MicroProfile JWT 1.1 Support

In  microprofile

Overview

This proposal is in relation to adding support to WildFly for the MicroProfile JWT 1.1 specification.

Issue Metadata

Issue

Dev Contacts

QE Contacts

Testing By

[ ] Engineering

[ x ] QE

Affected Projects or Components

The primary integration will be happening by the addition of a new subsystem microprofile-jwt-smallrye within WildFly.

Additional integration will be added within WildFly Elytron to bridge into the application server’s security framework. This additional integration is specifically to achieve the delivery of support for MicroProfile JWT 1.1, potential new functionality that we identify would be picked up in future enhancements.

Other Interested Projects

The integration will also be making use of SmallRye JWT as well as pulling in the Eclipse MicroProfile JWT API library.

Requirements

Hard Requirements

This enhancement is focused on adding support for the MicroProfile JWT 1.1 specification within WildFly. During development additional opportunities may be identified to provide additional functionality, any such opportunities will be tracked within the WFLY Jira project and reviewed at the end of this enhancement rather than allowing the scope of this enhancement to grow.

Primarily this enhancement will be delivered using a new subsystem microprofile-jwt-smallrye which will be added to WildFly. The subsystem will install a DeploymentUnitProcessor which will detect if MicroProfile JWT is required and activate a suitable security configuration as described within this proposal.

The new subsystem initially will contain no configuration, it’s presence alone will enable support for MicroProfile JWT.

<subsystem xmlns="urn:wildfly:microprofile-jwt-smallrye:1.0"/>

Additionally the initial version of this subsystem will expose no operations and no attributes.

The default location to specify the authentication requirements is within the web.xml deployment descriptor, the MicroProfile JWT specification add a new annotation @org.eclipse.microprofile.auth.LoginConfig which allows a JAX-RS javax.ws.rs.core.Application to be annotated to specify the desired auth-method and realm-name.

During deployment, deployments will be scanned for a class extending Application annotated with the new @LoginConfig annotation - if the authentication configuration was not previously specified within the web.xml the configuration from this annotation will be used instead. If the authentication configuration has already been specified in the web.xml annotation scanning will be skipped as the configuration in the web.xml takes precendence over the annotation.

After the previous steps have completed if the resulting auth-method for the web application being deployed is MP-JWT the MicroProfile JWT integration will be activated as described further within this document, in all other cases no activation will occur and the deployment will continue using the existing security capabilities provided by the application server.

This activation scope is deliberately constrained to allow us to incrementally increase the scope at a later point.

The following steps will NOT occur if MicroProfile JWT has not been activated as described previously.

At the point activation occurs the deployment will not make use of a configured SecurityDomain instead a "Virtual" SecurityDomain will be created to meet the requirements of the deployment.

It is also possible that MicroProfile JWT is activated for a deployment that it itself a sub-deployment such as a war contained within an ear or in cases where the war contains items to be deployed in another container such as EJBs within the war. In all of these cases the common "Virtual" SecurityDomain will be used across all containers handling the deployment - by using a common SecurityDomain any identity established in one container will automatically propagate with any calls to the other containers without the need for any manual configuration.

Activation will add module dependencies as required on SmallRye JWT, Elytron JWT, and the MicroProfile JWT API.

Activation will also ensure activation of the SmallRye JWT CDI extension as well as the Elytron JWT CDI extension for Elytron specific overrides.

Finally activation will ensure the activation of the MP-JWT authentication mechanism for the deployment.

The combination of SmallRye JWT with Elytron JWT will be the pair of projects responsible for providing the functionality described in the MicroProfile JWT specification combined with tying in the integration to the application server’s security framework to ensure aspects such as identity association and establishment are correctly performed.

Once an identity has been established according to the steps described by the MicroProfile JWT specification the remaining security decisions required are covered by the relevant Jakarta EE specifications in use by the various subsystems.

Nice-to-Have Requirements

This section is deliberately empty, the intent of this enhancement is to integrate MicroProfile JWT support to WildFly. Once the initial integration is in place nice to have functionality can be added under individual enhancements with an appropriately constrained scope.

Non-Requirements

This integration will be making use of WildFly Elytron exclusively, no support will be added for the deprecated PicketBox project. Having said that the underlying security framework will be transparent for deployments developed according to the specification - the framework only becomes apparent if there is a desire to use vendor specific APIs.

This integration will not be supporting the use of pre-configured SecurityDomains, the general motivation to use MicroProfile JWT is to use an authentication mechanism where identities are self described using the tokens exchanged eliminating the need for configured security resources for the secured endpoint(s). Use cases could be identified where pre-configured resources add an additional benefit but those would be reviewed under their own enhancements.

It is assumed when working with the MicroProfile specifications that we will be supporting a single deployment, this deployment may contain sub-deployments. The SecurityDomain of each top level deployment will be isolated from the SecurityDomain of any parallel top level deployment. Advanced WildFly Elytron features such identity propagation across domains / top level deployments will not be supported. At a later point we could consider an enhancement to offer more control of the SecurityDomains in use but that is out of scope for this enhancement.

For this initial implementation propagation of identities is outside the current scope. The specification does make provision to access the token passed to the server so deployments can manually retrieve a token. Under WFLY-11868 enhancements are being provided to make use of the WildFly Elytron authentication client in RESTEasy, once available under a new RFE the microprofile-jwt subsystem can dynamically configure an AuthenticationContext configuration to automate propagation. This could also introduce a new feature to the client to allow a feature to convert it’s current configuration to obtain an alternative token.

It is assumed that any deployment making use of MicroProfile JWT will have already activated CDI, this enhancement will not activate CDI if the deployment has not already activated it.

Alternative Authentication Mechanisms

As this is quite a large topic it deserves it’s own heading, when discussing alternative authentication mechanisms we are really looking at mechanisms like FORM, SPNEGO, DIGEST etc…​

This enhancement will not be adding support for alternative authentication mechanisms to MP-JWT as this brings a lot of additional complexity. For this initial integration how we provide support for the MP-JWT mechanism should be largely transparent to the deployment allowing us to evolve this aspect further. Applications that require the use of these mechanisms can continue to use the existing security services offered by the application server.

Some of the issues we need to consider may be worthwhile discussing at the specification level.

Presently SmallRye JWT is making use of EE Security to provide an authentication mechanism. A big benefit of making use of EE Security is that a deployment can also make use of this specification to provide an @IdentityStore implementation as described in the MP JWT specification. Deployments also have the option of bringing in their own authentication mechanisms if they are not making use of MP-JWT.

However there are a couple of draw backs from the EE Security approach. A first drawback is this brings in dependencies on JASPI and JACC both of which must be correctly enabled on the server, the MP-JWT mechanism is a very trivial light weight mechanism so a lot of overhead is pulled in. A second draw back is that it should be possible for standard and vendor specific mechanisms to be specified, this brings us additional challenges as many of our mechanisms are native WildFly Elytron mechanisms. Making use of native mechanisms has it’s own complexities as we may need to bridge into using an @IdentityStore made available by CDI, alternatively this may require configuration of domains not covered by MicroProfile Config values. We could consider porting some of our vendor specific mechanisms to EE security but one of the features of our mechanisms is the ability to support multiple mechanisms concurrently which is not completely covered by EE security. The MP-JWT mechanism is also ideally suited to being used in parallel with other authentication mechanisms however we could end up in a situation with a hybrid of native mechanisms and an EE Security mechanism.

Overall these issues can be considered and solved, however I believe the primary motivation for activating MicroProfile JWT is to make use of the MP-JWT authentication mechanism so that will be the primary focus of this RFE.

Of the potential ongoing enhancements discovered as a result of this enhancement I believe alternative mechanisms is something we should pick up immediately on completion of this RFE, potentially initiating discussions around the JWT specification to clarify some of the intent.

Implementation Plan

The primary entry point for this enhancement will be a new subsystem microprofile-jwt-smallrye which will be added to the WildFly project. The WildFly project will also pull in SmallRye JWT as well as the MicroProfile JWT API.

Finally there will be an additional project Elytron JWT added to the WildFly Elytron project, this will also depend on SmallRye JWT, the purpose of this project will be to add any tighter integration required with the WildFly Elytron APIs. The contents of the Elytron JWT project will be considered private API and will be subject to change between releases.

If enhancements are required these will be submitted directly to the SmallRye JWT project, the Elytron JWT project will be a back up if we need a location to hold enhancements whilst the availability in SmallRye JWT is considered.

Overall this will lead to five new distinct modules being added to WildFly: -

  • org.eclipse.microprofile.jwt.auth.api - Public

  • io.smallrye.jwt - Private

  • org.wildfly.security.elytron-jwt - Private

  • org.wildfly.extension.microprofile.jwt-smallrye - Private

  • org.bitbucket.jose4j - Private

Test Plan

Within WildFly the TCK from the MicroProfile JWT project will be added so that the default suite of tests will be executed as part of our normal full test runs.

If additional scenarios are identified that require a test these will be added separatly to the WildFly testsuite.

Additional tests will be developed within QE.

Community Documentation

Within the community documentation the focus will cover the following topics.

  • Installation of the extension / subsystem.

  • The triggers to activate the MicroProfile JWT integration for a specific deployment.

  • The MicroProfile Config properties as defined in the MicroProfile JWT specification.

  • Additional MicroProfile Config properties as supported by SmallRye JWT.

An appropriate Quickstart will be handled under it’s own RFE, the Quickstart will be where a full end to end example is described.

Beyond this the MicroProfle JWT specification should be the definitive source of relevent information.

Release Note Content

Support has been added for the Eclipse MicroProfile JWT RBAC version 1.1.1 specification with the addition of a new subsystem microprofile-jwt-smallrye. Traditionally the security for deployments would depend on resources defined within the management model to access local or remote stores containing the definitions of the identities. MicroProfile JWT provides the abililty that with minimal configuration contained within a deployment for authenticated identities to be established from the contents of cryptographically signed JWT tokens received with each request.