myndocs / kotlin-oauth2-server

Flexible OAuth2 server library. Support for multiple frameworks
Apache License 2.0

JWT Support #42

Closed Savrov closed 5 years ago

Savrov commented 5 years ago

Is your feature request related to a problem? Please describe. Add JWT feature for AccessToken. It will be great for a case when I have an auth server where I validate user and data server, where I would like to get content by userId (which can be stored in JWT payload) and expireAt (from JWT's "iat").

Describe the solution you'd like There will be an option to switch between UUID AccessToken and JWT AccessToken. All fields of AccessToken like "username", "clientId" can be stored inside JWT payload.

Describe alternatives you've considered The only opportunity I've found to do it is to override AccessTokenConverter, and for field "accessToken" generate a JWT string.

palmenhq commented 5 years ago

Just as a reference, it's totally possible to write your own AccessTokenConverter. I'm experimenting with this and am making a PoC that solves this.

Edit: Woops, didn't read through the issues properly hehe. I'll drop this link here anyways in case someone would care.

adhesivee commented 5 years ago

I will try to create a JWT implementation for this. But I am not sure how I would create particular things. For example, the AccessTokenConverter needs a JWT implementation like auth0, but I want to avoid exposing the library itself too much, so I need to abstract it somehow. A good candidate is also to use JWT with the RefreshTokenConverter. This could then also store expiration for the refresh token.

adhesivee commented 5 years ago

I am trying to implement JWT here. The implementation is leaning strongly against the implementation of com.auth0:java-jwt. JwtAccessTokenConverter and JwtRefreshTokenConverter will set:

By using jwtConfiguration: (JWTCreator.Builder) -> JWTCreator.Builder it should still be possible to add claims/configuration yourself. An important thing is that the Algorithm has to be provided outside of these classes. For me it wouldn't make much sense to create something here. So it will look like:

val algorithm = Algorithm.HMAC256("secret")

val accessTokenConverter = JwtAccessTokenConverter(algorithm)

I need to build something to allow the implementor to remove the claims I set here. It could be the case they don't want to use this at all. @Savrov Is this something you could use, or did you expect something else?
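The design sketched in the last comment (the Algorithm is supplied by the implementor, and a jwtConfiguration hook lets them add or override claims) can be exercised end to end with the com.auth0:java-jwt API the comment names. The following is an added, self-contained example written for this page; it is not code from kotlin-oauth2-server or from adhesivee's branch. The class names JwtAccessTokenIssuer, JwtAccessTokenVerifier and IssuedToken, the claim set, and the shape of the token fields are assumptions made for illustration, not the library's interfaces. The second class shows the data-server side the issue asks about: the signature, issuer, audience and expiry are checked before any claim such as the user id is trusted.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.JWTCreator
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import java.time.Instant
import java.util.Date
import java.util.UUID

// Illustrative stand-in for the library's access token; assumption made for this example.
data class IssuedToken(val accessToken: String, val expiresAt: Instant)

// Auth-server side. The Algorithm (and so the key) comes from the implementor, and
// jwtConfiguration lets them extend or replace the claims set here.
class JwtAccessTokenIssuer(
    private val algorithm: Algorithm,
    private val issuer: String,
    private val ttlSeconds: Long = 3600,
    private val jwtConfiguration: (JWTCreator.Builder) -> JWTCreator.Builder = { it }
) {
    fun issue(username: String, clientId: String, scopes: Set<String>): IssuedToken {
        val now = Instant.now()
        val expiresAt = now.plusSeconds(ttlSeconds)
        val builder = JWT.create()
            .withIssuer(issuer)
            .withSubject(username)                       // the userId the data server needs
            .withAudience(clientId)                      // which resource server may accept it
            .withJWTId(UUID.randomUUID().toString())     // unique id for logging and revocation
            .withIssuedAt(Date.from(now))                // "iat"
            .withExpiresAt(Date.from(expiresAt))         // "exp": the real expiry claim
            .withClaim("client_id", clientId)
            .withArrayClaim("scope", scopes.toTypedArray())
        // Later calls on the builder override earlier claims, so the implementor's hook
        // can remove or replace anything set above by setting it again.
        return IssuedToken(jwtConfiguration(builder).sign(algorithm), expiresAt)
    }
}

// Data-server side: verify before trusting any claim in the payload.
class JwtAccessTokenVerifier(algorithm: Algorithm, issuer: String, clientId: String) {
    private val verifier = JWT.require(algorithm)
        .withIssuer(issuer)
        .withAudience(clientId)
        .acceptLeeway(30)      // tolerate small clock skew between the two servers
        .build()

    // Returns the authenticated username, or null when the token must be rejected
    // (bad signature, wrong issuer or audience, expired).
    fun usernameFor(token: String): String? =
        try {
            verifier.verify(token).subject
        } catch (e: JWTVerificationException) {
            null
        }
}

fun main() {
    // Constructed values for the demo; a deployment loads the key from a secret store.
    val algorithm = Algorithm.HMAC256("demo-only-secret-replace-me")
    val issuer = "https://auth.example.test"
    val clientId = "data-server"

    val issuerService = JwtAccessTokenIssuer(algorithm, issuer, ttlSeconds = 600) { builder ->
        builder.withClaim("tenant", "acme")   // an implementor-added claim via the hook
    }
    val token = issuerService.issue("alice", clientId, setOf("read:content"))

    val verifier = JwtAccessTokenVerifier(algorithm, issuer, clientId)
    println(verifier.usernameFor(token.accessToken))                 // untouched token
    println(verifier.usernameFor(token.accessToken + "x"))           // token with a damaged signature
    println(JwtAccessTokenVerifier(Algorithm.HMAC256("other-key"), issuer, clientId)
        .usernameFor(token.accessToken))                             // verifier holding a different key
}
```

Keeping the Algorithm outside the converter, as the comment proposes, also keeps key handling outside the library: an HMAC secret shared between the auth and data servers works for the two-server case in the issue, while an RSA or ECDSA Algorithm lets the data server verify with a public key only and never hold signing material.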