Helping on TOMEE-3948 in some way sounds good to me. I'll start by reviewing the Spec and then the TCK.

Regarding the Spec, I found this <https://download.eclipse.org/microprofile/microprofile-jwt-auth-2.0/microprofile-jwt-auth-spec-2.0.html> so I assume that's where the spec is published, but for the TCK I got this: Projects (tck.work) <https://tck.work/tomee/projects> which is for TomEE, but did not find the microprofile TCK so I guess it is for Jakarta EE only. So for the Eclipse Microprofile is there a TCK built in a different workspace?

On Tue, May 10, 2022 at 18:11, David Blevins (<[email protected]>) wrote:

> Hi Memo!
>
> First, thanks for volunteering! Thrilled to work on this with you.
>
> On TOMEE-3952, are you open to a different task? One of the first things
> I'll do with TOMEE-3947 is replace the code that parses keys and either our
> code will conflict and I'll likely end up needing to rewrite your code.
>
> Are you at all interested in exploring the spec requirements around
> TOMEE-3948? I've never worked with encrypted JWTs before, so if you
> haven't either we're both equally unprepared :)
>
> What would be really useful is having you read that part of the spec, look
> at the TCK to see what kind of encrypted tokens there are, then see if you
> can create some code in TomEE to decrypt the token (ideally not adding a
> dep on another library). Doesn't matter if the code is wired into TomEE or
> duplicates code in TomEE, I can help with that part. You could just throw
> the code anywhere under here:
>
> - https://github.com/apache/tomee/tree/master/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt
>
> And add a test case here:
>
> - https://github.com/apache/tomee/tree/master/mp-jwt/src/test/java/org/apache/tomee/microprofile/jwt
>
> The test can be a plain java, no-tomee, test that decrypts the encrypted
> JWTs from the TCK. The JWTs and keys could just be copy/pasted into the
> test case. That would help me see what needs to be done and have that
> first prototype of code to work from to see what would need to get wired in
> and where. We could potentially collaborate on that part too.
>
> Does that sound like something that would be fun to work on?
>
>
> -David
>
>
> > On May 10, 2022, at 3:33 PM, Memo Díaz Solis <[email protected]> wrote:
> >
> > Hello David. I'd like to work on some of them. So if you don't mind, I'd
> > like to start with TOMEE-3952.
> >
> > On Tue, May 10, 2022 at 12:00, David Blevins (<[email protected]>) wrote:
> >
> >> I'm starting to take a look at what we need to implement MicroProfile JWT
> >> 2.0 support.
> >>
> >> There are no new requirements in 2.0 itself. That version was largely
> >> created to communicate MicroProfile overall upgraded from Jakarta EE 8 to
> >> 9.1.
> >>
> >> There are a handful of new requirements 1.2 we have yet to implement. I
> >> dug through the spec and made this list:
> >>
> >> - TOMEE-3947 Elliptic Curve ES256 signature algorithm
> >> - TOMEE-3948 Decryption of JWTs using RSA-OAEP and A256GCM algorithms
> >> - TOMEE-3949 Support for JWT audience aud claim
> >> - TOMEE-3950 Support for JWT token cookies
> >> - TOMEE-3951 JWT token groups claim is now optional
> >> - TOMEE-3952 Deprecate RSA keys of 1024 bit length
> >>
> >> These all sit as subtasks of this JIRA issue:
> >>
> >> - https://issues.apache.org/jira/browse/TOMEE-3946 "MicroProfile JWT 2.0 Support"
> >>
> >> I'm grabbing TOMEE-3947 Elliptic Curve ES256 signature algorithm
> >>
> >> If anyone would like to work on any of the other items, let me know and
> >> I'll assign it to you.
> >>
> >>
> >> -David
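
The prototype discussed above for TOMEE-3948 (decrypting an RSA-OAEP / A256GCM token in plain Java with no extra library) could be sketched as follows. This is an added example, not code from the thread or from TomEE: the class and method names are hypothetical, the token is constructed by `encrypt()` in place of a TCK token, and the header check is a simplified substring match.

```java
import static java.nio.charset.StandardCharsets.*;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;
public class JweDecryptExample { // hypothetical class name, JDK classes only
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static Cipher gcm(int mode, byte[] cek, byte[] iv, String encodedHeader) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); // A256GCM content cipher, 128-bit tag
        c.init(mode, new SecretKeySpec(cek, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(encodedHeader.getBytes(US_ASCII)); // AAD = base64url-encoded protected header
        return c;
    }
    static Cipher rsa(int mode, Key key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); // JWE "RSA-OAEP"
        c.init(mode, key);
        return c;
    }
    static byte[] decrypt(String jwe, PrivateKey key) throws GeneralSecurityException {
        String[] p = jwe.split("\\.", -1); // compact JWE: header.key.iv.ciphertext.tag
        if (p.length != 5) throw new GeneralSecurityException("not a compact JWE");
        String header = new String(DEC.decode(p[0]), UTF_8);
        if (!header.contains("\"alg\":\"RSA-OAEP\"") || !header.contains("\"enc\":\"A256GCM\""))
            throw new GeneralSecurityException("unexpected alg/enc"); // substring match: simplification
        byte[] cek = rsa(Cipher.DECRYPT_MODE, key).doFinal(DEC.decode(p[1])); // unwrap content key
        byte[] iv = DEC.decode(p[2]), ct = DEC.decode(p[3]), tag = DEC.decode(p[4]);
        if (cek.length != 32 || iv.length != 12 || tag.length != 16) throw new GeneralSecurityException("bad length");
        byte[] in = Arrays.copyOf(ct, ct.length + tag.length); // JCE expects ciphertext || tag
        System.arraycopy(tag, 0, in, ct.length, tag.length);
        return gcm(Cipher.DECRYPT_MODE, cek, iv, p[0]).doFinal(in); // AEADBadTagException if altered
    }
    // Builds a constructed sample token (a stand-in for a TCK token) so the example runs offline.
    static String encrypt(byte[] claims, PublicKey key) throws GeneralSecurityException {
        String h = b64("{\"alg\":\"RSA-OAEP\",\"enc\":\"A256GCM\"}".getBytes(UTF_8));
        byte[] r = new byte[44]; // random 32-byte CEK followed by 12-byte IV
        new SecureRandom().nextBytes(r);
        byte[] cek = Arrays.copyOf(r, 32), iv = Arrays.copyOfRange(r, 32, 44);
        byte[] out = gcm(Cipher.ENCRYPT_MODE, cek, iv, h).doFinal(claims); // ciphertext || 16-byte tag
        return String.join(".", h, b64(rsa(Cipher.ENCRYPT_MODE, key).doFinal(cek)), b64(iv),
            b64(Arrays.copyOf(out, out.length - 16)), b64(Arrays.copyOfRange(out, out.length - 16, out.length)));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        String jwe = encrypt("{\"sub\":\"constructed\"}".getBytes(UTF_8), kp.getPublic());
        System.out.println(new String(decrypt(jwe, kp.getPrivate()), UTF_8));
    }
}
```

The decrypted bytes are only the JWE payload; a token that carries a nested signed JWT still needs its signature and claims verified afterwards.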
