[ 
https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16649467#comment-16649467
 ] 

Jacques Le Roux commented on OFBIZ-9833:
----------------------------------------

While reviewing things for OFBIZ-10307, I stumbled upon the "replay attacks" 
point in [https://stormpath.com/blog/jwt-the-right-way]. It says:
{quote}If you worried about replay attacks, include a nonce *(jti claim)*, 
expiration time (exp claim), and creation time (iat claim) in the claims. These 
are well defined in the JWT Spec.
{quote}
We already have the exp and iat claims. We could add a jti claim using something 
similar to what is in ExternalLoginKeysManager::getExternalLoginKey. That would 
work as long as the same machine/session is used. But for a feature like 
OFBIZ-10307 (different sessions on different servers on different domains) we 
can't put the externalKey in the externalLoginKeys. We can't even store it in 
the source DB, since the target DB may be different. So it's impossible to 
validate the JWT on the target machine, the jti being unique.

What we thought we could do is to use a non-fixed jti claim (as types for 
JWTManager::validateToken) for (most) cases which, unlike for OFBIZ-10307, are 
handled with the same session on the same machine. Also, maybe a solution for 
OFBIZ-10307 would be to have access to the DB on the target machine from 
the source machine. Here is an interesting discussion on this subject: 
[https://stackoverflow.com/questions/28907831/how-to-use-jti-claim-in-a-jwt]

> Token Based Authentication
> --------------------------
>
>                 Key: OFBIZ-9833
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9833
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>         Attachments: JSON Web Tokens.pdf, OFBIZ-9833-JWTManager.patch, Token 
> Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, 
> rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
> http://markmail.org/message/vyskeh2wujqpkbwg
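The same-machine jti check discussed in the comment above, written out as an added example (not OFBiz or JWTManager code): the signing key, the HS256 token format and the in-process nonce store are constructed assumptions, and the store is deliberately local to one process, which is exactly why it cannot cover the cross-server OFBIZ-10307 case.

```python
import base64, hashlib, hmac, json, time, uuid
SECRET = b"constructed-demo-key"  # constructed sample key, not an OFBiz value

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject, ttl_seconds, now=None):
    """Build an HS256 JWT carrying iat, exp and a random jti nonce."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds,
              "jti": uuid.uuid4().hex}
    body = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

class ReplayAwareValidator:
    """Checks signature, iat/exp window and jti uniqueness; state is per process."""
    def __init__(self):
        self._seen = {}  # jti -> exp, so stale nonces can be dropped later

    def validate(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            h, c, s = token.split(".")
            expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(s)):
                return None  # forged or tampered token
            header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(c))
        except ValueError:
            return None  # wrong segment count, bad base64 or bad JSON
        if header.get("alg") != "HS256" or not all(k in claims for k in ("iat", "exp", "jti")):
            return None
        if claims["iat"] > now or claims["exp"] <= now:
            return None  # not yet valid, or already expired
        # Forget nonces of expired tokens: the exp check already rejects those
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if claims["jti"] in self._seen:
            return None  # replay: this nonce was already accepted once
        self._seen[claims["jti"]] = claims["exp"]
        return claims
```

A token is accepted once and refused on every later presentation until it expires, at which point its jti is dropped from the store because exp alone rejects it.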



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
