JWT Support

[Savrov]

Is your feature request related to a problem? Please describe.
Add JWT feature for AccessToken. It will be great for a case when I have an auth server where I validate user and data server, where I would like to get content by userId (which can be stored in JWT payload) and expireAt (from JWT's "iat").

Describe the solution you'd like
There will be an option to switch between UUID AccessToken and JWT AccessToken. All fields of AccessToken like "username", "clientId" can be stored inside JWT payload.

Describe alternatives you've considered
The only opportunity I've found to do it is to override AccessTokenConverter, and for field "accessToken" generate a JWT string.

[palmenhq]

Just as a reference it's totally possible to writ your own AccessTokenConverter. I'm experimenting with this and am making a PoC that solves this.

Edit:
Woops, didn't read through the issues properly hehe. I'll drop this link here anyways in case someone would care.

[adhesivee]

I will try to create JWT implementation for this. But I am not sure on how I would create particular things.
For example for the AccessTokenConverter it needs a JWT implementation like auth0, but I want to avoid to expose the library itself to much, so I need to abstract it somehow.
A good candidate is also to use JWT with is RefreshTokenConverter. This could then also store expiration for the refresh token.

[adhesivee]

I am trying to implement JWT here. The implementation is leaning strongly against the implementation of com.auth0:java-jwt.
JwtAccessTokenConverter and JwtRefreshTokenConverter will set:

• issued at
• expired at
• client_id
• scopes
• username (if available)

By using jwtConfiguration: (JWTCreator.Builder) -> JWTCreator.Builder it should still be possible to add claims/configuration yourself. An important thing is that the Algorithm has to be provided outside of these classes. For me it wouldn't make much sense to create something here. So it will look like:

Algorithm algorithm = Algorithm.HMAC256("secret")

val accessTokenConverter = JwtAccessTokenConverter(algorithm)

I need to build something to allow the implementor to remove the claims I set here. It could be the case they don't want to use this at all.
@Savrov Is this something you could use, or did you expect something else?