jakartaee / security

Jakarta Security
https://projects.eclipse.org/projects/ee4j.security

Authentication mechanism per URL pattern #86

Open tofflos opened 6 years ago

tofflos commented 6 years ago

The use case would be writing a JAX-RS endpoint that provides an API, some HTML/JS that provides a UI on top of that API, and then bundling them together as a single application. I would then like to offer BASIC authentication for "machines" interacting directly with the API and FORM-based authentication for "humans" interacting indirectly via the UI.

This type of functionality was mentioned in javaee/security-spec#37 but I couldn't find a dedicated issue:

Note that this feature is distinct from having different authentication mechanisms for different resources, like e.g. FORM for the web based UI part at /app/ of an application and BASIC for the REST part at say /rest/.
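The workaround available with the current API is the one the use case above hints at: a single custom `HttpAuthenticationMechanism` that looks at the request path and applies BASIC to the API and a session-backed form login to the UI. The class below is an added example, not code from this issue or from the Jakarta Security project; the `/api/` prefix, the `/login` POST target, the `/login.html` page, the `/app/` landing page, the `username`/`password` form parameter names and the session attribute keys are all assumptions. It relies only on the standard `HttpMessageContext`, `IdentityStoreHandler` and `CredentialValidationResult` types.

```java
// Added example (not project code): one mechanism, two behaviours chosen by URL path.
// Assumed paths: /api/* gets HTTP Basic, everything else gets a form login.
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

@ApplicationScoped
public class PathBasedAuthenticationMechanism implements HttpAuthenticationMechanism {

    private static final String CALLER = "auth.caller"; // assumed session attribute keys
    private static final String GROUPS = "auth.groups";

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) {
        // The path relative to the context root selects the mechanism.
        return pathOf(request).startsWith("/api/")
                ? basic(request, response, context)
                : form(request, context);
    }

    private static String pathOf(HttpServletRequest request) {
        return request.getRequestURI().substring(request.getContextPath().length());
    }

    // Stateless HTTP Basic for machine clients: no session is ever created here.
    private AuthenticationStatus basic(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) {
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                        StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedBase64) {
                return context.responseUnauthorized();
            }
            int colon = decoded.indexOf(':');
            if (colon > 0) {
                CredentialValidationResult result = identityStoreHandler.validate(
                        new UsernamePasswordCredential(decoded.substring(0, colon),
                                decoded.substring(colon + 1)));
                if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                    return context.notifyContainerAboutLogin(result);
                }
            }
            // Credentials were supplied but are wrong or malformed: plain 401, no challenge loop.
            return context.responseUnauthorized();
        }
        if (context.isProtected()) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            return context.responseUnauthorized();
        }
        return context.doNothing();
    }

    // Session-backed form login for browsers. POST /login with username/password
    // establishes the session; /login and /login.html must not be under a security constraint.
    private AuthenticationStatus form(HttpServletRequest request, HttpMessageContext context) {
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(CALLER) != null) {
            @SuppressWarnings("unchecked")
            Set<String> groups = (Set<String>) session.getAttribute(GROUPS);
            return context.notifyContainerAboutLogin((Principal) session.getAttribute(CALLER), groups);
        }
        if ("POST".equals(request.getMethod()) && "/login".equals(pathOf(request))) {
            String user = request.getParameter("username");
            String pass = request.getParameter("password");
            if (user != null && pass != null) {
                CredentialValidationResult result =
                        identityStoreHandler.validate(new UsernamePasswordCredential(user, pass));
                if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                    session = request.getSession(true);
                    request.changeSessionId(); // rotate the id on login to defeat session fixation
                    session.setAttribute(CALLER, result.getCallerPrincipal());
                    session.setAttribute(GROUPS, result.getCallerGroups());
                    return context.redirect(request.getContextPath() + "/app/");
                }
            }
            return context.redirect(request.getContextPath() + "/login.html?error=1");
        }
        if (context.isProtected()) {
            return context.redirect(request.getContextPath() + "/login.html");
        }
        return context.doNothing();
    }
}
```

Two design points are worth noting. The form branch keeps its own session state instead of using `@AutoApplySession` and `@LoginToContinue`, because those interceptors wrap the whole mechanism: `@AutoApplySession` would register a session for every successful API call, and `@LoginToContinue` takes over the redirect-to-login handling for every unauthenticated protected request, which would also capture the API path. The price is that the original URL is not replayed after login (the user lands on `/app/`); restoring it would mean saving the request yourself. This is exactly the "mix all the logic in one class" situation the later comments complain about, and what a per-URL-pattern feature in the spec would remove.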

vanuatoo commented 2 years ago

This issue is very important. We've got one back-end for several front-ends: admin panel, website, API, and we use different mechanisms for each. Cookie for the admin panel, OIDC for the website, token for the API, and we have to mix all the logic in one class.

m-reza-rahman commented 2 years ago

This is a very common requirement. It would be great to get it addressed.

arjantijms commented 2 years ago

Indeed, this is an extremely common requirement. We also should balance this with at least the other "multi authentication mechanism" requirement, which is for "log in with" types of dialogs, e.g. login with Github, login with email, etc.

arjantijms commented 2 years ago

P.S. There are multiple ways to go about the implementation. My gut feeling says it's easiest to leave the SPI (Jakarta Authentication) alone, and implement this by putting requirements on the bridge authentication module and the rest of Jakarta Security.

darranl commented 2 years ago

+1 on looking at this being a part of Jakarta Security otherwise we could trace this all the way back to the servlet specification where one mechanism per deployment is specified.