By: Hans Zandbelt user 05 Jun 2019 at 12:03 p.m. CDT

3 Responses
Hans Zandbelt gravatar
I noticed that the GLUU server uses is own implementation of JOSE/JWT/JWE instead of relying on a 3rd-party (open source) library like jose4j or Nimbus. My question is if and how interoperability of the GLUU Server JOSE/JWT/JWE implementation has been tested against other implementations. Are there unit tests for the RFC samples? I am running into an interop issue with Cisco's cjose, that's why.

By Yuriy Zabrovarnyy staff 05 Jun 2019 at 1:11 p.m. CDT

Yuriy Zabrovarnyy gravatar
Actually our decryptor and encryptor rely on Nimbus since 3.1.6. Or to be more exact ``` <groupId>com.nimbusds</groupId> <artifactId>nimbus-jose-jwt</artifactId> <version>6.3</version> ``` We started to move away from own implementation due to compatibility and ongoing corner cases which can consume a lot of time to cover correctly. We have cross test between nimbus, jose and gluu wrapper which shows generic compatibility. https://github.com/GluuFederation/oxAuth/blob/0a7d4dfcbd46bd4d678081de646fe8bd82a45dc7/Server/src/test/java/org/xdi/oxauth/comp/CrossEncryptionTest.java#L62 On what exactly issue did you run into? Thanks, Yuriy Z

By Hans Zandbelt user 05 Jun 2019 at 2:57 p.m. CDT

Hans Zandbelt gravatar
We're still figuring out if its a configuration issue (wrong key...) or a problem with cjose but I was just wondering about the GLUU side of things The cross-testing seems a good approach indeed, although one could argue there's a lot more variations and combinations of algorithms and ciphers that could be included in there. All good for now, thanks. I'll open a new issue if I pinpoint the problem down to GLUU's implementation of a particular alg/enc.

By William Lowe staff 06 Jun 2019 at 5:11 a.m. CDT

William Lowe gravatar
Thanks, Hans. Let us know what you find. Closing the ticket, but you can still post your findings here, or open a new ticket as needed.