Introduce mapping for claims

[jeanouii]

After creating a MP-JWT implementation in TomEE, I have done a small demo application using it so I could go and speed at conferences.

I found 2 things quite painful

• the 'aud' which is required and I'm not quite sure why
• the 'sub' which is also required.

Though I would be interesting in having details about why the 'aud' is required, I'd like to discuss here about the 'sub'.

The 'sub' claim is used to build the Subject so the security context can be used for all sort of things.
I understand the fact we need a name to build the subject but I don't get why we have introduced a new claim.

Most providers have already a claim with a name or something that can be used, so why adding another one?

I was wondering if now that we are working on configuration we could provide mapping for

• principal claim, aka the name which would be 'sub' for background compatibility reasons
• roles/groups claim - choose the name of the claim used to build up the list of role principals (it could be groups by default, but why not roles or scopes?)

[starksm64]

The potential difficulty will be with the scope of the mapping. Is it global, or does it need to be keyed off of some other claim like iss, or even a hash of the signer public key. Meaning, are there multiple MP-JWT issuers being seen in a given runtime implementation, or can the runtime microservices be reliably partitioned based on the MP-JWT issuer.

[starksm64]

Is there a Map<String, String> capability in MP Config? That would make this relatively easy to do. Otherwise, I guess we could just use a property prefix that allowed us to build this up from a set of properties.

[starksm64]

Let's get some usecases added so that we can start some TCK tests.

[sberyozkin]

@jeanouii aud is always good to check because without it there is no way for the service to check this token is indeed intended for this service. Which among other things opens an attack space where the bad intermediary forwards the token intended originally/only for it to the next target, etc.
We are bringing an option to let the users enforce the audience if they need to.

We can keep this issue open though to review how the Mappers can be introduced to map the role information when no groups is available