Oauthlib: OAuth2 Server - JWT token support

Created on 21 Jul 2012  ·  21 Comments  ·  Source: oauthlib/oauthlib

All 21 comments

Is this still being worked on?

@bigblind It was recently implemented.
However this issue should stay open until the JWT token RFC is finalized.

@thedrow If this has been implemented, is there any documentation on how to use it? The RTD simply points here and nothing in the source code seems to jump out to me.

There is no documentation currently since the standard is not yet finalized.

Unless I'm mistaken it seems that the standard is finalized: https://tools.ietf.org/html/rfc7523

It is now a proposed standard which means it is being finalized. Unless something unexpected happens it will be finalized in the coming months. I think it's safe to say that we can start implementing it. Any volunteers?

Hi @thedrow, the JWT is implemented, is it OK? Do you know if a Django provider exists that uses it? Thanks.

@Antherkiv The current implementation is according to the 4th draft of the specification. Someone needs to bring it up to speed with the current finalized specification.
I do not know any Django providers that use it.

There seems to be some confusion. I'm reading here that folks believe a _server_ has been implemented. I only see a client: ServiceApplicationClient. If a server has indeed been implemented, would someone point me to it?

@clintonb Seems like you're right. The server is not implemented.

Any work done on this?

I have no need for this feature for now so no.
If you need it, feel free to issue a PR.

We could definitely use this feature. Would this be useful for anyone else?

Wait, isn't it already supported? The signed_token_generator uses JWT and you just need to pass this generator to Server?

I guess I am not quite sure whether this issue is about using a JWT to request an OAuth2 access token, or generating a JWT token as access_token; my previous comment was referring to the latter case...

I am deeply interested in making sure that JWT/RFC7519 support is added and would like to do whatever is needed to make sure this is added as soon as possible as it doesn't seem to be working.

This is my current personal and professional critical path.

  1. How can I best help to make sure this is supported?
  2. How can I best contribute?
  3. If I did the work and made sure all the tests passed, is that all that is needed for the PR to be accepted?
  4. I noticed other pending changes that deal with JWTs that are not yet merged in; are they missing something I need to be aware of to get my own PR in?

I didn't see a "contributors guide" checked into the source; so asking here as my current need is highly targeted to JWT and the docs all say to track this here.

It looks, based on initial research, that JWT support may simply be all about the implementation of RequestValidator used, as well as the injection of 2 methods for token creation.

If not, is that at least the current goal of the oauthlib architecture?

From a quick glance through the code it appears that #488 has added most/all of the hook points that would be needed to generate and validate JWT tokens. (Untested mind, but it looks promising)

Biggest issue is adding testing to be sure that if a hook is not used somehow, it doesn't bite us like past merges have.

We should require positive and negative test bases as part of future merges.

Update: The initial issue presented by this issue is incorrect and out of date, as the link that is linked to is no longer valid and has been preceded by the RFCs, so the OP link will need to be edited to reflect that to mitigate confusion, @ib-lundgren, as you are now linking to old data.

The correct RFCs:

Closing this longstanding issue, which was initially discussing the JWT Profile for client authentication and authorization grants (see Docs/Grants/JWT), but diverged to JWT Tokens, which is currently implemented (see how to use JWT tokens at Docs/Tokens/Bearer-JWT).

Re-open a new issue if anyone wants to implement the JWT Profile for client authentication and authorization grants, aka RFC7523.
