[Pulp-dev] Pulp 3: using JWT to request a JWT

David Davis daviddavis at redhat.com
Thu Nov 30 20:08:25 UTC 2017


Your proposal is basically what we have today (except it’s called
JWT_ALLOW_REFRESH in django-rest-framework-jwt rather than JWT_REFRESH).
You can configure settings for django-rest-framework-jwt from the
server.yaml file [0] so users can turn on/off JWT_ALLOW_REFRESH. It
defaults to False.

The only thing we need to add is a refresh token endpoint (see [0]) and
some docs.

[0] https://getblimp.github.io/django-rest-framework-jwt/#additional-settings
[1] https://getblimp.github.io/django-rest-framework-jwt/#refresh-token


David
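As an added illustration (not code from this thread, from Pulp, or from django-rest-framework-jwt), the following stand-alone Python model compares the exposure window of a leaked but still-valid token under the three policies discussed: refresh off, refresh bounded by JWT_REFRESH_EXPIRATION_DELTA, and refresh with that delta disabled. The 300-second token lifetime, the constructed 2017-11-30 epoch start value, and the simplified policy logic are assumptions.

```python
# Constructed model of the settings discussed above. The names mirror
# django-rest-framework-jwt's JWT_ALLOW_REFRESH / JWT_REFRESH_EXPIRATION_DELTA
# and the orig_iat claim, but the logic is a simplified re-implementation for
# illustration, not the library's code. Times are integer epoch seconds.
TOKEN_LIFETIME = 300  # assumed JWT_EXPIRATION_DELTA of five minutes
DAY = 86400
START = 1512000000  # 2017-11-30 00:00 UTC, a constructed reference time


def issue(now, orig_iat=None):
    """Mint a token; a refreshed token keeps the original issue time (orig_iat)."""
    return {"iat": now, "exp": now + TOKEN_LIFETIME,
            "orig_iat": now if orig_iat is None else orig_iat}


def can_refresh(token, now, allow_refresh, refresh_expiration_delta):
    """Return (allowed, reason). An expired token is never renewable, which is
    the behaviour the thread takes for granted; the delta bounds how long a
    chain of refreshes may run from the original issue time."""
    if not allow_refresh:
        return False, "JWT_ALLOW_REFRESH is False"
    if now >= token["exp"]:
        return False, "token already expired"
    if (refresh_expiration_delta is not None
            and now >= token["orig_iat"] + refresh_expiration_delta):
        return False, "JWT_REFRESH_EXPIRATION_DELTA window exhausted"
    return True, "ok"


def refresh(token, now, allow_refresh, refresh_expiration_delta):
    allowed, reason = can_refresh(token, now, allow_refresh, refresh_expiration_delta)
    if not allowed:
        raise PermissionError(reason)
    return issue(now, orig_iat=token["orig_iat"])


def access_span(allow_refresh, refresh_expiration_delta, horizon=30 * DAY):
    """Seconds for which a holder who re-presents the token one second before
    every expiry keeps a valid token, capped at `horizon`. If a valid token
    leaks, this is the exposure window: one lifetime, the refresh delta, or
    (delta disabled) the whole horizon."""
    token = issue(START)
    while token["exp"] - START < horizon:
        now = token["exp"] - 1
        try:
            token = refresh(token, now, allow_refresh, refresh_expiration_delta)
        except PermissionError:
            break
    return token["exp"] - START
```

access_span(True, None) runs out to the full 30-day horizon (the "long-maybe-forever" case), access_span(True, 7 * DAY) stops just past seven days, and access_span(False, None) ends after the single 300-second lifetime.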

On Thu, Nov 30, 2017 at 2:14 PM, Brian Bouterse <bbouters at redhat.com> wrote:

> I think @misa's point is that if a valid token becomes compromised, it
> could be renewed for a long-maybe-forever time.
>
> I'm reading a desire to have Pulp exhibit both of these types of
> behaviors, and both for good reasons. What if we introduce a setting
> JWT_REFRESH. If enabled, JWT_REFRESH will allow you to receive a new JWT
> when authenticating with an existing JWT. Defaults to False.
>
> I'm picking False as the default on the idea that not renewing tokens
> would be a more secure system by limiting access in more cases than when
> JWT_REFRESH is True. In the implementation, when JWT_REFRESH is set to True
> it would fully disable the JWT_REFRESH_EXPIRATION_DELTA setting so that it
> could be refreshed indefinitely. The user would never know about
> JWT_REFRESH_EXPIRATION_DELTA.
>
>
>
> On Thu, Nov 30, 2017 at 12:21 PM, Jeremy Audet <jaudet at redhat.com> wrote:
>
>> Good points.
>>
>> > Another scenario: someone tcpdumps my traffic (yes, somehow they have
>> the SSL cert, work with this assumption for now). They can come back 3
>> days from now, browse the tcpdump output, and renew the token. That
>> would not be possible with a short-lived token and no renewal past
>> expiration.
>>
>> Renewal with expired tokens isn't being proposed. This is a straw man
>> argument.
>>
>