[Pulp-dev] Pulp3 - JWT Authorization Header

Brian Bouterse bbouters at redhat.com
Mon Oct 30 16:06:42 UTC 2017


Thanks @daviddavis. That seems very straightforward.

I wrote this issue up here [0]. Please someone ask questions, send
ideas/concerns, or click groom.

[0]: https://pulp.plan.io/issues/3107

On Mon, Oct 30, 2017 at 11:53 AM, David Davis <daviddavis at redhat.com> wrote:

> I dug into this and it looks like it’s as easy as
> setting JWT_AUTH_HEADER_PREFIX to “Bearer”[0]. So +1 from me.
>
> http://getblimp.github.io/django-rest-framework-jwt/#additional-settings
>
>
> David
>
> On Mon, Oct 30, 2017 at 10:59 AM, Dennis Kliban <dkliban at redhat.com>
> wrote:
>
>> On Mon, Oct 30, 2017 at 10:55 AM, Brian Bouterse <bbouters at redhat.com>
>> wrote:
>>
>>> I think it would be ideal if we used 'Bearer: ' instead of 'JWT: '. If
>>> you use our docs, you'll be able to submit your JWT correctly. If you say
>>> 'oh I see Pulp uses JWT' and you follow the example in the official (I
>>> think?) JWT site [0], you'll submit a JWT to Pulp using those docs and it
>>> won't work. This is also a problem in practice; I've heard of two separate
>>> occasions where JWT was thought to be broken because it was submitted
>>> as 'Bearer: ' when Pulp wants 'JWT: '.
>>>
>>> The reasoning for the plugin to choose JWT over Bearer has to do with
>>> their goals of being able to be used side-by-side with OAuth2 *and* allow your
>>> auth types to be in any order. I don't think this affects Pulp because Pulp
>>> isn't supporting OAuth2 anytime soon if ever, and even if we do, I don't
>>> think that's a good reason to invent a new way to submit a JWT (which they
>>> did).
>>>
>>> I'm +1 to filing a story against Pulp to configure our usage of the
>>> plugin to have the JWT be submitted using 'Bearer: ' instead of 'JWT: '.
>>> Shall I file this? What do you all think?
>>>
>>>
>> +1 to this as well.
>>
>>
>>
>>> [0]: https://jwt.io/introduction/
>>>
>>> -Brian
>>>
>>>
>>> On Fri, Oct 27, 2017 at 9:03 AM, David Davis <daviddavis at redhat.com>
>>> wrote:
>>>
>>>> There was some discussion on the PR about this:
>>>>
>>>> https://github.com/pulp/pulp/pull/3109#discussion_r138202256
>>>>
>>>> Basically the package we’re using decided on JWT. See their reasoning
>>>> here:
>>>>
>>>> https://github.com/GetBlimp/django-rest-framework-jwt/pull/4
>>>>
>>>>
>>>> David
>>>>
>>>> On Fri, Oct 27, 2017 at 8:26 AM, Kersom Moura Oliveira <
>>>> kersom at redhat.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I noticed that JWT authorization header was adopted as the default one
>>>>> for Pulp3. [0]
>>>>>
>>>>> Also I read in a few places about Bearer authorization header, as the
>>>>> typical one used for JWT. [1]
>>>>>
>>>>> Is there a specific reason to choose one over the other in Pulp3?
>>>>>
>>>>> Regards,
>>>>>
>>>>> [0] https://docs.pulpproject.org/en/3.0/nightly/integration_guide/rest_api/authentication.html#using-a-token
>>>>> [1] https://jwt.io/introduction/
>>>>> [2] https://tools.ietf.org/html/rfc6750
>>>>> [3] https://tools.ietf.org/html/rfc7523
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Pulp-dev mailing list
>>>>> Pulp-dev at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>
>>>>>
>>>>
>>>
>>
>
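
The prefix mismatch discussed in this thread, as an added example that is not part of the original messages and is not django-rest-framework-jwt's own code: a simplified model of scheme matching on the Authorization header, next to the `JWT_AUTH_HEADER_PREFIX` setting David mentions. The function name `extract_token`, the `InvalidHeader` exception and the sample token are assumptions made for illustration.

```python
# Simplified model of how an authenticator matches the scheme word of the
# Authorization header against a configured prefix. Illustration only.

# settings.py fragment: the setting named in the thread (plugin default: "JWT").
JWT_AUTH = {"JWT_AUTH_HEADER_PREFIX": "Bearer"}


class InvalidHeader(Exception):
    """The scheme matched but the credentials part is malformed."""


def extract_token(header_value, prefix):
    """Return the token when the header's scheme equals `prefix`.

    Returns None when the header is empty or uses another scheme; the
    request is then treated as carrying no credentials for this scheme,
    which clients experience as "JWT is broken".
    """
    parts = header_value.split()
    if not parts or parts[0].lower() != prefix.lower():
        return None
    if len(parts) != 2:
        raise InvalidHeader("expected '<prefix> <token>'")
    return parts[1]


# Constructed placeholder, not a real signed JWT.
SAMPLE_JWT = "aaaa.bbbb.cccc"


def demo():
    configured = JWT_AUTH["JWT_AUTH_HEADER_PREFIX"]
    return {
        # RFC 6750 style header against the plugin default prefix: ignored.
        "bearer_vs_default": extract_token("Bearer " + SAMPLE_JWT, "JWT"),
        # Same header once the prefix is configured as "Bearer": accepted.
        "bearer_vs_configured": extract_token("Bearer " + SAMPLE_JWT, configured),
        # Clients still sending the old scheme stop authenticating.
        "jwt_vs_configured": extract_token("JWT " + SAMPLE_JWT, configured),
        # A colon after the scheme word is a different scheme string.
        "colon_vs_configured": extract_token("Bearer: " + SAMPLE_JWT, configured),
    }


if __name__ == "__main__":
    for case, token in demo().items():
        print(case, "->", token)
```

After the prefix change, existing clients that send the `JWT` scheme are silently treated as unauthenticated, so the switch needs to be announced alongside the documentation update.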