Hello, Reading the JWT propagation 1.0 specification, it is mentioned :
· Chapter 4: "groups": The token subject's group memberships that will be mapped to Java EE style application level roles in the MicroProfile service container."
· Chapter 4 §4.1 Minimum MP-JWT Required Claims (page 9): "This typically will require a mapping at the application container level to application deployment roles, but a one-to-one between group names and application role names is required to be performed in addition to any other mapping."

My understanding is:
· If the JWT only has the required custom claim groups and let's say we have in this one "group1", "group2", "group3", it means that, if no mapping is provided, the entity represented by the JWT has the roles "group1", "group2", "group3". Is it right?
· In the spec, §4.2 Additional Claims, we may have a new custom claim "roles" (example provided at page 12: "auditor", "administrator"). It means that the entity represented by the JWT has the roles "auditor" and "administrator" and belongs to the groups "red-group", "green-group", "admin-group". Is it right?

BTW, how and where to declare the groups and roles mapping in TomEE? In openejb-jar.xml? Other location?

Best Regards.
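An added example (not from the poster or the TomEE project) that illustrates the one-to-one group-to-role mapping the quoted spec text requires, using a constructed token payload and a JAX-RS resource protected with @RolesAllowed; the class names, paths and claim values are assumptions, and the behaviour of the additional "roles" claim is deliberately left open since the quoted text does not define it.

```java
// Constructed token payload for this example (not a real token):
// {
//   "iss": "https://issuer.example.com", "sub": "alice", "upn": "alice@example.com",
//   "groups": ["group1", "group2", "group3"],      // required MP-JWT claim
//   "roles":  ["auditor", "administrator"],        // additional (non-standard) claim
//   "iat": 1700000000, "exp": 1700003600
// }
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.eclipse.microprofile.auth.LoginConfig;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Enables MP-JWT authentication for the application
// (package-private only so that this example fits in one file).
@LoginConfig(authMethod = "MP-JWT")
class GroupsDemoApplication extends Application {}

@Path("/reports")
@Produces("text/plain")
public class ReportsResource {
    @Inject JsonWebToken jwt;              // the verified token of the current request
    @Context SecurityContext securityContext;

    // "group1" is a value of the standard "groups" claim. Under the one-to-one
    // group-name-to-role-name mapping the spec requires, the caller above is allowed.
    @GET @Path("/group1")
    @RolesAllowed("group1")
    public String forGroup1() { return "hello " + jwt.getName(); }

    // "auditor" appears only in the additional "roles" claim. The quoted spec text
    // does not turn it into a role by itself, so whether this call is authorized
    // depends on an explicit container/application-level mapping.
    @GET @Path("/audit")
    @RolesAllowed("auditor")
    public String forAuditors() { return "audit view"; }

    // Read both claims directly to see what the container actually received.
    @GET @Path("/whoami")
    @RolesAllowed({"group1", "group2", "group3"})
    public String whoAmI() {
        Set<String> groups = jwt.getGroups();          // standard claim, mapped to roles
        Object rolesClaim = jwt.getClaim("roles");     // additional claim, null if absent
        boolean inGroup1 = securityContext.isUserInRole("group1");
        return "groups=" + groups + " rolesClaim=" + rolesClaim + " group1=" + inGroup1;
    }
}
```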
