[
https://issues.apache.org/jira/browse/USERGRID-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410110#comment-15410110
]
Michael Russo commented on USERGRID-1294:
-----------------------------------------
We can look to add a /tokenvalidate endpoint which will return 200 OK if the
token is valid and validate it against the supplied parameters, one or a
combination of username, UUID, and email. Any mismatch would return an error status.
No plans for generating JWT tokens.
> Lightweight token validation for users and admins
> -------------------------------------------------
>
> Key: USERGRID-1294
> URL: https://issues.apache.org/jira/browse/USERGRID-1294
> Project: Usergrid
> Issue Type: Story
> Reporter: Marsh Gardiner
> Labels: groomed
>
> For both app and admin users, an endpoint should exist that allows a bearer
> token to be validated. It should include email address, username, and UUID of
> the user so that identity can be validated as well as the token. For extra
> credit, if the username/uuid/email were passed in as part of the validation
> claim, then Usergrid would check the user's record and only return a 200 if
> the supplied info matched (ignoring case).
> While it is possible to call `…/management/token` and `…/management/me`, both
> return a complex user object and are not appropriate for token validation
> given that they generate a new token every time, effectively decreasing the
> entropy with each validation call. (Also, this suggests that this GET request
> is non-idempotent as it changes the system state, even if that change is
> subtle.)
> Alternatively, if Usergrid tokens were self-signed in a way that could be
> independently validated (such as a JWT), that would provide some
> architectural benefits when using Usergrid as an identity service beyond pure
> BaaS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)