Closed andrewstuart closed 8 years ago
Sounds very plausible; let's talk.
Yeah, definitely. I won't be in the office for a few weeks, though (new baby tomorrow and WFH today), so I figured this would be a great place to get started. @bjagg, I think you may have comments to add here based on the mailing list discussion.
This idea has been kicked around between Andrew, Brandon (Oakland), Aaron (Oakland), and myself. We all like it -- the code has been updated to work this way. Closing this ticket.
I propose that we standardize on providing original user identity assertions in a signed JWT format, and that it be included only in the Authorization header as a bearer token, rather than request body.
Signatures should be generated using RSA (256+) so that they can be easily validated by consumers without exposing uPortal's private key.
Reasons I would argue for a singular location and format:
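The proposal above (a signed JWT, RSA-signed, carried only as an Authorization bearer token, and verifiable by a consumer holding just the public key), worked through as an added Go example. This is not code from the issue or from uPortal; the claim set, the issuer string and the in-memory key are assumptions made for the demonstration. The consumer side pins the algorithm to RS256 rather than trusting the token's header, verifies the signature before reading any claim, and enforces expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the identity assertion carried in the token. The claim set is an
// assumption for this example, not uPortal's actual schema.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // Unix seconds
}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

var b64 = base64.RawURLEncoding

// MintRS256 is the issuer side: sign header.claims with the private key and
// return the compact JWT (three base64url segments joined by dots).
func MintRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "RS256", Typ: "JWT"})
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// BearerHeader formats the token as the Authorization header value.
func BearerHeader(token string) string { return "Bearer " + token }

// VerifyBearer is the consumer side and holds only the issuer's public key.
// It accepts only a Bearer token whose header says RS256, verifies the
// signature before reading any claim, and rejects expired tokens.
func VerifyBearer(authz string, pub *rsa.PublicKey, now time.Time) (*Claims, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authz, prefix) {
		return nil, errors.New("not a bearer token")
	}
	parts := strings.Split(authz[len(prefix):], ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, err
	}
	// Pin the algorithm on the consumer side; the token must not choose it.
	if h.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

To try it, generate a key with `rsa.GenerateKey(rand.Reader, 2048)`, mint a token with `MintRS256`, and hand `BearerHeader(token)` plus `&priv.PublicKey` to `VerifyBearer`; a token signed by a different key, one with a tampered claims segment, one whose header claims `alg: none`, or one past its `exp` is rejected, which is the property that lets consumers trust the assertion without ever holding the issuer's private key.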