| 22 Mar 2021 |
 jzheaux (Josh Cummings) | There is some discussion on that ticket about configuring Spring Security for Apple login. | 20:18:22 |
 willladislaw (willladislaw) | Does it work? | 20:18:55 |
| jzheaux (Josh Cummings) | Those posting to the ticket say so. I haven't tried it myself, but I was reminded of that ticket when you asked the question. | 20:22:48 |
| willladislaw (willladislaw) | awesome | 20:23:01 |
| 23 Mar 2021 |
 eleftherias (Eleftheria Stein-Kousathana) | I suspect this is relate to the Samesite attribute on the session cookie. Check out this Spring Session issue spring-projects/spring-session#1577 | 08:04:14 |
| 24 Mar 2021 |
|  nightswimmings (nightswimmings) joined the room. | 22:23:20 |
| nightswimmings (nightswimmings) | What is the preferred library for reading JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). | 22:23:20 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind | 22:26:50 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 22:27:39 |
| 25 Mar 2021 |
| willladislaw (willladislaw) | Redacted or Malformed Event | 07:08:39 |
| willladislaw (willladislaw) | Redacted or Malformed Event | 10:04:28 |
| nightswimmings (nightswimmings) | Another question, sorry. What is the difference between annotating a WebSecurityConfigurerAdapter with @Configuration or the concrete @EnableWebSecurity? (I assume because of my tests that without any of those the adapter does not work) | 21:34:46 |
| nightswimmings (nightswimmings) | I @EnableWebSecurity implicit in Spring Boot, perhaps? | 21:39:12 |
| 29 Mar 2021 |
| jzheaux (Josh Cummings) | Spring Security uses the Nimbus JWT library. | 19:18:56 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 19:18:56 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 19:19:22 |
| jzheaux (Josh Cummings) | https://bitbucket.org/connect2id/nimbus-jose-jwt | 19:19:22 |
| jzheaux (Josh Cummings) | I believe if you bring in spring-boot-starter-oauth2-resource-server, then it brings in the Nimbus dependency automatically. | 19:20:37 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 19:20:37 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 19:20:57 |
| jzheaux (Josh Cummings) | Though, perhaps I'm not understanding your question about why it's not in "core". | 19:20:58 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 19:24:12 |
| jzheaux (Josh Cummings) | For JWT without OAuth, please take a look at https://github.com/spring-projects/spring-security-samples/tree/master/servlet/spring-boot/java/jwt/login - Spring Security does not ship with any first-class support for standalone JWT authentication. | 19:24:12 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 19:25:16 |
| jzheaux (Josh Cummings) | I'm not clear on your last question. We like Nimbus because it has the most mature JWT and OAuth 2.0 feature set. | 19:25:16 |
| jzheaux (Josh Cummings) | Spring Boot includes the @EnableWebSecurity annotation for you. See Boot's SecurityAutoConfiguration class for details. | 19:27:24 |
| jzheaux (Josh Cummings) | @EnableWebSecurity imports several configuration files that are necessary for publishing the HttpSecurity that you configure and adding it to the servlet context. It's necessary for Java-config-based Spring Security. | 19:29:30 |
| jzheaux (Josh Cummings) | * @EnableWebSecurity imports several configuration files that are necessary for publishing the HttpSecuritys that you configure and adding it to the servlet context. It's necessary for Java-config-based Spring Security. | 19:29:47 |
| nightswimmings (nightswimmings) | Hi Josh! Thanks a lot for the answers! This implementation claims it's the safest: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/, and looks like nimbus has a limited feature matrix compared to the other two: https://jwt.io/?_ga=2.13386935.1666795886.1617054942-664114383.1616610627 | 22:00:36 |
| nightswimmings (nightswimmings) | * What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on nimbus implementation. I am a bit confused. Where can I find that library? Why is not in the security core? Should I use it in a microservice that does use JWT but not OAUTH? And why thisJWT/JWS implementation preferred over the other 2? (Apologies for that many questions). I feel like a library like that should come built-in, and even autoconfigured so maybe auth0/java-jwt would be the default implementation if the other are not on classpath, provided it seems like the one designed from experts with security in mind, and the widest used with a quickly google search, but I am not proficient on this so I would like to understand the reasons behind current distribution | 22:00:36 |
