Monday, August 13, 2018

Thorntail Goes Total JOSE

JOSE is a set of modern security specifications developed by the best security experts in the industry. It has not always had the best press, with some weaknesses being identified. But it is still evolving, the JOSE libraries become more robust and it is always worth remembering that no ideal security specification exists, a given security mechanism always needs to be applied very carefully, with the support from the experts.

You may or may not be surprised but JOSE is nearly everywhere now. Many of  the current leading SSO providers use OIDC. They use ID and access tokens which are JOSE instances, JWT tokens, typically signed or even encrypted using the JOSE JWS and/or JOSE JWE mechanisms.

Thorntail has been OIDC/JOSE aware for a while. For a start it offers a comprehensive Keycloak integration which not only lets users easily secure their HTTP endpoints with the Keycloak adapters but also offers a pretty unique Keycloak Server integration which will be the topic of one of the next posts.

Next, Thorntail provided an integration with Microprofile JWT, the effort led by Red Hat. It offers an easy access to the individual claims inside a validated JWT token - often it is not enough for the endpoint to validate the token, it may need to make some application specific decisions based on the token content.

Finally, to complete the picture, Thorntail master now offers a support for the generic JOSE, for the users be able to experiment with protecting their data using all that JOSE offers today: signing and/or encrypting the arbitrary data, complete payloads or only their specific parts, using the Java JKS or JOSE JWK key stores.

The application code will be able to inject Jose and configure its properties in YAML files like this one. Currently both Apache CXF JOSE and Jose4J are being tested as Jose implementations. The CXF implementation is currently offered by default - it has proven itself in the production and it also supports JWS and JWE JSON formats , but please do not be concerned if you prefer a quality Jose4J library - we hope the users will show the interest in this feature over time and then we can easily offer a Jose4J option out of the box as well. 

Have a look at the demo please. It shows how JOSE can be used to sign the data in the detached mode. It is actually a very cool feature which is not well known due to JOSE being primarily used in the OIDC/OAuth2 space for now, as opposed to in the regular HTTP service communications. It allows to create a custom envelope where the data to be protected go alongside the signature. Yes, no need to come up with yet another specification to standardize on the envelope format, just choose whatever bean format you prefer, choose the data to be signed, and where the signature in this bean has to be collocated, it is so good.

So, here you go. Are you interested in the modern security ? If yes - see what Thorntail can do.