Can someone show me why it's so difficult to set up an OAuth2 provider with JWT tokens? If you want JWT tokens all the code is already here. Why is it so hard to just use it?
Answer:
Maybe it's not difficult but 1) it feels unnatural to do so and 2) it can be easier. Instead of using @EnableResourceServer and other setup I would like something much more easier like:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.jwt()
.loginUrl(new AntPathRequestMatcher("/api/login", "POST"))
.secret("my-super-duper-secret")
.claimsProvider(new MyClaimsProvider)
What you typically want set to for JWT is the login url (can be defaulted to /login), the secret and optionally some claimsProvider implementation. A default implementation should be provided out of the box adding the username and roles to the claims. This way it would be very easy to setup JWT in Spring Security.
With OAuth2 there is a "refresh token", so you put the onus on the client to keep the access token live, and the authorization server can check the user account every time it is refreshed. If you start worrying about that kind of problem (which you should) then you will end up implementing something that is getting pretty close to OAuth2, at which point you might say "why didn't we just use OAuth2 in the first place?" Do you see my point?
Isn't the use case described in this issue conceptually different from the OAuth2 case? Here we have a password as an input and JWT token as an output, and JWT token is then used for accessing the resources. The JWT profile for OAuth 2 spec specifies a different case, where a JWT token is an input to the token service and the access token is an output, and access token is then used for accessing the resources.
It will be good to have just simple JWT token base authentication without OAuth which is sometimes complicated for small projects.
https://github.com/spring-projects/spring-security-oauth/issues/368