[Pulp-dev] Pulp3 - JWT Authorization Header

Brian Bouterse bbouters at redhat.com
Mon Oct 30 14:55:19 UTC 2017

I think it would be ideal if we used 'Bearer: ' instead of 'JWT: '. If you
use our docs, you'll be able to submit your JWT correctly. If you say 'oh I
see Pulp uses JWT' and you follow the example in the official (I think?)
JWT site [0] you'll submit a JWT to Pulp using those docs it won't work.
This is also a problem in practice; I've heard of two separate occasions
where JWT was thought to be broken because it was submitted 'Bearer: '
which Pulp wants 'JWT: '.

The reasoning for the plugin to choose JWT over Bearer has to do with their
goals of being able to be used side-by-side a OAuth2 *and* allow your auth
types to be in any order. I don't think this affects Pulp because Pulp
isn't supporting OAuth2 anytime soon if ever, and even if we do, I don't
think that's a good reason to invent a new way to submit a JWT (which they

I'm +1 to filing a story against Pulp to configure our usage of the plugin
to have the JWT be submitted using 'Bearer: ' instead of 'JWT: '. Shall I
file this? What do you all think?

[0]: https://jwt.io/introduction/


On Fri, Oct 27, 2017 at 9:03 AM, David Davis <daviddavis at redhat.com> wrote:

> There was some discussion on the PR about this:
> https://github.com/pulp/pulp/pull/3109#discussion_r138202256
> Basically the package we’re using decided on JWT. See their reasoning here:
> https://github.com/GetBlimp/django-rest-framework-jwt/pull/4
> David
> On Fri, Oct 27, 2017 at 8:26 AM, Kersom Moura Oliveira <kersom at redhat.com>
> wrote:
>> Hi,
>> I noticed that JWT authorization header was adopted as the default one
>> for Pulp3. [0]
>> Also I read in a few places about Bearer authorization header,  as the
>> typical one used for JWT.[1]
>> Is there a specific reason to chose one over the other in Pulp3?
>> Regards,
>> [0] https://docs.pulpproject.org/en/3.0/nightly/integration_guid
>> e/rest_api/authentication.html#using-a-token
>> [1] https://jwt.io/introduction/
>> [2] https://tools.ietf.org/html/rfc6750
>> [3 ]https://tools.ietf.org/html/rfc7523
>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-dev
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20171030/4c752a6f/attachment.htm>

More information about the Pulp-dev mailing list