Re: [jakartaee-platform-dev] [jakarta-security-dev] Jakarta Security and MicroProfile JWT interlock call

Hi,

I'm sorry I couldn't attend the call, I was unexpectedly travelling on Thursday.

I read the google doc with the draft and I have a few thoughts. I understand the following, please correct me if I'm wrong:
  • The new bridge spec would introduce @JwtAuthenticationMechanismDefinition. This annotation doesn't make much sense with MicroProfile JWT and would be ignored in a pure MicroProfile runtime. It would only work in a Jakarta EE runtime, right?
  • No other APIs would be defined by the bridge spec
  • The bridge spec would define that runtimes must comply with some non-API parts of MicroProfile JWT spec
  • The bridge spec defines accessing claims via Jakarta SecurityContext, which again makes sense only in a Jakarta EE runtime, not in a pure MicroProfile runtime
If all above is correct, then I have an idea to simplify all of this:
  • The bridge spec would be actually a subset of MP JWT and Jakarta Security
  • The part of the MicroProfile JWT spec, which the proposal refers to, would be moved to this new bridge spec
  • The parts related to Jakarta Security would be added to the Jakarta Security spec directly
  • Both Jakarta Security and MicroProfile JWT would depend on this bridge spec, which specifies a common format of the JWT, validation and handling of the JWT
As a result, the spec would reside in Jakarta EE and it would define basically only the common format of the JWT, validation and handling of the JWT. Jakarta Security would define @JwtAuthenticationMechanismDefinition and injecting claims on top of it. MicroProfile JWT would define JsonWebToken on top of it and means of configuration using MicroProfile Config.

If we'd like to make it even simpler, the whole bridge spec could be part of Jakarta Security, which would define it as a profile or a subspec. Then MicroProfile would require only this profile/subspec of Jakarta Security.

I'm proposing this with the assumption that the format of the JWT, validation and handling of the JWT is already pretty stable in MicroProfile JWT and it would rarely or never need to be updated. Then it doesn't matter if it stays in MP JWT or in Jakarta EE and it would greatly simplify the solution for Jakarta Security and MicroProfile JWT interlock.

Ondro


On Thu, May 11, 2023 at 11:29 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
Further to today's call, I have started a googledoc to draft the proposal that we are going to either submit to Jakarta EE or MP. Please directly comment on the proposal and we will iterate on it. We will try to finalise the proposal in the next call and start the specification.

Thanks
Emily

On Thu, May 11, 2023 at 2:24 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
A quick reminder to say the upcoming call is today at 4:00pm BST time. Hope to see you there!


Minutes here

Thanks
Emily


On Thu, Apr 20, 2023 at 4:23 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
Today we had another call to discuss this topic further. Since the time slot is too early for US folks, the attendance was quite low. Please see our discussion in the minutes and the recording will be added to the minutes soon. Please add your comments either on this list or on the doc. We discussed the future call time and agreed to delay the call for 2 hours so that more people can join next time. The next call will be on 11th May at 16:00 BST and then occur every other week due to travelling and meeting clashes. I will send a reminder email when the time is closer. Please let me know if you have any questions or concerns.
Thanks
Emily


On Wed, Apr 12, 2023 at 8:37 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
As promised, I have scheduled a few weekly calls for this topic. The joining details can be found here (please see the meetings on Thursdays). The meeting will start on 20th April 2:00pm UK time.

Thanks,
Emily

On Wed, Mar 15, 2023 at 10:08 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
Thank you all for attending today's meeting and contributing your thoughts! We had a very productive conversation with the agreed mission to solve. The minutes can be accessed here. Please add your comments on the doc especially if you could not attend today's call. The link to the recording can be found from the minutes. We will have a few regular subsequent calls after we have all got into summer time saving mode.

In the meantime, please discuss this on this thread or on the minute doc.

Thanks
Emily

On Mon, Mar 13, 2023 at 10:19 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
Thank you to the ones who registered your availability! The most voted slot is Wednesday 15th March 5:00-6:00pm GMT. I have created a meeting invitation on the MicroProfile calendar here. The call will be recorded and the recording will be made available in due course.
Thanks
Emily

On Wed, Mar 8, 2023 at 5:50 PM Emily Jiang <emijiang6@xxxxxxxxxxxxxx> wrote:
We discussed the topic of "Jakarta Security and MicroProfile JWT" in various threads. You can read some discussion here.

I would like to volunteer to move this issue forward via chairing some calls to discuss the technical solutions for this issue. I have created this doodle poll for anyone who is interested in the discussion of the issue where Jakarta Security uses MicroProfile JWT. We had some internal conversations in IBM and will present a couple of options to this issue and would like to hear some feedback from you. Please register your interest and availability so that I can schedule a call accordingly.

Thanks
Emily


_______________________________________________
jakarta-security-dev mailing list
jakarta-security-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
