Closed jensschirmer closed 3 years ago
@jensschirmer thanks for this issue and your detailed description and suggestions for improvement. I fully agree and will support that we get a PR for this. IMHO we should do the following:
roles
- however, if I corrently assume that this feature of devon4j is not widely used and you are referring to standards that imply groups
would be a better default, I am also happy to change the default and document in the ChangeLog so projects can simply add a configuration to roles
to keep their app compatible.groups
+ String-Array.@jensschirmer I just created a PR implemeting this. If you could give review feedback this would be very much appreciated.
@hohwille : It looks good to me.
Official release is planned in ~2 weeks. From tomorrow on you can already test the feature via CI SNAPSHOT: https://github.com/devonfw/devon4j/blob/master/documentation/guide-testing-snapshots.asciidoc
As a developer, I want that the module security-jwt support the claim groups from the microprofile jwt.
In the security-jwt module of devonfw, the JwtAuthenticatorImpl class expects in line 38 that the roles in the JWT claim "roles" are stored as a comma-separated string. Similarly, this is written back into the token in the JwtCreatorImpl class in line 50 . In the specification of JWT RFC 7519 , there is no attribute in the Registered Claims area that covers the functionality of the roles. For the Public Claims, which are registered with the IANA, there is also no corresponding attribute. In order to eliminate this uncertainty, the Microproflie JWT was created (see https://www.eclipse.org/community/eclipse_newsletter/2017/september/article2.php). There, the claim "groups is defined, which defines the corresponding roles as a string array. In the security-jwt module, a possibility should be created to read out this claim and fill it again. This should also help to support Keycloak. By default, Keycloak writes the roles into the realm_access claim and the permissions are stored there as an array string in the map with the key roles. This can be mapped to the "groups" claim in Keycloak using a mapper.
ATTENTION: For backward compatibilty when upgrading from older devon4j versions to version
2021.04.003
you should add the following configuration to yourapplication.properties
if you want to preserve the old behaviour: