[Pulp-dev] Pulp 3: using JWT to request a JWT

Mihai Ibanescu mihai.ibanescu at gmail.com
Wed Nov 29 18:31:13 UTC 2017


Jeremy, I don't think I understand your comment.

You *will* have to use basic auth to refresh the token when the original
one expires. So there are limitations to a JWT, and for good reasons. A JWT
is a weaker authenticator than a username+password because it expires.
Because it is timestamped, it reduces the risk of compromising your account
if someone sniffs the traffic.

Refreshing the token with a JWT seems marginally useful to me.

On Wed, Nov 29, 2017 at 1:02 PM, Jeremy Audet <jaudet at redhat.com> wrote:

> +1. I think one should be able to get a JWT with a JWT. This user
> experience:
>
> > I can authenticate any API call with a JWT token.
>
> ...is nicer than this user experience:
>
> > I can authenticate any API call with a JWT token. Oh, wait, except
> getting a new JWT token. I wonder why? Is there some security risk here? I
> wonder if there's other API calls that also don't let me use JWT tokens?
> Perhaps I should use basic auth for all authentication?
>
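
The trade-off debated in this thread, as an added example that is not part of the original messages or of Pulp's code: a stdlib-only HS256 token with an `exp` claim and a hypothetical issuing endpoint, comparing how long one captured token stays useful when renewal requires basic auth versus when a JWT is accepted. `SECRET`, `LIFETIME`, `USERS`, `token_endpoint` and `usable_seconds` are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # constructed value, not a Pulp setting
LIFETIME = 300                        # assumed token lifetime in seconds
USERS = {"admin": "s3cret"}           # constructed credential store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(username: str, now: int) -> str:
    """Sign an HS256 JWT whose exp claim is now + LIFETIME."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": username, "exp": now + LIFETIME}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, now: int):
    """Return the subject if signature and exp are valid, else None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    return claims["sub"] if now < claims["exp"] else None

def token_endpoint(now, basic=None, bearer=None, accept_jwt=False):
    """Hypothetical issuing endpoint; accept_jwt toggles the proposal in this thread."""
    if basic and hmac.compare_digest(USERS.get(basic[0], ""), basic[1]):
        return issue(basic[0], now)
    user = verify(bearer, now) if (accept_jwt and bearer) else None
    return issue(user, now) if user else None

def usable_seconds(accept_jwt: bool, horizon: int = 3600) -> int:
    """Seconds one token stays useful without the password, renewing every 60s."""
    token, t = issue("admin", 0), 0
    while t < horizon and verify(token, t):
        token = token_endpoint(t, bearer=token, accept_jwt=accept_jwt) or token
        t += 60
    return t
```

With basic-auth-only issuance, `usable_seconds(False)` stops at the token's own lifetime; with JWT-accepted issuance, `usable_seconds(True)` runs to the end of the simulated horizon.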

