Posted to dev@cxf.apache.org by GitBox <gi...@apache.org> on 2022/09/11 09:24:38 UTC

[GitHub] [cxf] arthurchan35 commented on a diff in pull request #990: specs says type in header should at+jwt

arthurchan35 commented on code in PR #990:
URL: https://github.com/apache/cxf/pull/990#discussion_r967792936


##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java:
##########
@@ -646,7 +647,12 @@ protected String processJwtAccessToken(JwtClaims jwtCliams) {
         // It will JWS-sign (default) and/or JWE-encrypt
         OAuthJoseJwtProducer processor =
             getJwtAccessTokenProducer() == null ? new OAuthJoseJwtProducer() : getJwtAccessTokenProducer();
-        return processor.processJwt(new JwtToken(jwtCliams));
+
+        JwsHeaders jwsHeaders = new JwsHeaders();
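Review bot: the context comment at the top of this hunk, `// It will JWS-sign (default) and/or JWE-encrypt`, allows for a producer that only encrypts, while the new `JwsHeaders jwsHeaders = new JwsHeaders();` can carry the token type only on the signing path. If `getJwtAccessTokenProducer()` returns a producer configured for JWE without JWS, a type set on these headers would presumably not reach the token. Consider checking that the producer signs before building the headers, or tightening the comment to say signing is required and encryption is optional, which is what RFC 9068 asks for. Separately, the parameter name `jwtCliams` in the method signature is a typo for `jwtClaims` and could be fixed while this method is being touched.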

Review Comment:
   Hi @reta, thanks for the review!
   
   According to RFC 9068 sections 2.1 and 4, a JWT access token must be signed and **optionally** encrypted. As I interpret the comment, it means the same thing as the spec requires?
   
   Regarding JoseType and JoseConstants, I will look into them a bit more.


