Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/08/22 14:27:00 UTC

[jira] [Resolved] (CXF-7806) Add option to create JWT access tokens without persisting them

     [ https://issues.apache.org/jira/browse/CXF-7806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-7806.
--------------------------------------
    Resolution: Fixed

> Add option to create JWT access tokens without persisting them
> --------------------------------------------------------------
>
>                 Key: CXF-7806
>                 URL: https://issues.apache.org/jira/browse/CXF-7806
>             Project: CXF
>          Issue Type: Task
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.1.17, 3.2.7
>
>         Attachments: CXF-7806-RT-3.1.patch, CXF-7806-RT.patch, CXF-7806-systests.patch
>
>
> Right now for the OAuth 2.0 data provider, we can issue access tokens in JWT format by specifying the "useJwtFormatForAccessTokens" property. However, this persists the encoded JWT token, something that is problematic with the JPA provider as the Id column of the AccessToken class can't handle the size of the token.
> I propose to add a new property called "persistJwtEncoding" to be used in conjunction with "useJwtFormatForAccessTokens". By default "persistJwtEncoding" is true for backwards compatibility reasons.
> When "persistJwtEncoding" is false, then the AccessToken that is persisted just contains the Id (opaque String) as for the non-useJwtFormatForAccessTokens case. However, the JWT-encoded access token is returned to the client.
> For the AbstractAccessTokenValidator and the TokenIntrospectionService, we can also set "persistJwtEncoding" to false to validate and parse the received token into a JWTToken. The Id is then extracted from the token and used to retrieve the access token from storage.



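The flow described in the issue, as an added stand-alone Java example (not CXF code and not taken from the attached patches): only the opaque Id is stored, the signed JWT goes to the client, and validation verifies the signature, extracts the Id and looks it up. Assumptions: the Id is carried in the `jti` claim, the token is signed with HS256 using a constructed key, an in-memory map stands in for the JPA table, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OpaqueIdJwtDemo {
    // Constructed demo key; a real deployment loads its key from a key store.
    static final byte[] KEY = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Assumption: the Id travels in "jti"; the regex is a demo shortcut for a JSON library.
    static final Pattern JTI = Pattern.compile("\"jti\":\"([0-9a-f-]{36})\"");
    // Stand-in for the token table: keyed by the short opaque Id, never by the JWT.
    static final Map<String, String> STORE = new HashMap<>();

    static String sign(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
    }

    static String issue(String subject) throws Exception {
        String id = UUID.randomUUID().toString();
        STORE.put(id, subject); // only the 36-character Id is persisted
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String claims = B64.encodeToString(("{\"jti\":\"" + id + "\"}").getBytes(StandardCharsets.UTF_8));
        String input = header + "." + claims;
        return input + "." + sign(input); // the JWT encoding is returned to the client only
    }

    // Returns the stored subject, or null if the signature is bad or the Id is unknown (e.g. revoked).
    static String validate(String jwt) throws Exception {
        String[] p = jwt.split("\\.");
        if (p.length != 3) return null;
        byte[] expected = sign(p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.US_ASCII))) return null;
        String claims = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
        Matcher m = JTI.matcher(claims);
        return m.find() ? STORE.get(m.group(1)) : null;
    }

    public static void main(String[] args) throws Exception {
        String jwt = issue("alice");
        System.out.println("valid    -> " + validate(jwt));
        System.out.println("tampered -> " + validate(jwt + "x"));
        STORE.clear(); // revocation: the JWT is still correctly signed but no longer resolves
        System.out.println("revoked  -> " + validate(jwt));
    }
}
```

Because the lookup by Id happens after signature verification, deleting the stored row revokes the token even though the JWT held by the client remains cryptographically valid.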