Hi Gregory,
If I'm not mistaken (I'll not do it) the idea is indeed to use tokens for one-time authentication, but to then use OFBiz's current work flow for the
rest (i.e. handling sessions).
Quoting below: "Behind the scenes, we will be using the current work flow as is"
This is also what we did with the project I spoke about.
Thanks for the article!
Jacques
On 22/07/2016 at 15:53, gregory draperi wrote:
Hi guys,
JSON web tokens are suitable for one-time authentication between parties,
but they have important drawbacks if they are used as a session mechanism
(how to store them, not possible to invalidate one...).
There is a nice article on this:
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
Best wishes,
Gregory
2016-07-13 13:19 GMT+02:00 Rishi Solanki <[email protected]>:
Rahul,
Thanks for the detailed proposal, I went through all the details. No changes in
the current auth system, and achieving token-based authentication looks like a
good idea to me.
Agree on all the details provided and will try to participate in
reviewing the design/implementation.
+1.
Rishi Solanki
Manager, Enterprise Software Development
HotWax Systems Pvt. Ltd.
Direct: +91-9893287847
http://www.hotwaxsystems.com
On Mon, Jun 20, 2016 at 2:24 AM, Jacques Le Roux <
[email protected]> wrote:
We (I was then working with ilscipio) did something like that for a
client, and I agree it's the way to go.
I mean that I agree with "We are not going to implement the Token Based
Authentication process at low level. Behind the scenes, we will be using
the current work flow as is"
Disclaimer: I did not look into all details. Also we planned to use
OpenID,
but eventually the Token Based Authentication we used was specific and
proprietary to the client (this reminded me of
http://markmail.org/message/7vtjvjomneimspvl)
Jacques
On 18/06/2016 at 15:01, Rahul Bhooteshwar wrote:
Hello All,
Recently I felt the need for a Token Based Authentication process in Apache
OFBiz while using OFBiz's business process offerings with standalone
clients like mobile apps, AngularJS based apps running outside Apache
OFBiz etc.
What we currently have in OFBiz is a session based authentication
process which is *stateful*. But while dealing with independently
running remote clients, stateful authentication is not going to work as we will
not be using a *server-browser session* anymore in those cases.
Following are the initial draft & supporting documents to proceed
further:
- Token Based Authentication in Apache OFBiz
<https://docs.google.com/document/d/1xbpjNWGZp8B_79YJmPxmSJqkx7Qo_EI7u_PE0WNt3B4/edit#heading=h.g14rrmsoijiv>
- Token Based Authentication
<https://docs.google.com/document/d/15QBV87vMD42QppCaHpxgcefcg_ac7HFeSQQnF_S50nk/edit#heading=h.mdriqalojfy4>
- JSON Web Tokens
<https://docs.google.com/document/d/1wLfv8h_Kkd4iHBxW4Gkx987Q7KBocWAGvss2p4N4fIM/edit>
- IETF's (Internet Engineering Task Force) Documentation for JSON Web Tokens
<https://drive.google.com/file/d/0BzXOhs4-o0n9cHVGckgwUndsUGc/view?pref=2&pli=1>
I would like to propose a requirement to implement this in OFBiz, and
invite
you all to provide valuable inputs to conclude the requirements and
implementation plans.
Thanks and Regards
*Rahul Bhooteshwar*
Enterprise Software Engineer
HotWax Systems <http://www.hotwaxsystems.com/> - *Global leader in
innovative enterprise commerce solutions powered by Apache OFBiz.*