<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
We do have an issue to support this grant type, but no immediate
plans:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/616">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/616</a><br>
<a class="moz-txt-link-freetext" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/411">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/411</a><br>
<br>
The correct way to implement this is not to coopt the Authorization
Code flow but rather to implement a new handler for it specifically.
What you're doing right now is very off-spec, and I wouldn't
recommend it. We've got the hooks in place for supporting the
assertion processing (see the above issues) but we don't yet have
all the processing to do it.<br>
<br>
We'd be happy to take a pull request to add this functionality,
assuming that it didn't break any of the other grant types.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 7/30/2015 3:46 PM, Luiz Omori wrote:<br>
</div>
<blockquote cite="mid:D1DFF74C.2005%25luiz.omori@dm.duke.edu"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif;
font-size: 14px;">
Hi,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif;
font-size: 14px;">
<br>
</div>
<div style="widows: 1;"><font face="Calibri,sans-serif">We have an
use case for exchanging a JWT by an access_token, exactly how
is described by JSON Web Token (JWT) Profile for OAuth 2.0
Client Authentication and Authorization Grants (</font><a
moz-do-not-send="true"
href="http://tools.ietf.org/html/rfc7523" style="color: rgb(0,
0, 0); font-family: Calibri, sans-serif; font-size: 14px;"><a class="moz-txt-link-freetext" href="http://tools.ietf.org/html/rfc7523">http://tools.ietf.org/html/rfc7523</a></a><font
face="Calibri,sans-serif">). Basically SSO for us. We did some
prototyping replacing the defaultOAuth2AuthorizationCode by a
class that extends it and also recognizes trusted JWTs
(consumerAuthorizationCode). The parameters necessary to
create an OAuthAuthentication object are coming from from the
trusted JWT and application registration DB. This appears to
be working as expected, the only thing is that the grant_type
has to be “code” instead of </font><span style="color: rgb(0,
0, 0); font-family: Calibri, sans-serif; widows: 1;">"urn:ietf:params:oauth:grant-</span><span
style="widows: 1;"><font face="Calibri,sans-serif">type:jwt-bearer”
as defined in the RFC for this flow. </font></span></div>
<div style="widows: 1;"><span style="widows: 1;"><font
face="Calibri,sans-serif"><br>
</font></span></div>
<div style="widows: 1;"><span style="widows: 1;"><font
face="Calibri,sans-serif">Thoughts? Any plans to support
this grant type?</font></span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri,
sans-serif;"><br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri,
sans-serif;">Regards,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif;
font-size: 14px;">
Luiz</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
mitreid-connect mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>
<a class="moz-txt-link-freetext" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a>
</pre>
</blockquote>
<br>
</body>
</html>