Security: Refactor providers that use JWT

helidon-io / helidon

Java libraries for writing microservices

https://helidon.io

Apache License 2.0

3.5k stars 566 forks source link

Security: Refactor providers that use JWT #478

Open tomas-langer opened 5 years ago

tomas-langer commented 5 years ago

We currently have 3 providers that use JWT - OidcProvider, JwtProvider and JwtAuthProvider. There is a set of common functionality used in each of these that is duplicated.

Environment Details

Helidon Version: 1.0.0
Helidon SE

Tasks:

[ ] Add deprecation for JwtProvider
[ ] Simplify configuration of OidcProvider to support current JwtProvider use cases
[ ] See if JwtAuthProvider (MP JwtAuth spec implementation) could re-use code from OidcProvider

tomas-langer commented 4 years ago

The OIDC provider should probably contain the superset of functionality, so I would keep that one as the base. JWT could be removed, as long as the configuration of the OIDC is as simple as the one of JWT.

Example of problematic onfiguration:

        # these are not needed when redirect is disabled and we use local JWK!, yet we MUST configure them
        identity-uri: "http://not-present-at-all.com"
        client-id: "wrong"
        client-secret: "also wrong"
        token-endpoint-uri: "http://not-present-at-all.com"
        authorization-endpoint-uri: "http://not-present-at-all.com"
        # these are needed
        redirect: false
        cookie-use: false
        header-use: true
        sign-jwk-resource-path: "verify-jwk.json"
        oidc-metadata-well-known: false
        audience: "http://localhost:8087/jwt"

tomas-langer commented 2 years ago

As part of refactoring of providers to synchronous/blocking APIs, this needs to be resolved.