing project to WildFly or Quarkus, talks about JWT RBAC: https://vertx.io/docs/vertx-auth-oauth2/java/#_role_based_access_control

Role Based Access Control

OAuth2 is an AuthN protocol, however OpenId Connect adds JWTs to the token format, which means that AuthZ can be encoded at the token level. Currently there are 2 known JWT AuthZ formats:
- Keycloak
- MicroProfile JWT 1.1 spec (from the auth-jwt module)

Meaning Keycloak does not fully comply with or use MP JWT either ;-)

Kind Regards,
Werner

For specification projects in a related space, the existence of more than one needs to be justified. There is a reason everyone involved in specification/standards work raises this well-trodden satire at some point:
So what do you propose instead then? Having a Jakarta Full profile or so that includes both EE and MP? As a Jakarta EE user, we can now freely use Form, Basic, OpenID Connect, but not JWT. Even when a MP profile JWT implementation is added, it's not necessarily based on Jakarta Security. Even in a Jakarta EE server that already includes MP components, its JWT implementation does not necessarily have to be Jakarta Security based. Meaning, things like additional identity stores, interceptors, etc. are not being picked up for JWT or may even clash.
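Werner's message above lists two JWT authorization claim layouts, Keycloak's and MicroProfile JWT 1.1's. The thread does not spell out the claim names, so here they are taken from the respective specs and documentation, not from the thread: MP JWT 1.1 requires a flat "groups" array, while Keycloak issues realm roles under "realm_access.roles" and per-client roles under "resource_access.<client>.roles". The following is an added example, not code from Vert.x, Keycloak, WildFly, Quarkus or the MP JWT project: a standard-library-only Python sketch that first verifies an HS256 signature (pinning the algorithm so an "alg": "none" header is rejected) and only then collects roles from both layouts. The key, issuer, client id and tokens are constructed for the demonstration.

```python
"""Verify an HS256 JWT and collect roles from the two claim layouts named
in the thread: MicroProfile JWT 1.1 ("groups") and Keycloak
("realm_access.roles" / "resource_access.<client>.roles").
Added example; only the Python standard library is used."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact-serialised HS256 JWT (used here only to build demo tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the signature checks out; raise ValueError otherwise.

    The algorithm is pinned to HS256 before any crypto happens, so a token whose
    header says "none" (or switches algorithm) is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def roles_from_claims(claims: dict, client_id: Optional[str] = None) -> set:
    """Union of roles found under the MP JWT 1.1 and Keycloak claim layouts.

    MP JWT 1.1 mandates a flat "groups" array. Keycloak puts realm roles under
    realm_access.roles and per-client roles under resource_access.<client>.roles.
    Client roles are only collected for the client_id the caller names, so that
    a role granted for another client does not leak into this application."""
    roles = set(claims.get("groups", []))
    roles.update(claims.get("realm_access", {}).get("roles", []))
    if client_id is not None:
        client_roles = claims.get("resource_access", {}).get(client_id, {})
        roles.update(client_roles.get("roles", []))
    return roles


# Constructed key, client id and tokens for the demonstration; not real credentials.
KEY = b"constructed-demo-hmac-key-not-for-production"
CLIENT_ID = "demo-app"
MP_TOKEN = sign_hs256({"iss": "https://issuer.example", "upn": "alice@example.com",
                       "groups": ["admin", "user"]}, KEY)
KEYCLOAK_TOKEN = sign_hs256({"iss": "https://issuer.example", "preferred_username": "bob",
                             "realm_access": {"roles": ["user"]},
                             "resource_access": {CLIENT_ID: {"roles": ["admin"]},
                                                 "other-app": {"roles": ["owner"]}}}, KEY)


def roles_for(token: str, key: bytes = KEY, client_id: Optional[str] = CLIENT_ID) -> set:
    """Verify, then extract; callers never see claims from an unverified token."""
    return roles_from_claims(verify_hs256(token, key), client_id)


if __name__ == "__main__":
    print("MP JWT roles:   ", sorted(roles_for(MP_TOKEN)))
    print("Keycloak roles: ", sorted(roles_for(KEYCLOAK_TOKEN)))
```

The point worth keeping in mind when wiring either layout into a container's security framework: the role extraction is the easy part, and it is deliberately kept behind signature verification and an algorithm pin so that a forged payload or an unsigned token can never reach it.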