OpenDJ: OPENDJ-7916

Support local validation of OAuth2 JWT bearer tokens


Details

• Type: New Feature
• Status: Dev backlog
• Priority: Major
• Resolution: Unresolved
• 7.0.0
• rest, security

Description

Server REST endpoints already support OAuth2-based authorization, and OPENDJ-7858 proposes adding SASL-OAuth2 over LDAP. In both cases DS acts as an OAuth2 resource server and is responsible for validating OAuth2 bearer tokens, which it currently does by calling an external OAuth2 authorization server's token introspection endpoint. Token introspection adds latency (an extra network round-trip per validation), adds complexity (result caching, and a dependency on the introspection endpoint being available), and is usually unnecessary for OAuth2 JWT tokens, which carry everything needed to verify them locally.

Acceptance criteria:

This issue can be closed once DS supports local validation of OAuth2 JWT bearer tokens. The validation mechanism should not need to contact an external authorization service. Instead it should decrypt and verify the JWT using the secrets shared with the authorization service. It is assumed that the required secrets will have been distributed and made available via commons secrets; in other words, completing this issue requires integration with commons secrets.
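As an added illustration of the local validation the acceptance criteria describe (example code written for this page, not OpenDJ/DS code, and not how DS implements or will implement it): a resource server verifies an HS256-signed JWT with a secret shared with the authorization server, pins the algorithm rather than trusting the token header, checks the signature in constant time before interpreting any claim, and then checks iss, aud, exp and nbf. The function names (mint_hs256, validate_jwt_locally, is_valid), the secret, issuer and audience values are all constructed for the example; in DS the secret would come from commons secrets as the issue states. Only signed (JWS) tokens are covered here; the "decrypt" (JWE) case is out of scope for this snippet. Standard library only, so it runs as-is.

```python
"""Local (offline) validation of an HS256-signed OAuth2 JWT bearer token.

Added example for this issue; it is not OpenDJ/DS code. It assumes the
authorization server and the resource server share an HMAC secret and
that the resource server knows the expected issuer and audience values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"  # the single algorithm agreed with the authorization server


class TokenInvalid(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url (RFC 7515 Appendix C); restore the padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, secret: bytes, header: Optional[dict] = None) -> str:
    """Stand-in for the authorization server: build a signed token for testing."""
    header = header or {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_jwt_locally(token: str, secret: bytes, issuer: str, audience: str,
                         now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the verified claims or raise TokenInvalid; no network access needed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("a JWS compact token has exactly three segments")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise TokenInvalid("malformed header or signature")
    # Pin the algorithm instead of trusting the header: this rejects "none" and any
    # algorithm-confusion attempt before a single claim is interpreted.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise TokenInvalid("unexpected or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenInvalid("signature does not verify")
    # Only a token whose signature verified has its claims parsed and checked.
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        raise TokenInvalid("malformed claims")
    if not isinstance(claims, dict):
        raise TokenInvalid("claims must be a JSON object")
    if claims.get("iss") != issuer:
        raise TokenInvalid("issuer mismatch")
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("token was not issued for this resource server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenInvalid("token expired or exp missing")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise TokenInvalid("token not yet valid")
    return claims


def is_valid(token, secret, issuer, audience, now=None):
    """Boolean wrapper around validate_jwt_locally, convenient for tests."""
    try:
        validate_jwt_locally(token, secret, issuer, audience, now=now)
        return True
    except TokenInvalid:
        return False


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret-for-demo"  # constructed; DS would load it from commons secrets
    ISSUER, AUDIENCE = "https://as.example.test", "ds-rest"  # constructed values
    now = 1_700_000_000
    good = mint_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": now + 300}, SECRET)
    print("good token ->", validate_jwt_locally(good, SECRET, ISSUER, AUDIENCE, now=now))
    expired = mint_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": now - 100}, SECRET)
    print("expired token valid?", is_valid(expired, SECRET, ISSUER, AUDIENCE, now=now))
```

The ordering matters: the algorithm check and the signature check come before any claim is read, so a token with a forged payload, a stripped signature or an "alg": "none" header is rejected without the claims ever being trusted. Clock skew is absorbed by a small leeway rather than by skipping the exp/nbf checks, and a missing exp is treated as a rejection, since an unbounded token defeats the point of local validation.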

People

Assignee: Unassigned
Reporter: Matthew Swift