potiuk commented on PR #321:
URL: 
https://github.com/apache/incubator-ponymail-foal/pull/321#issuecomment-4896064680

   > The tooling team is considering contributing the PAT and JWT bearer token 
code to `infratructure-asfquart`. I could see that as a helper function for 
token exchange on services. That way this type of useful api support can be 
commonly used. If it were contributed here then we have several risks.
   
   Understood - but also after discussion with @sebbASF inin 
https://github.com/apache/comdev/pull/23#issuecomment-4895033171 I realized 
that indeed - without the long term Oauth refresh token (which currenty Oauth 
provider does not have) - it would be impossible to refresh permissions of the 
user in case it changed during the long-term token time of live. The current 
solution properly works just in case the tokens are invalidated via API - and 
relying in Infa to make the call would be far too brittle. I also reviewed in 
detail the ASF Quart implementation and see that it uses directly LDAP access 
for authentication for that very reason.
   
   So .. While interesting idea, I am closing that one. Without "easy" way of 
implementing refreshing permissions, there are indeed some risks involved, that 
we should not neglect - and since it is only "convenience" for anyone who uses 
PonyMail (the current cookie-based access is good enough), it's not worth to 
have it.
   
   But it was great learning for me to understand how PonyMail and ASF Quart 
work internally - digging through the code and learning how things work might 
give you a contributor in the future, if I find other things worthy 
contributuion in either of them.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to