[Pulp-dev] Pulp 3: using JWT to request a JWT

Dennis Kliban dkliban at redhat.com
Wed Nov 29 11:29:41 UTC 2017 

On Tue, Nov 28, 2017 at 8:32 PM, David Davis <daviddavis at redhat.com> wrote:

> I’m not sure I fully understand this last paragraph about setting a
> maximum amount of time per token. Regardless, I would not add the ability
> to request new JWT tokens using JWT authentication in the MVP unless it’s
> easy to implement. I think we want that eventually but what we have today
> supports most of what users want or need from JWT auth.
>

The change I am proposing is just a configuration change in settings.py. We
need to set JWT_ALLOW_REFRESH to True and determine what we want the
default value for JWT_REFRESH_EXPIRATION_DELTA to be. The first will enable
the feature, the second will determine the length of time that can pass
from the creation of the very first token (using name and password) until
the user has to use the username and password again. In the time in
between, the user can use the JWT to get a new JWT.

More docs on this are here[0].


[0] https://getblimp.github.io/django-rest-framework-jwt/


>
> David
>
> On Tue, Nov 28, 2017 at 5:34 PM, Dennis Kliban <dkliban at redhat.com> wrote:
>
>> Our MVP doc currently states "As an API user, I can authenticate any API
>> call (except to request a JWT) with a JWT. (not certain if this should be
>> the behavior) [in progress]"
>>
>> The uncertainty was due to the "except to request a JWT" clause.
>>
>> I propose that Pulp 3 should support requesting a new JWT by using an
>> existing JWT. Automated systems that integrate with Pulp would benefit from
>> being able to renew tokens using an existing token.
>>
>> Enabling this feature with django-rest-framework-jwt requires also
>> selecting the maximum amount of time since original token was issued that
>> the token can be refreshed. The default is 7 days. Pulp users should be
>> able to supply this value. Thy should also be able to specify how long each
>> token is good for.
>>
>>
>> What do others think?
>>
>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20171129/4ed2ed0a/attachment.htm>

More information about the Pulp-dev mailing list