Nuxeo Platform / NXP-24734

Stateless Authentication based on a JSON Web Token (JWT)


    Details

    • Impact type:
      Configuration Change
    • Upgrade notes:

      There is a new Java API to acquire a JWT token to authorize a user:

      import org.nuxeo.ecm.jwt.JWTService; // package assumed; the notes only name the class
      import org.nuxeo.runtime.api.Framework;
      JWTService service = Framework.getService(JWTService.class);
      String token = service.newBuilder().build();


      The builder can also be used to add specific claims to the token (only CLAIM_SUBJECT is meaningful to the authenticator for now) and to set a TTL.

      The token should then be propagated to the third-party service that wishes to connect to Nuxeo, which passes it in the Authorization: Bearer <token> request header. As a compatibility fallback, the request query parameter access_token can also be used.

      IMPORTANT
      For the JWTService to work, all the cluster servers must be configured with a common shared secret in nuxeo.conf:

      nuxeo.jwt.secret=...
      
    • Sprint:
      nxFG 10.2.2, nxFG 10.2.3, nxFG 10.2.4, nxFG 10.2.5, nxFG 10.2.6, nxFG 10.2.7, nxFG 10.3.1
    • Story Points:
      5

      Description

      We want an authenticator similar to Token Auth but that doesn't store stateful information. It would be based on a server secret instead (either for HMAC or for an asymmetric-key-based signature). The transport format would be JWT.

      The token would contain:

      • username
      • creation time (for expiration)

      This will be useful at least for the ARender connector, and for the WOPI integration.
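      The scheme described above (an HMAC over a shared server secret, the username and creation/expiry time carried in the token, Authorization: Bearer with an access_token query fallback) as an added Python model; this is not Nuxeo's implementation. The SECRET value and the use of the standard sub/iat/exp claim names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"  # stand-in for the nuxeo.jwt.secret value (constructed)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(subject, ttl_seconds, secret, now=None):
    """Mint an HS256 JWT: username in 'sub', creation time in 'iat', expiry in 'exp'."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_token(token, secret, now=None):
    """Return the claims when the HMAC and expiry check out; None otherwise. No server state needed."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None  # the server, not the token, fixes the algorithm: 'none' and others are rejected
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("sub"), str) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def authenticate_request(headers, query, secret, now=None):
    """Username for a request carrying Authorization: Bearer <token>, or the access_token query fallback."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else query.get("access_token")
    if not token:
        return None
    claims = verify_token(token, secret, now)
    return claims["sub"] if claims else None
```

      A rotated or mismatched secret on one cluster node makes every token minted elsewhere fail verification, which is why the notes require the same nuxeo.jwt.secret on all servers.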

      Time Tracking

      • Estimated: 0m
      • Remaining: 0m
      • Logged: 2d 1h