Yes, that's it :)

François Papon
[email protected]

On 10/03/2019 at 10:49, Brian Demers wrote:
> The JWT as a Bearer token? Used with an Authorization header?
>
> -Brian
>
>> On Mar 10, 2019, at 12:00 AM, Francois Papon <[email protected]> wrote:
>>
>> Hi Brian,
>>
>> I'm thinking if it's possible to use JWT instead of cookie.
>>
>> I'm not sure that cookie is mandatory in api calls because an api can be
>> called by a backend application or another api.
>>
>> François Papon
>> [email protected]
>>
>>> On 08/03/2019 at 18:40, Brian Demers wrote:
>>> Using a JWT as an auth token (bearer or otherwise) should be dependent on a
>>> realm's implementation IMHO.
>>>
>>> Using a JWT as a session id direction is a different topic. In this case I
>>> don't think it would provide any benefit (but I could be wrong or missing
>>> something here).
>>> The session id would be larger (more bits in the request/response
>>> payloads), and on the server side you would still incur a session lookup
>>> from storage.
>>> Again, I might be misunderstanding your use-case. Let me know.
>>>
>>>
>>> On Fri, Mar 8, 2019 at 1:23 AM Francois Papon <[email protected]> wrote:
>>>
>>>> Yes, I agree about using the JWT for a remember me storage, especially
>>>> for APIs in a distributed / cloud environment.
>>>>
>>>> For the session id, how can we match the JWT sent by the consumer with
>>>> the session id?
>>>>
>>>> François Papon
>>>> [email protected]
>>>>
>>>>> On 07/03/2019 at 21:44, Brian Demers wrote:
>>>>> I would agree on the bearer token use cases, though that would likely be
>>>>> dependent on a given realm (where to validate the bearer token)
>>>>>
>>>>> I'm not sure using a JWT as the session id would add much value. We would
>>>>> still need to look up an existing session, so the session key would just be
>>>>> bigger?
>>>>>
>>>>> I have been thinking about how we could use JWTs for a remember me storage,
>>>>> which might be in line with what we are doing now. (just not sure if there
>>>>> is a demand for it?)
>>>>>
>>>>> On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]> wrote:
>>>>>
>>>>>> I think that the session cache manager is a very nice feature in Shiro
>>>>>> and I was thinking about using the compact representation of JWT as the
>>>>>> session id in the cache manager.
>>>>>>
>>>>>> This could be very useful because we just have to decrypt the JWT on
>>>>>> login and store the user profile in the cache manager.
>>>>>>
>>>>>> So after that, the calls will only be checked in the cache without needing to
>>>>>> decrypt the JWT. The session validation could also be managed by the
>>>>>> session scheduler.
>>>>>>
>>>>>> I think it makes sense for api calls for api gateway security policies
>>>>>> for example.
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> François Papon
>>>>>> [email protected]
>>>>>>
>>>>>>> On 07/03/2019 at 00:15, Brian Demers wrote:
>>>>>>> What use cases are you thinking about targeting?
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>>
>>>>>>>> I would like to start a thread about JWT.
>>>>>>>>
>>>>>>>> We already have a shiro-jaxrs module and I think it would be nice for
>>>>>>>> Shiro to be able to use JWT.
>>>>>>>>
>>>>>>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
>>>>>>>> microprofile...) and for me it makes sense to have an implementation of
>>>>>>>> JWT in Shiro.
>>>>>>>>
>>>>>>>> Thoughts?
>>>>>>>>
>>>>>>>> regards,
>>>>>>>>
>>>>>>>> --
>>>>>>>> François Papon
>>>>>>>> [email protected]
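
The two options discussed in this thread, as an added sketch that is not from the thread or from Shiro: `verify` is the stateless bearer-token check, and `SessionCache` is the JWT-as-session-id idea (verify once at login, then look the token up). It is plain Python rather than Shiro API; HS256 signing, the key, the claims and every name are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(head, body):
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims):
    """Build a compact HS256 JWT (used to construct sample input)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u(mac(head, body))}"

def verify(token, now):
    """Bearer-style check: signature and expiry only, no server-side state."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        given = b64u_dec(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    if not hmac.compare_digest(mac(head, body), given):
        raise ValueError("bad signature")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims

class SessionCache:
    """JWT as session id: verify once at login, then only look the token up."""
    def __init__(self):
        self.store = {}

    def login(self, token, now):
        self.store[token] = verify(token, now)

    def lookup(self, token, now):
        claims = self.store.get(token)  # still one storage lookup per call
        if claims is None or claims["exp"] <= now:
            self.store.pop(token, None)  # evict, as a session validator would
            raise KeyError("no live session")
        return claims
```

On the cache path a validly signed token is rejected until `login` has stored it, and every later request costs a store hit keyed by a string of well over 100 characters; `verify` alone needs only the key.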
