Raggugga opened a new issue #3836: URL: https://github.com/apache/couchdb/issues/3836
## Summary Right now it seems that even if I'm sending a valid JWT along with a POST /_session request, CouchDB still requires a user name in the body in order to issue a session cookie. But in this case it could very well create a session cookie and hand it back to the client. ## Desired Behaviour By supporting JWT authentication on a POST /_session request, the JWT could be sent only once by the client and then a session cookie used subsequently for data exchange. ## Additional context There seems to be a growing number of people being concerned about JWTs being used as session tokens by sending them repeatedly, while they're really only intended to be used as login credentials. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
