Open tomas-langer opened 5 years ago
The OIDC provider should probably contain the superset of functionality, so I would keep that one as the base. JWT could be removed, as long as the configuration of the OIDC is as simple as the one of JWT.
Example of problematic onfiguration:
# these are not needed when redirect is disabled and we use local JWK!, yet we MUST configure them
identity-uri: "http://not-present-at-all.com"
client-id: "wrong"
client-secret: "also wrong"
token-endpoint-uri: "http://not-present-at-all.com"
authorization-endpoint-uri: "http://not-present-at-all.com"
# these are needed
redirect: false
cookie-use: false
header-use: true
sign-jwk-resource-path: "verify-jwk.json"
oidc-metadata-well-known: false
audience: "http://localhost:8087/jwt"
As part of refactoring of providers to synchronous/blocking APIs, this needs to be resolved.
We currently have 3 providers that use JWT - OidcProvider, JwtProvider and JwtAuthProvider. There is a set of common functionality used in each of these that is duplicated.
Environment Details
Tasks:
JwtProvider
OidcProvider
to support currentJwtProvider
use casesJwtAuthProvider
(MP JwtAuth spec implementation) could re-use code fromOidcProvider