[
https://issues.apache.org/jira/browse/USERGRID-1294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Russo updated USERGRID-1294:
------------------------------------
Labels: groomed (was: )
> Lightweight token validation for users and admins
> -------------------------------------------------
>
> Key: USERGRID-1294
> URL: https://issues.apache.org/jira/browse/USERGRID-1294
> Project: Usergrid
> Issue Type: Story
> Reporter: Marsh Gardiner
> Labels: groomed
>
> For both app and admin users, an endpoint should exist that allows a bearer
> token to be validated. It should include email address, username, and UUID of
> the user so that identity can be validated as well as the token. For extra
> credit, if the username/uuid/email were passed in as part of the validation
> claim, then Usergrid would check the user's record and only return a 200 if
> the supplied info matched (ignoring case).
>
> While it is possible to call `…/management/token` and `…/management/me`, both
> return a complex user object and are not appropriate for token validation
> given that they generate a new token every time, effectively decreasing the
> entropy with each validation call. (Also, this suggests that this GET request
> is non-idempotent as it changes the system state, even if that change is
> subtle.)
>
> Alternatively, if Usergrid tokens were self-signed in a way that could be
> independently validated (such as a JWT), that would provide some
> architectural benefits when using Usergrid as an identity service beyond pure
> BaaS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
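Added illustration of the two designs the story above asks for; this is not Usergrid code and not the reporter's. It shows a read-only validation check for a store-backed opaque token (lookup, expiry, optional case-insensitive identity claims, no new token minted) beside the self-validating alternative, an HS256 JWT carrying the same identity fields that can be verified with only the signing key. The token store, the user record, the key, the field names, the 403 response for a claim mismatch, and every function name are assumptions made for the example.

```python
"""Illustrative bearer-token validation (added example, not Usergrid code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data, not real Usergrid records. The store keys on a
# SHA-256 digest of the opaque token so a leaked store does not leak tokens.
USER_RECORD = {
    "uuid": "8c1f0f6e-3d5a-4e9b-9c4b-2f1a7d6e5b3c",
    "username": "Alice",
    "email": "Alice@Example.com",
}
OPAQUE_TOKEN = "YWMtc2FtcGxlLW9wYXF1ZS10b2tlbg"   # constructed token value
TOKEN_EXPIRY = 1_700_086_400                     # constructed epoch seconds
TOKEN_STORE = {
    hashlib.sha256(OPAQUE_TOKEN.encode()).hexdigest(): {"user": USER_RECORD, "exp": TOKEN_EXPIRY}
}
IDENTITY_FIELDS = ("uuid", "username", "email")


def claims_match(identity, supplied):
    """Compare caller-supplied identity claims to the stored record, ignoring case."""
    for field, value in supplied.items():
        if field not in IDENTITY_FIELDS:
            return False                     # unknown claim: refuse rather than ignore
        if str(value).casefold() != identity[field].casefold():
            return False
    return True


def _respond(identity, supplied):
    # Assumption: a valid token whose supplied claims do not match gets 403.
    if supplied and not claims_match(identity, supplied):
        return 403, {"error": "identity_mismatch"}
    return 200, identity


def validate_opaque(token, supplied=None, now=None):
    """Validate a store-backed token. Read-only: never issues a replacement token."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry["exp"] <= now:
        return 401, {"error": "invalid_token"}
    identity = {f: entry["user"][f] for f in IDENTITY_FIELDS}
    return _respond(identity, supplied)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(identity, key, exp):
    """Mint an HS256 JWT carrying the identity fields plus an expiry."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps(dict(identity, exp=exp), **compact).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def jwt_verify(token, key, now):
    """Return the claims if alg, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                       # covers bad base64, bad JSON, bad UTF-8
        return None
    if header.get("alg") != "HS256":         # pin the algorithm: no "none", no confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def validate_jwt(token, key, supplied=None, now=None):
    """Same contract as validate_opaque, but needs only the key, not the store."""
    now = time.time() if now is None else now
    claims = jwt_verify(token, key, now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    identity = {f: claims.get(f, "") for f in IDENTITY_FIELDS}
    return _respond(identity, supplied)
```

Both entry points return an HTTP-style status and body and never mutate state, so repeated GETs are idempotent, which is the property the story says `…/management/token` lacks. The JWT path rejects any header whose `alg` is not the one the verifier expects before touching the signature; with a real library the same pinning is done by passing an explicit allowed-algorithms list.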