Hi Brian, I'm thinking if it's possible to use JWT instead of a cookie.

I'm not sure that a cookie is mandatory in API calls because an API can be called by a backend application or another API.

François Papon
[email protected]

On 08/03/2019 at 18:40, Brian Demers wrote:
> Using a JWT as an auth token (bearer or otherwise) should be dependent on a
> realm's implementation IMHO.
>
> Using a JWT as a session id direction is a different topic. In this case I
> don't think it would provide any benefit (but I could be wrong or missing
> something here).
> The session id would be larger (more bits in the request/response
> payloads), and on the server side you would still incur a session lookup
> from storage.
> Again, I might be misunderstanding your use-case. Let me know.
>
>
> On Fri, Mar 8, 2019 at 1:23 AM Francois Papon <[email protected]> wrote:
>
>> Yes, I agree about using the JWT for a remember-me storage, especially
>> for APIs in a distributed / cloud environment.
>>
>> For the session id, how can we match the JWT sent by the consumer with
>> the session id?
>>
>> François Papon
>> [email protected]
>>
>> On 07/03/2019 at 21:44, Brian Demers wrote:
>>> I would agree on the bearer token use cases, though that would likely be
>>> dependent on a given realm (where to validate the bearer token).
>>>
>>> I'm not sure using a JWT as the session id would add much value. We would
>>> still need to look up an existing session, so the session key would just be
>>> bigger?
>>>
>>> I have been thinking about how we could use JWTs for a remember-me storage,
>>> which might be in line with what we are doing now. (Just not sure if there
>>> is a demand for it?)
>>>
>>> On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]> wrote:
>>>
>>>> I think that the session cache manager is a very nice feature in Shiro
>>>> and I was thinking about using the compact representation of JWT as the
>>>> session id in the cache manager.
>>>>
>>>> This could be very useful because we just have to decrypt the JWT on
>>>> login and store the user profile in the cache manager.
>>>>
>>>> So after that, the calls will only be checked in the cache without needing to
>>>> decrypt the JWT. The session validation could also be managed by the
>>>> session scheduler.
>>>>
>>>> I think it makes sense for API calls, for API gateway security policies
>>>> for example.
>>>>
>>>> regards,
>>>>
>>>> François Papon
>>>> [email protected]
>>>>
>>>> On 07/03/2019 at 00:15, Brian Demers wrote:
>>>>> What use cases are you thinking about targeting?
>>>>>
>>>>>
>>>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I would like to start a thread about JWT.
>>>>>>
>>>>>> We already have a shiro-jaxrs module and I think it would be nice for
>>>>>> Shiro to be able to use JWT.
>>>>>>
>>>>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
>>>>>> MicroProfile...) and for me it makes sense to have an implementation of
>>>>>> JWT in Shiro.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> --
>>>>>> François Papon
>>>>>> [email protected]
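The two designs the thread weighs against each other, as an added example that is not part of this thread and not Apache Shiro code: a realm-style bearer check that verifies the JWT on every request, and a session-cache style store that verifies once at login and then looks the principal up by key. Python is used here as a language-neutral sketch rather than Shiro's Java API; all names (`verify_jwt`, `SessionCache`, `demo`), the signing key and the claims are constructed for the example. It makes Brian's point concrete (a lookup happens either way, and the compact JWT is a much larger key than an opaque id), and shows François's "session scheduler" validation as an expiry sweep.

```python
"""Added example, not Shiro code: HS256 JWT verification beside a session cache
keyed either by the compact JWT itself or by an opaque fixed-size id."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment reads it from configuration or a key store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWS (helper so the example runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now=None) -> dict:
    """The check a bearer-token realm would run on every request:
    pin the algorithm, verify the MAC in constant time, then enforce exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


class SessionCache:
    """Session-manager style store: verify once at login, then look up by key."""

    def __init__(self):
        self._entries = {}  # session id -> (principal, exp)
        self.lookups = 0

    def login(self, token: str, key_from_token: bool, now) -> str:
        claims = verify_jwt(token, now=now)
        # Option A (thread proposal): the compact JWT itself is the session id.
        # Option B: an opaque, fixed-size id derived from it.
        session_id = token if key_from_token else hashlib.sha256(token.encode()).hexdigest()
        self._entries[session_id] = ({"sub": claims["sub"]}, claims["exp"])
        return session_id

    def lookup(self, session_id: str, now):
        """Per-request path: a storage lookup happens in both options."""
        self.lookups += 1
        entry = self._entries.get(session_id)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def sweep(self, now) -> int:
        """What a session validation scheduler would do: drop expired entries."""
        expired = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in expired:
            del self._entries[k]
        return len(expired)


def demo(now: int = 1_552_000_000) -> dict:
    """Constructed walk-through: one login per option, a hit, an expiry, a sweep."""
    token = make_jwt({"sub": "alice", "exp": now + 600})
    cache = SessionCache()
    sid_jwt = cache.login(token, key_from_token=True, now=now)
    sid_opaque = cache.login(token, key_from_token=False, now=now)
    return {
        "jwt_key_len": len(sid_jwt),
        "opaque_key_len": len(sid_opaque),
        "cached_sub": cache.lookup(sid_jwt, now)["sub"],
        "after_exp": cache.lookup(sid_jwt, now + 601),
        "swept": cache.sweep(now + 601),
        "lookups": cache.lookups,
    }


if __name__ == "__main__":
    print(demo())
```

Whichever key is used, `lookup` still runs once per request, which is the cost Brian describes; the only thing Option A changes is the key size, so the cached principal and the expiry sweep give the same guarantee with the 64-character opaque id. The bearer path (`verify_jwt`) is what a realm would own, and it rejects tokens whose header names a different algorithm or whose signature does not match before it ever reads the claims.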