Hi

Thanks for experimenting with the JWT authentication filter, but it is not exactly tailored for use in OAuth2 flows; let me clarify.

JWT (claims) is one way to have a given access token represented *internally*. An access token can be a DB pointer to some custom table, or may be an encrypted set of JWT claims. It is still a Bearer token though. Of course, other types of tokens are possible, such as PoP tokens, which have been standardized recently; in CXF we currently support Hawk schemes, but even in those schemes it can be JWT claims that are used internally.

So, speaking of the access tokens, they are typically Bearer (or PoP/etc) access tokens, whether JWT claims are used to represent them or not is somewhat orthogonal.

We have some code in place though to support JWT assertions which represent a given client's authentication credentials and can be used, but these JWT assertions are not the tokens; the end result there is that the OAuth2 server will still return a Bearer/PoP/etc token.

http://cxf.apache.org/docs/jaxrs-oauth2-assertions.html


JwtAuthenticationFilter is meant to be used in regular client-server communications; the JWT scheme there is not related to OAuth2 flows. For example, the client obtains a JWT assertion and uses it to authenticate, and maybe also links it to the JWS/JWE secured payload...

Does it help?

Sergey
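The point above (the scheme stays Bearer whether the access token is a pointer into a token store or a self-contained set of JWT claims), as an added example that is not from the thread and not CXF code: a resource-server helper that resolves one `Authorization: Bearer` header either by table lookup or by HS256 JWS verification. The key, the token table and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data, not from the thread: an HS256 key and a table of
# opaque access tokens (the "DB pointer" representation).
HS256_KEY = b"constructed-demo-secret"
OPAQUE_TOKENS = {"a1b2c3": {"sub": "client-42", "scope": "read", "exp": 4102444800}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jws(claims: dict) -> str:
    """Issue a self-contained access token: HS256 compact JWS over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jws(token: str, now: float):
    """Return the claims if alg, signature and exp check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # refuse anything but the expected algorithm
        expected = hmac.new(HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return None
    return claims if claims.get("exp", 0) > now else None

def resolve_bearer(authorization: str, now: float = None):
    """One Bearer validator covers both token representations."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    if token.count(".") == 2:  # compact JWS: the claims travel inside the token
        return verify_jws(token, now)
    entry = OPAQUE_TOKENS.get(token)  # otherwise a handle into the token store
    return entry if entry and entry["exp"] > now else None
```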


On 19/02/16 04:24, Rajan1311 wrote:
Hi,

I am still pretty new at this, so might have not understood this correctly.
I am trying to protect my API via OAuth. I basically need 2 types of flow,
one is a client credentials, where a client can dynamically register and
then access their resources. For this, I have followed the documentation and
have successfully implemented the same. I am using a bearer token for this.

Next I would need a JWT which my clients would generate and then use them. I
have created an SDK which is used by my clients to create JWTs. Based on the
information within the JWT, the bearer of this token can get access to the
client's resource.

So, I need to support 2 types of tokens - Bearer and JWT tokens. I did a
little bit of searching but was left confused. I tried using the
org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter (registered it
as a filter in the service I want to protect), which checks for the validity
of the JWT token, but it would block requests made with the bearer token. I
am not sure how to proceed from here. Should I create a custom token
validator for my OAuth filter?

Thanks

Rajan






--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
