Details
- Task
- Resolution: Unresolved
- P2: Important
- 6.9.0 FF
- Foundation PM Staging
Description
QTBUG-124334 adds support to the QtNetworkAuth module for acquiring OpenID Connect ID Tokens. These tokens use the more generic JSON Web Token (JWT) format. In OpenID Connect use cases, these tokens must always be signed as a JSON Web Signature (JWS). Furthermore, they may additionally be encrypted and enclosed within a JSON Web Encryption (JWE).
The OpenID Connect model makes it mandatory for a client to verify the token it has received. The 'client' in Qt use cases is the client application (which may itself be a server, but for the purposes of OIDC it is still a client).
Verifying the token can be split roughly into these parts:
0) Decrypting the JWE, if needed
1) Verifying that the signature is valid
2) Verifying the applicable payload fields of the token (such as 'issuer', 'audience' and 'nonce')
This task is about supporting JWT token verification in the OIDC context in particular.
This task has a dependency on the research spike item QTBUG-124334, which researches how to do the cryptographic operations. One potential outcome of this item is a QJsonWebToken class, but we shouldn't limit ourselves to that yet. That class would be able to verify the received raw token. This item doesn't include the ability to create such tokens, but we also need to make sure that adding it in the future remains feasible.
An additional use case for the new class / mechanism could be to use it as a validator in the Qt OAuth2 flow. The user could set the validating object on the QAbstractOAuth2 class, which would automatically validate the received token and report a token error or success accordingly.
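As an added illustration of steps 1 and 2 above (example code, not Qt's or this task's own), the following Python verifier checks the JWS signature and then the 'iss', 'aud', 'nonce' and 'exp' claims of a compact-serialized ID token; it uses HS256 so that it runs on the standard library alone, while RS256 verification and the JWE decryption of step 0 need the cryptographic library the spike investigates. The key, issuer, audience and nonce values are constructed samples.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    # JWT uses unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def verify_id_token(token, key, issuer, audience, nonce, now=None):
    """Verify a compact JWS ID token; return its claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 parts)")
    header = json.loads(b64url_decode(parts[0]))
    # Step 1: signature. Pin the expected algorithm instead of trusting the
    # token's own "alg" header, so "alg":"none" or a swapped algorithm fails.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # Step 2: payload claims, per OpenID Connect Core section 3.1.3.7
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def verification_error(token, **kw):
    """Return the rejection reason, or None when the token verifies."""
    try:
        verify_id_token(token, **kw)
        return None
    except ValueError as e:
        return str(e)

def make_test_token(key, claims, alg="HS256"):
    # Constructed sample only: issuing tokens is out of scope for this task
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)
```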
Issue Links
- depends on QTBUG-129378 [OIDC, JWT] Spike: research cryptographic library usage for JWT verification