Consider renaming spring-security-jwt-jose #4595

Closed
rwinch opened this issue Sep 29, 2017 · 3 comments

@rwinch
Member

rwinch commented Sep 29, 2017

Summary

Perhaps just spring-security-oauth2-jwt or spring-security-jwt or spring-security-jose or spring-security-oauth2-jose

If necessary we should also consider renaming packages to align with the new jar

@rwinch rwinch added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) Refactoring labels Sep 29, 2017
@rwinch rwinch added this to the 5.0.0.M5 milestone Sep 29, 2017
@rwinch rwinch modified the milestones: 5.0.0.M5, 5.0.0.RC1 Oct 3, 2017
@jgrandja jgrandja mentioned this issue Oct 10, 2017
28 tasks
@jgrandja
Contributor

Although JWT claims are typically used within the payload of a JWS, it's not a requirement that a JWS contain JWT defined claims or be a JSON, as stated in Section 3.3 Example JWS

The UTF-8 representation of the following JSON object is used as the
JWS Payload. (Note that the payload can be any content and need not
be a representation of a JSON object.)

JWS represents digitally signed or MACed content using a JSON data structure but does not constrict it to be a JSON object only.

The same rules apply for a JWE - JWE represents encrypted content using JSON data structures.

I feel the current module name spring-security-jwt-jose is correct.

The package org.springframework.security.jwt defines JWT constructs and the JOSE framework constructs would be defined in:

org.springframework.security.jose.jws
org.springframework.security.jose.jwe
org.springframework.security.jose.jwa

@rwinch Does this make sense?

@rwinch
Member Author

rwinch commented Oct 18, 2017

Without cryptography JOSE JWT is an abstract concept. JWT is really an encrypted or signed JWT which means it is part of JOSE or uses JOSE.

There is alg=none, but at this point you just have JSON and no security which means in a security framework we should probably not allow alg=none.

I don't like having a jar that is doing two different things. It should have a unified single purpose. So if it is a separate concept, I think we need to move to multiple jars (don't like that). If there is a single purpose already, the jar name should fit that (I think spring-security-oauth2-jose works).

@jgrandja
Contributor

The main purpose of this module is for JWS and JWE. And given that we're only dealing with a signed JWT (JWS) or encrypted JWT (JWE) then JWT is redundant in the module name.

I'm good with the proposed spring-security-oauth2-jose module name.

thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018
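
The two technical points raised in this thread (a JWS payload need not be JSON, and `alg=none` leaves the content unsecured) can be seen in a small verifier. This is an added example, not Spring Security code and not written by the participants; the function names, the HS256-only allow-list and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # explicit allow-list; "none" is deliberately absent


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: bytes, key: bytes) -> str:
    """Build a JWS compact serialization over arbitrary payload bytes."""
    signing_input = b64url_encode(b'{"alg":"HS256"}') + "." + b64url_encode(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jws(token: str, key: bytes) -> bytes:
    """Return the verified payload bytes; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))  # the header must be JSON
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed (this includes alg=none)")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return b64url_decode(parts[1])  # payload stays opaque bytes, JSON or not


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    print(verify_jws(sign_hs256(b"plain text, not JSON", key), key))
    unsecured = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b"{}") + "."
    try:
        verify_jws(unsecured, key)
    except ValueError as exc:
        print("rejected:", exc)
```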