Merge branch 'master' of https://github.com/eclipse/microprofile-jwt-…

…auth
eclipse · May 19, 2018 · 7226ed1 · 7226ed1
2 parents 1b73369 + db42d99
commit 7226ed1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 12 deletions.
diff --git a/spec/src/main/asciidoc/configuration.asciidoc b/spec/src/main/asciidoc/configuration.asciidoc
@@ -353,15 +353,3 @@ more details.
 Parsing of the `InputStream` occurs as defined in <<Supported Public Key Formats>> and must
 return Public Key text in one of the supported formats.
 
-#### `mp.jwt.verify.issuer` (optional)
-
-The `mp.jwt.verify.issuer` config property allows for the expected value of the `iss`
-claim to be optionally specified.  When specified, the MicroProfile JWT implementation
-must verify the `iss` claim of incoming JWTs is present and matches the configured value
-of `mp.jwt.verify.issuer`.
-
-If the `mp.jwt.verify.issuer` config property has not been set, any issuer or none at all
-is allowed.
-
-NOTE: In most cases relying on the digital signature check via the Public Key alone is
-sufficient to establish trust.
diff --git a/spec/src/main/asciidoc/future-directions.asciidoc b/spec/src/main/asciidoc/future-directions.asciidoc
@@ -56,6 +56,24 @@ The "aud" claim defined in RFC 7519 section 4.1.3 was considered for addition.
 Though a "aud" claim is not required, implementations that support it and applications that use it should do so as
 detailed in this section to ensure alignment for any future standardization.
 
+### `mp.jwt.verify.issuer` configuration option
+
+Discussion of a standard configuration option for enabling the explicit checking of the
+issuer was discussed.  Discussion is still ongoing as to what the default behavior of
+the property should be if no explicit value is supplied.  The definition as last phrased
+is below.
+
+The `mp.jwt.verify.issuer` config property allows for the expected value of the `iss`
+claim to be optionally specified.  When specified, the MicroProfile JWT implementation
+must verify the `iss` claim of incoming JWTs is present and matches the configured value
+of `mp.jwt.verify.issuer`.
+
+If the `mp.jwt.verify.issuer` config property has not been set, any issuer or none at all
+is allowed.
+
+NOTE: In most cases relying on the digital signature check via the Public Key alone is
+sufficient to establish trust.
+
 ### `classpath:` URL Scheme
 
 The option to have a built-in `classpath:` URL Scheme was discussed with the intended