tomee-users mailing list archives

From David Blevins <david.blev...@gmail.com>
Subject Re: MP JWT propagation specification clarification
Date Wed, 27 Feb 2019 23:10:01 GMT
> On Feb 27, 2019, at 10:11 AM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:
> 
> My understanding is:
> 
> ·         If the JWT only has the required custom claim groups and let's say we have in this one "group1", "group2", "group3", it means that, if no mapping is provided, the entity represented by the jwt has the roles "group1", "group2", "group3". Is it right?

Correct.

> ·         In the spec, §4.2 Additional Claims, we may have a new custom claim "roles" (example provided at page 12 "auditor", "administrator").
> It means that the entity represented by the jwt has the roles "auditor" and "administrator" and belongs to the groups "red-group","green-group","admin-group".
> Is it right?

This is not specified.  The long and short is we (MP-JWT spec group) couldn't agree on whether
the claim in the token should be called 'roles' or 'groups'.  We opted for 'group' with the
intent to provide some flexibility to the implementation.  To your question below, the implementation
in TomEE uses the 'groups' as the roles and there is no way to specify additional mapping
in the server itself.  Currently, you'd have to do that in the app (or contribute some functionality
so it's done in the server).

Were that functionality to exist, your interpretation is certainly one mode we could use.
Really there are only two logical modes (theoretically):

 - Take the explicitly mapped roles, don't add the "implicit" roles (groups)
 - Take the explicitly mapped roles, add them on top of the "implicit" roles

Coming back to the "4.2 Additional Claims" section.  I wrote that particular section (Scott
wrote most of the main chapters) wanting to put a stake in the sand that this may show up in
a future revision of the spec.  Given the thoughts above, probably what would make the most
sense is to implement something and see how it goes, then come back to the MP JWT spec with
a proposal.

If you had to choose, which policy above would you want?


-David


> 
> BTW, how and where to declare the groups and roles mapping in TomEE? In openejb-jar.xml? Other location?
> 
> Best Regards.

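The two policies above, written out as an added example that is not TomEE's or the MP-JWT spec's code: the token's `groups` claim is read with JSON-P and then resolved into roles either by replacing the implicit group roles with the mapped ones or by adding the mapped ones on top. The payload, the group-to-role mapping and the class name are constructed for illustration, and the token is assumed to have already been signature-verified by the MP-JWT runtime (Java 9+ collection factories are used).

```java
import java.io.StringReader;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.json.JsonValue;

public class GroupsToRoles {

    /** The two modes from the thread: REPLACE drops the implicit group roles, ADD keeps them. */
    enum Policy { REPLACE, ADD }

    /** Constructed payload of a token the MP-JWT runtime is assumed to have verified already. */
    static final String PAYLOAD_JSON =
        "{\"iss\":\"https://issuer.example\",\"upn\":\"alice\","
        + "\"groups\":[\"group1\",\"group2\",\"group3\"]}";

    /** Hypothetical application-level mapping: group name -> roles that group grants. */
    static final Map<String, Set<String>> MAPPING = Map.of(
        "group1", Set.of("auditor"),
        "group3", Set.of("administrator"));

    /** Reads the optional "groups" claim; a token without it yields no groups at all. */
    static Set<String> groupsFromPayload(String payloadJson) {
        JsonObject claims = Json.createReader(new StringReader(payloadJson)).readObject();
        Set<String> groups = new LinkedHashSet<>();
        if (claims.containsKey("groups")) {
            for (JsonValue v : claims.getJsonArray("groups")) {
                groups.add(((JsonString) v).getString());
            }
        }
        return groups;
    }

    /** Resolves roles: mapped roles only (REPLACE) or mapped roles plus the raw group names (ADD). */
    static Set<String> resolveRoles(Set<String> groups, Map<String, Set<String>> mapping, Policy policy) {
        Set<String> roles = new LinkedHashSet<>();
        if (policy == Policy.ADD) {
            roles.addAll(groups); // implicit roles: what TomEE does today with no mapping at all
        }
        for (String g : groups) {
            roles.addAll(mapping.getOrDefault(g, Set.of())); // unmapped groups add nothing here
        }
        return roles;
    }

    public static void main(String[] args) {
        Set<String> groups = groupsFromPayload(PAYLOAD_JSON);
        System.out.println("REPLACE: " + resolveRoles(groups, MAPPING, Policy.REPLACE));
        System.out.println("ADD:     " + resolveRoles(groups, MAPPING, Policy.ADD));
    }
}
```

Under ADD every group name is itself a role, so group names and role names share one namespace and a `@RolesAllowed` check can be satisfied by a bare group; under REPLACE a group with no mapping entry grants nothing.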
