[Pulp-dev] Pulp 3: using JWT to request a JWT

Jeremy Audet jaudet at redhat.com
Thu Nov 30 22:46:10 UTC 2017


>
> I think @misa's point is that if a valid token becomes compromised, it
> could be renewed for a long-maybe-forever time.
>
> I'm reading a desire to have Pulp exhibit both of these types of
> behaviors, and both for good reasons. What if we introduce a setting
> JWT_REFRESH. If enabled, JWT_REFRESH will allow you to receive a new JWT
> when authenticating with an existing JWT. Defaults to False.
>
> I'm picking False as the default on the idea that not renewing tokens
> would be a more secure system by limiting access in more cases than when
> JWT_REFRESH is True. In the implementation, when JWT_REFRESH is set to True
> it would fully disable the JWT_REFRESH_EXPIRATION_DELTA setting so that it
> could be refreshed indefinitely. The user would never know about
> JWT_REFRESH_EXPIRATION_DELTA.


Being secure-by-default, with the option to do useful-but-dangerous things,
is a great design approach.
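To make the trade-off in the thread concrete, here is an added Python sketch (not Pulp's code) of the core of a refresh endpoint: JWT_REFRESH=False refuses to renew, JWT_REFRESH=True with no horizon renews indefinitely as proposed, and a JWT_REFRESH_EXPIRATION_DELTA horizon measured from the original issue time (assumed semantics) forces the holder to re-authenticate. The HS256 encoding, secret, lifetimes and claim names are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Hypothetical settings mirroring the proposal; values are constructed.
SETTINGS = {
    "JWT_REFRESH": False,                  # proposed secure default
    "JWT_REFRESH_EXPIRATION_DELTA": None,  # None = indefinite refresh once JWT_REFRESH is True
    "JWT_EXPIRATION_DELTA": 300,           # per-token lifetime in seconds (assumed)
}
SECRET = b"constructed-demo-secret"  # constructed; never hard-code a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(claims: dict) -> str:
    """Sign claims as an HS256 JWT (compact serialization)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def decode(token: str, now: int) -> dict:
    """Verify algorithm, signature and expiry; return claims or raise."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, do not trust the header
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def issue(user: str, now: int, settings=SETTINGS) -> str:
    """Credential-based login: orig_iat records when this chain of tokens began."""
    exp = now + settings["JWT_EXPIRATION_DELTA"]
    return encode({"sub": user, "iat": now, "orig_iat": now, "exp": exp})

def refresh(token: str, now: int, settings=SETTINGS) -> str:
    """Authenticate with an existing JWT and receive a new one, per the settings."""
    claims = decode(token, now)  # a refresh still needs a currently valid token
    if not settings["JWT_REFRESH"]:
        raise PermissionError("JWT_REFRESH disabled: log in with credentials")
    horizon = settings["JWT_REFRESH_EXPIRATION_DELTA"]
    if horizon is not None and claims["orig_iat"] + horizon <= now:
        raise PermissionError("refresh horizon exceeded: log in with credentials")
    exp = now + settings["JWT_EXPIRATION_DELTA"]
    return encode({**claims, "iat": now, "exp": exp})  # orig_iat is carried forward
```

With the horizon set to None a stolen token can be kept alive for as long as it is refreshed before each expiry, which is exactly the concern raised in the quoted reply; a finite horizon caps that window at JWT_REFRESH_EXPIRATION_DELTA after the original login.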