[ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16410149#comment-16410149 ]

Jacques Le Roux commented on OFBIZ-9833:
----------------------------------------

I understand what I did in this issue (back and forth) needs some clarification.

Actually I think now that I should have created another issue, though what I 
did is closely related. What Deepak proposes with 
[^OFBIZ-9833-JWTManager.patch] is a general way of handling JWT Token for 
authentication and more. It seems it's so far only related to replacing the 
current way of authenticating, with ExternalLoginKey or Tomcat SSO, on the same 
domain. But AFAIK not to automatically jump signed in to another domain, 
without passing by a third party, like the passport component does for 
instance (and standards like SAML or OAuth2).

In my 1st comment here I wrote:
{quote}I have done something for a custom project and will try to generalise it 
to include it in OFBiz. The goal is only to allow access to an external server 
also running an OFBiz instance. This can be useful for cases when you want to 
access special features, like heavy reports, etc.
 So it's simple, but the bright side is also that it's simple. It's included 
in OFBiz with very few changes and is totally secure. Anyway I'll provide a 
patch for review.
{quote}
What I failed to say then is that it's about different domains, and that's the 
crucial point. So I will create another issue soon, because it's related (use 
of JWT Token for authentication) but different.

So, what I did is a use of JWT Token authentication to get from one domain, 
where you are signed in, to another domain where you get signed in 
automatically. Something like ExternalLoginKey or Tomcat SSO, but not on the 
same domain.

I did it wrongly initially and I explained it above. I now have a working 
solution, which is much simpler than the one I wrote initially. I was 
confronted with a few unexpected issues while doing it. "In my quest", I found 
that sending a JWT token to authenticate on another domain is not as 
easy as I thought.

The piece which was totally wrong in my work was using a wrapper inside 
ContextFilter and I have explained it above. I have now completely removed this 
most problematic part with r1827441. The rest of what I committed and modified 
since, I need and will use with another patch in another Jira. So I'll not 
revert that part. I'll though maybe slightly modify it again to share as many 
things as possible with Deepak's work. For instance his createJwt is more general 
than mine, but I still have to compare and check.

I hope this clarifies and summarizes the situation here. I have removed all that I 
attached, to clarify this Jira.

> Token Based Authentication
> --------------------------
>
>                 Key: OFBIZ-9833
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9833
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>         Attachments: JSON Web Tokens.pdf, OFBIZ-9833-JWTManager.patch, Token 
> Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, 
> rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
> http://markmail.org/message/vyskeh2wujqpkbwg



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
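The cross-domain handoff described in the comment above (sign in on domain A, get signed in automatically on domain B with a JWT), as an added stand-alone example that is not OFBiz code, Deepak's JWTManager patch, or Jacques' committed work. It assumes both instances share an HMAC secret exchanged out of band (a constructed placeholder here), uses only the Python standard library, and shows the checks the receiving domain should insist on: pinned algorithm, constant-time signature check, issuer, audience bound to the receiving domain, short expiry, and a single-use `jti` so an intercepted token cannot be replayed.

```python
"""Cross-domain JWT handoff between two OFBiz-like instances (example, not project code).

Domain A (user already signed in) mints a short-lived HS256 JWT addressed to
domain B. Domain B verifies every claim that binds the token to this handoff
before signing the user in. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: both domains hold this secret (exchanged out of band).
# The value is a constructed placeholder for the example.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_handoff_token(user_login_id, issuer, audience, secret=SHARED_SECRET,
                       ttl_seconds=60, now=None):
    """Domain A side: mint a short-lived, single-use HS256 JWT addressed to domain B."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,                 # domain that minted the token
        "aud": audience,               # the only domain allowed to accept it
        "sub": user_login_id,          # hypothetical userLoginId to sign in as
        "iat": now,
        "exp": now + ttl_seconds,      # a handoff lives seconds, not hours
        "jti": secrets.token_hex(16),  # unique id so B can refuse replays
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class HandoffVerifier:
    """Domain B side: accept a token only if every binding claim checks out."""

    def __init__(self, expected_issuer, my_domain, secret=SHARED_SECRET, leeway=5):
        self.expected_issuer = expected_issuer
        self.my_domain = my_domain
        self.secret = secret
        self.leeway = leeway
        self._used_jti = {}  # jti -> exp of tokens already redeemed

    def verify(self, token, now=None):
        """Return the claims if the token is acceptable, otherwise raise ValueError."""
        now = int(time.time()) if now is None else now
        try:
            h64, c64, s64 = token.split(".")
            header = json.loads(_b64url_decode(h64))
            claims = json.loads(_b64url_decode(c64))
            sig = _b64url_decode(s64)
        except ValueError:  # covers unpacking, base64 and JSON errors
            raise ValueError("malformed token")
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("malformed token")
        # Pin the algorithm: the token never gets to choose (rejects alg=none).
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{h64}.{c64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")
        if claims.get("iss") != self.expected_issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.my_domain not in aud:
            raise ValueError("token not addressed to this domain")
        exp = claims.get("exp")
        if not isinstance(exp, int) or now > exp + self.leeway:
            raise ValueError("expired")
        if claims.get("iat", 0) > now + self.leeway:
            raise ValueError("issued in the future")
        jti = claims.get("jti")
        if not jti:
            raise ValueError("missing jti")
        self._purge(now)
        if jti in self._used_jti:
            raise ValueError("replayed token")
        self._used_jti[jti] = exp
        return claims

    def _purge(self, now):
        """Forget jtis whose tokens could no longer verify anyway."""
        for jti, exp in list(self._used_jti.items()):
            if now > exp + self.leeway:
                del self._used_jti[jti]


if __name__ == "__main__":
    tok = mint_handoff_token("admin", "https://erp.example.com", "https://reports.example.com")
    verifier = HandoffVerifier("https://erp.example.com", "https://reports.example.com")
    print("signed in as", verifier.verify(tok)["sub"])
```

In a servlet the token would travel once in a query parameter or POST body of the redirect to domain B, and B would create its own session from the returned `sub` rather than trusting the token again; the replay cache only needs to hold jtis for the token lifetime, which is why it is purged by `exp`.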
