This repository was archived by the owner on May 31, 2022. It is now read-only.

Add support for RFC 7516 JWE in spring-security-jwt #575

Closed
paskos opened this issue Sep 13, 2015 · 7 comments

paskos commented Sep 13, 2015

It would be nice if spring-security-jwt provided RFC 7516 JSON Web Encryption on top of JWT, à la nimbus-jose-jwt.

@georgespalding

How about writing a Spring wrapper for nimbus-jose-jwt?
Implement a public class NimbusJwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter ... that is parallel to the existing JwtAccessTokenConverter.

Could it be implemented in the spring-security-oauth/spring-security-oauth2 module as an alternative to spring-security-jwt with the nimbus-jose-jwt (License ASF2) dependency as optional?

@william-tran

I like the idea of wrapping an existing lib, here's another one:
https://bitbucket.org/b_c/jose4j/wiki/Home

On Thu, Oct 8, 2015 at 2:52 PM, George Spalding wrote:

> How about writing a Spring wrapper for nimbus-jose-jwt?
> Implement a public class NimbusJwtAccessTokenConverter implements
> TokenEnhancer, AccessTokenConverter ... that is parallel to the existing
> JwtAccessTokenConverter
>
> Could it be hosted in the spring-security-jwt with the nimbus-jose-jwt
> dependency as optional?

@georgespalding

I set up a Sonar instance to do a quick (rather unscientific) static analysis of the two projects.
Looks like Nimbus comes out as a winner there.

Nimbus commit: 97902155b45833ee9d604b0ef0d0c4759b1432db
Jose4J commit: e4ca546a19e775cdde16c98d8e23e793ac76a482

| Metric | Nimbus JOSE+JWT 4.3-SNAPSHOT | jose4j 0.4.5-SNAPSHOT |
| --- | --- | --- |
| Lines of code | 8,788 | 9,397 |
| Complexity | 2,226 | 1,902 |
| Comments (%) | 42.5% | 10.1% |
| Duplicated lines (%) | 6.0% | 1.2% |
| Issues | 412 | 489 |
| Coverage | 82.3% | 74.1% |
| Complexity / class | 14.2 | 10.7 |
| Complexity / function | 3.0 | 2.2 |
| Complexity / file | 14.8 | 14.1 |
| Public documented API (%) | 99.7% | 26.6% |
| Public undocumented API | 2 | 580 |
| Package tangle index | 4.9% | 17.8% |
| Package cycles | 3 | 22 |
| Duplicated blocks | 32 | 13 |

dsyer changed the title from "Add support for RFC 7516 Json Web encryption in spring-security-jwt" to "Add support for RFC 7516 JWE in spring-security-jwt" on May 17, 2016
dsyer added this to the 2.1.0 milestone on May 17, 2016
ohr added a commit to ohr/spring-security-oauth that referenced this issue on Dec 22, 2016
jgrandja modified the milestones: General Backlog, 2.1.0 on Mar 3, 2017

slem1 commented Mar 23, 2017

Hi, for info, I found some incompatibility at runtime between spring-boot-test in a web environment and Nimbus JOSE due to the following shared dependency:

<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>

Caused by: java.lang.ClassNotFoundException: net.minidev.json.writer.JsonReaderI

It seems that Nimbus JOSE uses a version that is too old (1.3.1) compared with Spring-test (2.2.1). Forcing 2.2.1 seems to work fine with JOSE in my case, but it would be nice if the Nimbus team could upgrade this dependency.


aisven commented Sep 28, 2017

It would be nice to get this so that OAuth2 via Spring can be used in a safer manner in scenarios with high security requirements. It is generally not a bad idea to hide token content from attackers, especially when there is a lot of content in (almost or fully) self-contained tokens, that without encryption leak information about functional areas, roles, rights, internal entity IDs, etc.
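
The exposure described in the comment above, shown as an added example that is not part of the original thread or of any project mentioned in it: a signed compact JWT (JWS) carries its claims as plain base64url, while an RFC 7516 compact JWE exposes only its protected header. The claim names, values and both sample tokens are constructed for illustration, and the JWE sample holds placeholder bytes rather than real ciphertext.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serializations."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def exposed_without_key(token: str) -> dict:
    """Report what any holder of the token can read without a key.

    This is an exposure audit only: no signature or tag is verified.
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS or JWE: %d segments" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        # JWS: header.payload.signature, payload is encoded, not encrypted.
        claims = json.loads(b64url_decode(parts[1]))
        return {"type": "JWS", "header": header, "claims": claims}
    # JWE: header.encrypted_key.iv.ciphertext.tag, claims sit in ciphertext.
    return {"type": "JWE", "header": header, "claims": None}


# Constructed sample claims of the kind the comment lists (roles, internal IDs).
SAMPLE_CLAIMS = {"user_name": "alice", "authorities": ["ROLE_ADMIN"],
                 "scope": ["read"], "tenant_id": 4711}


def make_sample_jws() -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                     b64url_encode(b"\x00" * 32)])  # placeholder signature


def make_sample_jwe() -> str:
    header = {"alg": "dir", "enc": "A128GCM"}
    # With alg=dir the encrypted-key segment is empty; the IV, ciphertext
    # and tag below are placeholder bytes with realistic lengths.
    return ".".join([b64url_encode(json.dumps(header).encode()), "",
                     b64url_encode(b"\x01" * 12), b64url_encode(b"\x02" * 40),
                     b64url_encode(b"\x03" * 16)])
```

Running `exposed_without_key` over tokens captured from your own test environment shows which claims a JWS-only deployment hands to anyone who sees the token.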

@hbauswdit

Hi, is this feature in any backlog now? We are going to use Nimbus to customize the JWT converter as we really need JWE working.

jgrandja removed this from the General Backlog milestone on Jan 17, 2018

@jgrandja (Contributor)

We are not adding any new features to this project as it's in maintenance mode. Our efforts are focused on building out the new OAuth support in Spring Security 5.x. JWE support will be added to Spring Security 5.x.
