Switch JWT library implementations

[peternied]

After reviewing the different libraries for constructing JWT authentication tokens, for the OnBehalfOf feature should use Nimbus JOSE + JWT

Exit Criteria

• Add a checkstyle rule to detect including references to org.apache.cxf.rs.security.jose
• Remove all references to org.apache.cxf.rs.security.jose [15] files impacted
• Replace all unfulfilled references with com.nimbusds.jose.* components
• Add backwards combability tests for any features that have previously shipped

Additional Context

• Prototype main...peternied:security:nimbus-jose-jwt

[stephen-crawford]

[Triage] This issue seems to have clearly outlined closure criteria and is the result of guidance around how to improve our overall security posture. We will need this to be backwards compatible so that the a token made with the CXF implementation can then go into the Nimbus version.

Given the prototype Peter made, this seems like something we can mark good first issue.

[MaciejMierzwa]

Started looking into it

[peternied]

Thanks @MaciejMierzwa for looking into this, I've marked this issue assigned to you. Please comment on this issue as you make progress or alternatively discussion can occur in a pull request.

[MaciejMierzwa]

Hi, here's the branch and draft PR I'm pushing my changes to: #3421
So far so good although there are more differences between library implementations then I hoped for. Also, I noticed that nimbus library doesn't accept shorter keys for signing JWT, seems like cxf was adding padding if secret key was too short, nimbus on the other hand forces user to use proper length secret (512 bits for HMAC512 etc)