[Pulp-dev] Pulp 3: using JWT to request a JWT

Brian Bouterse bbouters at redhat.com
Fri Dec 1 20:48:35 UTC 2017

+1 to just those use cases. Since we can roll back the change, I updated the
MVP with this change:

I also added an explicit use case saying that basic auth can authenticate
to all URLs. I think that got lost in the language revisions. It's also in
the diff ^.

Anyone feel free to suggest other changes or edit and send links with the

On Fri, Dec 1, 2017 at 2:47 PM, David Davis <daviddavis at redhat.com> wrote:

> I would just do:
> As a JWT authenticated user, I can refresh my JWT token if Pulp is
> configured with JWT_ALLOW_REFRESH set to True (default is False).
> Having two user stories means two separate items in redmine, and both of
> these user stories will probably be fixed in one commit/PR.
> David
> On Fri, Dec 1, 2017 at 2:30 PM, Brian Bouterse <bbouters at redhat.com>
> wrote:
>> +1 to using JWT_ALLOW_REFRESH as the name, I read the other name from
>> some other docs. +1 to adding a refresh token endpoint and some docs.
>> We need to update this area in the MVP which is currently in red. We
>> could replace the use case in red with:  "As an API user, I can
>> authenticate any API call with a JWT" and then add the following two use
>> cases:
>> As a JWT authenticated user, I can receive a new JWT if Pulp is
>> configured with JWT_ALLOW_REFRESH=True
>> As a Pulp administrator, my Pulp system disallows JWT renewal by default
>> What about these use case changes to the MVP to reflect this convo?
>> On Thu, Nov 30, 2017 at 5:46 PM, Jeremy Audet <jaudet at redhat.com> wrote:
>>>> I think @misa's point is that if a valid token becomes compromised, it
>>>> could be renewed for a long-maybe-forever time.
>>>> I'm reading a desire to have Pulp exhibit both of these types of
>>>> behaviors, and both for good reasons. What if we introduce a setting
>>>> JWT_REFRESH. If enabled, JWT_REFRESH will allow you to receive a new JWT
>>>> when authenticating with an existing JWT. Defaults to False.
>>>> I'm picking False as the default on the idea that not renewing tokens
>>>> would be a more secure system by limiting access in more cases than when
>>>> JWT_REFRESH is True. In the implementation, when JWT_REFRESH is set to True
>>>> it would fully disable the JWT_REFRESH_EXPIRATION_DELTA setting so that it
>>>> could be refreshed indefinitely. The user would never know about
>>> Being secure-by-default, with the option to do useful-but-dangerous
>>> things, is a great design approach.
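
Added example (not part of the original thread and not Pulp's code): the refresh policy discussed above in standard-library Python, with `allow_refresh` and `refresh_delta` standing in for JWT_ALLOW_REFRESH and JWT_REFRESH_EXPIRATION_DELTA. The `orig_iat` claim, the signing key, the lifetimes and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
TOKEN_LIFETIME = 300              # seconds each JWT stays valid (assumed value)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue(user, now, orig_iat=None):
    """Issue an HS256 JWT; orig_iat (assumed claim) records the original login time."""
    claims = {"sub": user, "exp": now + TOKEN_LIFETIME,
              "orig_iat": now if orig_iat is None else orig_iat}
    signing_input = _b64(b'{"alg":"HS256","typ":"JWT"}') + b"." + _b64(json.dumps(claims).encode())
    return (signing_input + b"." + _sign(signing_input)).decode()

def verify(token, now):
    """Check signature and expiry; the algorithm is fixed, never read from the header."""
    signing_input, _, sig = token.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _sign(signing_input)):
        raise PermissionError("bad signature")
    body = signing_input.split(b".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims

def refresh(token, now, allow_refresh=False, refresh_delta=None):
    """Exchange a valid JWT for a new one; refresh is off unless explicitly enabled."""
    claims = verify(token, now)
    if not allow_refresh:
        raise PermissionError("refresh disabled")
    if refresh_delta is not None and now > claims["orig_iat"] + refresh_delta:
        raise PermissionError("refresh window closed, log in again")
    return issue(claims["sub"], now, orig_iat=claims["orig_iat"])

def chain_length(allow_refresh, refresh_delta, attempts=20, step=240):
    """Count how often one login can be renewed when refreshing every `step` seconds."""
    token, now, renewed = issue("alice", 0), 0, 0
    for _ in range(attempts):
        now += step
        try:
            token = refresh(token, now, allow_refresh, refresh_delta)
        except PermissionError:
            break
        renewed += 1
    return renewed
```

With refresh enabled and no `refresh_delta`, every attempt succeeds, which is the indefinite-renewal case the thread raises for a compromised token; a finite `refresh_delta` ends the chain once the original login is too old.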