[Pulp-dev] Pulp 3: using JWT to request a JWT
jaudet at redhat.com
Wed Nov 29 19:57:44 UTC 2017
> Jeremy, I don't think I understand your comment.
> You *will* have to use basic auth to refresh the token when the original
> one expires.
Right. I understand that. I'm not arguing that we allow the user to
generate a valid JWT token using an expired, invalid JWT token. I'm arguing
that we allow the user to generate a valid JWT token using an unexpired,
valid JWT token. This allows use cases such as a client (web browser, CLI
tool, etc) being able to re-authenticate itself without re-prompting the
user for a username and password. This is especially relevant if the token
expiration time is set to a short value, such as 15 minutes.
> So there are limitations to a JWT, and for good reasons. A JWT is a weaker
> authenticator than a username+password because it expires. Because it is
> timestamped, it reduces the risk of compromising your account if someone
> sniffs the traffic.
If there are security concerns here, then that's important, and they should
be weighted heavily.
Note that there's an easy-to-use mechanism for invalidating a user's tokens.
> Refreshing the token with a JWT seems marginally useful to me.
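The flow under discussion (issue a token from a password, or from a still-valid token, with a 15-minute expiry and a way to invalidate a user's outstanding tokens) as an added, self-contained example. This is not Pulp's code: the HS256 signing, the `SECRET`, the `USERS` table, the `TOKEN_VERSION` counter used as the invalidation mechanism, and the function names are all assumptions made for illustration; the thread only says such a mechanism exists, not how it works.

```python
"""Toy JWT issuer: obtain a token with a password, or with an unexpired token.

Added example, not Pulp's implementation. Uses only the standard library so it
runs offline; a real service would use a JWT library and a persistent store.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample data (hypothetical secret, user and password).
SECRET = b"example-signing-key"
USERS = {"alice": hashlib.sha256(b"alice-password").hexdigest()}
# Assumed invalidation mechanism: a per-user version number embedded in each
# token; bumping it makes every token issued under the old number invalid.
TOKEN_VERSION = {"alice": 1}
TTL = 15 * 60  # 15-minute expiry, the short value mentioned in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict) -> str:
    """Produce a compact HS256 JWT (header.payload.signature) for payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, now: float) -> dict:
    """Return the payload if the token is well-signed, unexpired and not revoked."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the alg the client chose
    payload = json.loads(_b64url_decode(body))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    if payload["ver"] != TOKEN_VERSION.get(payload["sub"]):
        raise ValueError("token revoked")
    return payload


def issue_with_password(user: str, password: str, now: float) -> str:
    """Basic-auth path: always available, including after the old token expired."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), digest):
        raise ValueError("bad credentials")
    return sign({"sub": user, "iat": int(now), "exp": int(now) + TTL, "ver": TOKEN_VERSION[user]})


def issue_with_token(token: str, now: float) -> str:
    """Token-refresh path: only an unexpired, valid token may mint a new one."""
    payload = verify(token, now)
    return sign({"sub": payload["sub"], "iat": int(now), "exp": int(now) + TTL, "ver": payload["ver"]})


def invalidate_user_tokens(user: str) -> None:
    """Revoke every token the user currently holds, whether or not it has expired."""
    TOKEN_VERSION[user] += 1


def rejection_reason(token: str, now: float):
    """None if the token would be accepted, otherwise the reason verify() refused it."""
    try:
        verify(token, now)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t0 = 1_000_000
    first = issue_with_password("alice", "alice-password", t0)
    second = issue_with_token(first, t0 + 600)  # refreshed 10 minutes in, no password prompt
    print(rejection_reason(first, t0 + TTL))     # the original has expired by now
    print(rejection_reason(second, t0 + TTL))    # the refreshed one is still good
```

Two properties of this design are worth noting. Because `issue_with_token` accepts any unexpired token, a client (or anyone who captured the token in transit) can chain refreshes indefinitely as long as each one lands inside the 15-minute window; this block deliberately does not cap the chain, so the only way to cut it off is `invalidate_user_tokens`, which is why an invalidation mechanism matters more once token-based refresh exists. And the refresh path never touches the password table, so a user whose password was changed still holds working tokens until the version is bumped.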