On Fri, Sep 11, 2015 at 5:50 PM, Klaus Trainer <[email protected]> wrote:
>
> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>> Seems like there are not many options.
>>
>> I disagree that it's very poor. The only flaws it has are the lack of
>> RSA support (our implementation) and open security issues (as auth
>> protocol). But is there any good alternative?
>
> A good alternative would be to support JSON Web Token (JWT) [1].
> Somebody has already done some work for CouchDB 1.6 in this regard [2].
> They managed to outsource authentication to Auth0, while validating JWTs
> issued by Auth0, and creating respective CouchDB sessions with username
> and roles assigned from the JWT [3, 4].
>
> In addition to what's been done in [2], I'd like CouchDB to be able to
> issue JWTs as well, which then could also be used by other applications
> for authentication and authorization.
>
> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
> conceptually much simpler. It is easy to set up on servers, and easy
> to use for clients (e.g. in the browsers).
>
> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
> allocate time for that.
>
> What do you think about supporting JWT?
JWT is all good except one thing: it's not an alternative to OAuth (: And it's hard to say that it's simpler, especially in the case of supporting all the algorithms on the browser side. WebCrypto is not a common thing yet. But I'm +1 for JWT support anyway. It has its own good use cases.

P.S. Basically, CouchDB cookies are JWTs, except that the payload isn't JSON, but a binary Erlang term.

--
,,,^..^,,,
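The flow Klaus describes above (validate a JWT issued by an external identity provider, then build a CouchDB session with the username and roles carried in the token) is shown below as an added example. This is not code from the thread, from CouchDB, or from the Auth0 work referenced in [2]; it is a minimal HS256 issuer and verifier in Python, using only the standard library. The shared secret, the claim names (`sub`, `roles`, `exp`) and the session shape are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; a real deployment reads this from configuration.
SECRET = b"example-shared-secret"

# The verifier decides which algorithms it accepts; the token's "alg" header
# is only checked against this set, never used to pick a verification routine.
ALLOWED_ALGS = {"HS256"}


class InvalidToken(Exception):
    """Raised for any token that fails structural, signature or time checks."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact-serialised HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims of a token whose signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("malformed header or signature") from exc

    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken("unsupported or missing alg")

    # Recompute the MAC over the exact bytes received and compare in constant time.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")

    # Only after the signature is good do we trust the payload enough to parse it.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")

    current = time.time() if now is None else now
    if "exp" in claims and current >= float(claims["exp"]):
        raise InvalidToken("token expired")
    return claims


def session_from_claims(claims: dict) -> dict:
    """Map verified claims onto the username/roles pair a session needs."""
    name = claims.get("sub")
    roles = claims.get("roles", [])
    if not isinstance(name, str) or not name:
        raise InvalidToken("missing subject")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise InvalidToken("roles must be a list of strings")
    return {"name": name, "roles": roles}


if __name__ == "__main__":
    token = issue_jwt({"sub": "alice", "roles": ["reader"], "exp": time.time() + 600})
    print(session_from_claims(verify_jwt(token)))
```

The order of checks matters: the algorithm is pinned by the verifier, the signature is checked before the payload is parsed, and the expiry is checked against a clock the caller can inject, which is what makes the time-based branch testable.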
