- The bridge spec would actually be a subset of MP JWT and Jakarta Security
- The part of the MicroProfile JWT spec, which the proposal refers to, would be moved to this new bridge spec
- The parts related to Jakarta Security would be added to the Jakarta Security spec directly
- Both Jakarta Security and MicroProfile JWT would depend on this bridge spec, which specifies a common format of the JWT, validation and handling of the JWT
As a result, the spec would reside in Jakarta EE and it would define basically only the common format of the JWT, validation and handling of the JWT. Jakarta Security would define @JwtAuthenticationMechanismDefinition and injecting claims on top of it. MicroProfile JWT would define JsonWebToken on top of it and means of configuration using MicroProfile Config.
If we'd like to make it even simpler, the whole bridge spec could be part of Jakarta Security, which would define it as a profile or a subspec. Then MicroProfile would require only this profile/subspec of Jakarta Security.
I'm proposing this with the assumption that the format of the JWT, validation and handling of the JWT is already pretty stable in MicroProfile JWT and it would rarely or never need to be updated. Then it doesn't matter if it stays in MP JWT or in Jakarta EE and it would greatly simplify the solution for Jakarta Security and MicroProfile JWT interlock.
Ondro