[Pulp-dev] Pulp 3: using JWT to request a JWT

Jeremy Audet jaudet at redhat.com
Wed Nov 29 19:57:44 UTC 2017


>
> Jeremy, I don't think I understand your comment.
>
> You *will* have to use basic auth to refresh the token when the original
> one expires.
>

Right. I understand that. I'm not arguing that we allow the user to
generate a valid JWT token using an expired, invalid JWT token. I'm arguing
that we allow the user to generate a valid JWT token using an unexpired,
valid JWT token. This allows use cases such as a client (web browser, CLI
tool, etc) being able to re-authenticate itself without re-prompting the
user for a username and password. This is especially relevant if the token
expiration time is set to a short value, such as 15 minutes.

> So there are limitations to a JWT, and for good reasons. A JWT is a weaker
> authenticator than a username+password because it expires. Because it is
> timestamped, it reduces the risk of compromising your account if someone
> sniffs the traffic.
>

If there are security concerns here, then that's important, and they should
be weighted heavily.

Note that there's an easy-to-use mechanism for invalidating a user's tokens.


> Refreshing the token with a JWT seems marginally useful to me.
>
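The policy argued for above (a JWT can be refreshed only while it is still valid and unexpired, an expired token sends the client back to basic auth, and a server-side mechanism can invalidate all of a user's tokens at once), as an added example that is not Pulp's code and not part of the original message. The token service, the per-user signing secret used for invalidation, the 15-minute TTL and the sample credentials are all assumptions made for the illustration; real deployments would use a maintained JWT library rather than the hand-rolled HS256 here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Short lifetime, as discussed in the thread: 15 minutes (assumed value).
TOKEN_TTL = 15 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenService:
    """Hypothetical issuer. Each user has their own HMAC secret, so rotating
    that secret invalidates every token the user currently holds."""

    def __init__(self, users: dict):
        # users: {username: password}; constructed sample credentials only.
        self._passwords = users
        self._secrets = {u: secrets.token_bytes(32) for u in users}

    def _sign(self, signing_input: bytes, user: str) -> str:
        return _b64url(hmac.new(self._secrets[user], signing_input, hashlib.sha256).digest())

    def _issue(self, user: str, now: float) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        claims = {"sub": user, "iat": int(now), "exp": int(now) + TOKEN_TTL}
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        signing_input = f"{header}.{payload}".encode()
        return f"{header}.{payload}.{self._sign(signing_input, user)}"

    def login(self, user: str, password: str, now: float = None) -> str:
        """Basic-auth path: username + password buys a fresh token."""
        now = time.time() if now is None else now
        expected = self._passwords.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        return self._issue(user, now)

    def verify(self, token: str, now: float = None) -> dict:
        """Return the claims if the token is well-formed, signed with the
        user's *current* secret, and not yet expired; raise otherwise."""
        now = time.time() if now is None else now
        try:
            header_b64, payload_b64, sig = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(payload_b64))
        except ValueError:  # covers bad split, bad base64 and bad JSON
            raise PermissionError("malformed token")
        # Pin the algorithm so a forged header cannot downgrade verification.
        if header.get("alg") != "HS256":
            raise PermissionError("unsupported alg")
        user = claims.get("sub")
        if user not in self._secrets:
            raise PermissionError("unknown subject")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        if not hmac.compare_digest(self._sign(signing_input, user), sig):
            raise PermissionError("bad signature")
        if now >= claims.get("exp", 0):
            raise PermissionError("token expired")
        return claims

    def refresh(self, token: str, now: float = None) -> str:
        """JWT-for-JWT: only a valid, unexpired token earns a new one.
        An expired token fails in verify(), which forces the client back
        to login() with basic auth."""
        now = time.time() if now is None else now
        claims = self.verify(token, now)
        return self._issue(claims["sub"], now)

    def invalidate(self, user: str) -> None:
        """Rotate the user's secret: every outstanding token now fails."""
        self._secrets[user] = secrets.token_bytes(32)


def demo() -> bool:
    """Walk through login -> refresh -> expiry -> invalidation with a fixed clock."""
    svc = TokenService({"alice": "correct horse"})  # constructed credentials
    t0 = 1_700_000_000
    first = svc.login("alice", "correct horse", now=t0)
    renewed = svc.refresh(first, now=t0 + 600)  # 10 minutes in: still valid
    try:
        svc.refresh(first, now=t0 + TOKEN_TTL)  # exactly at exp: refused
        return False
    except PermissionError:
        pass
    svc.invalidate("alice")
    try:
        svc.verify(renewed, now=t0 + 601)  # secret rotated: refused
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("ok" if demo() else "unexpected")
```

One property worth noticing when running this: each refresh hands out a token with a full new lifetime, so a token that is stolen and quietly refreshed before every expiry can be kept alive indefinitely. The per-user secret rotation in `invalidate()` is what bounds that exposure, and it is the kind of server-side kill switch the message above refers to.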