> On Feb 27, 2019, at 10:11 AM, COURTAULT Francois 
> <francois.courta...@gemalto.com> wrote:
> 
> My  understanding is:
> 
>  - If the JWT only has the required custom claim "groups" and, let's say, 
> we have in this one "group1", "group2", "group3", it means that, if no 
> mapping is provided, the entity represented by the JWT has the roles 
> "group1", "group2", "group3". 
> Is it right?

Correct.

>  - In the spec, §4.2 Additional Claims, we may have a new custom claim 
> "roles" (example provided at page 12: "auditor", "administrator").
> It means that the entity represented by the JWT has the roles "auditor" and 
> "administrator" and belongs to the groups 
> "red-group", "green-group", "admin-group".
> Is it right?

This is not specified.  The long and short is we (MP-JWT spec group) couldn't 
agree on whether the claim in the token should be called 'roles' or 'groups'.  We 
opted for 'groups' with the intent to provide some flexibility to the 
implementation.  To your question below, the implementation in TomEE uses the 
'groups' as the roles, and there is no way to specify additional mapping in the 
server itself.  Currently, you'd have to do that in the app (or contribute some 
functionality so it's done in the server).

Were that functionality to exist, your interpretation is certainly one mode we 
could use.  Really there are only two logical modes (theoretically)

 - Take the explicitly mapped roles, don't add the "implicit" roles (groups)
 - Take the explicitly mapped roles, add them on top of the "implicit" roles

Coming back to the "4.2 Additional Claims" section.  I wrote that particular 
section (Scott wrote most of the main chapters) wanting to put a stake in the sand 
that this may show up in a future revision of the spec.  Given the thoughts 
above, probably what would make the most sense is to implement something and 
see how it goes, then come back to the MP JWT spec with a proposal.

If you had to choose, which policy above would you want?


-David


> 
> BTW, how and where to declare the groups and roles mapping in TomEE? In 
> openejb-jar.xml? Another location?
> 
> Best Regards.
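A worked illustration of the two policies David lists, added here as an example; it is not code from the thread, from TomEE, or from the MP-JWT spec. It is a JAX-RS request filter that reads the `groups` claim from the already-authenticated `JsonWebToken` principal (which the MP-JWT spec requires `SecurityContext.getUserPrincipal()` to return) and replaces the `SecurityContext` with one whose `isUserInRole` answers according to an application-level mapping. The mapping table `GROUP_TO_ROLES`, the `Policy` switch, and the class name are assumptions for the example; nothing here is read from openejb-jar.xml or any other TomEE configuration.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * Application-level "groups -> roles" mapping for MP-JWT, done in the app
 * because the server offers no such mapping. Example code; the mapping
 * table and the policy switch are hypothetical, not TomEE configuration.
 */
@Provider
@Priority(Priorities.AUTHORIZATION)   // after authentication, before role checks
public class GroupRoleMappingFilter implements ContainerRequestFilter {

    /** The two modes from the discussion. */
    public enum Policy {
        /** Only roles reached through the mapping table count. */
        EXPLICIT_ONLY,
        /** Mapped roles are added on top of the group names themselves. */
        EXPLICIT_PLUS_GROUPS
    }

    /** Hypothetical mapping: group name in the token -> application roles. */
    private static final Map<String, Set<String>> GROUP_TO_ROLES;
    static {
        Map<String, Set<String>> m = new HashMap<>();
        m.put("admin-group", new HashSet<>(Arrays.asList("administrator", "auditor")));
        m.put("red-group", new HashSet<>(Collections.singletonList("auditor")));
        GROUP_TO_ROLES = Collections.unmodifiableMap(m);
    }

    /** Policy in effect; a real deployment would make this configurable. */
    private static final Policy POLICY = Policy.EXPLICIT_PLUS_GROUPS;

    /** Pure function so both policies can be unit-tested without a container. */
    public static Set<String> effectiveRoles(Set<String> groups,
                                             Map<String, Set<String>> mapping,
                                             Policy policy) {
        Set<String> roles = new HashSet<>();
        if (groups == null) {
            return roles;                       // token carried no "groups" claim: no roles
        }
        if (policy == Policy.EXPLICIT_PLUS_GROUPS) {
            roles.addAll(groups);               // the "implicit" roles: group names as-is
        }
        for (String group : groups) {
            Set<String> mapped = mapping.get(group);
            if (mapped != null) {
                roles.addAll(mapped);           // the explicitly mapped roles
            }
        }
        return roles;
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        final SecurityContext original = ctx.getSecurityContext();
        final Principal principal = original.getUserPrincipal();

        // MP-JWT requires the authenticated principal to be the JsonWebToken,
        // and the signature has already been verified by the time we see it.
        // Anonymous requests or other auth mechanisms are left untouched.
        if (!(principal instanceof JsonWebToken)) {
            return;
        }
        final Set<String> roles = effectiveRoles(((JsonWebToken) principal).getGroups(),
                                                 GROUP_TO_ROLES, POLICY);

        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
            @Override public boolean isSecure() { return original.isSecure(); }
            @Override public String getAuthenticationScheme() { return original.getAuthenticationScheme(); }
        });
    }
}
```

For a token whose `groups` claim is `["red-group", "green-group", "admin-group"]` (the spec's example values), `EXPLICIT_ONLY` yields `{auditor, administrator}`, while `EXPLICIT_PLUS_GROUPS` yields those two plus all three group names, including the unmapped `green-group`. `EXPLICIT_ONLY` is the safer default when the table is meant to be authoritative, since a group the application has never heard of grants nothing. Two things to check in your own deployment: the replaced `SecurityContext` governs `isUserInRole` calls made through an injected `@Context SecurityContext`, but whether container-enforced `@RolesAllowed` on the resource consults it depends on the JAX-RS runtime, so test that path rather than assume it; and a `roles` claim in the token can be read with `jwt.getClaim("roles")`, but as David notes the spec assigns it no meaning, so deciding how it combines with `groups` is the application's call.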
