I think it would be ideal if we used 'Bearer: ' instead of 'JWT: '. If you use our docs, you'll be able to submit your JWT correctly. If you say 'oh I see Pulp uses JWT' and you follow the example on the official (I think?) JWT site [0], you'll submit a JWT to Pulp using those docs and it won't work. This is also a problem in practice; I've heard of two separate occasions where JWT was thought to be broken because it was submitted with 'Bearer: ' while Pulp wants 'JWT: '.

The reasoning for the plugin to choose JWT over Bearer has to do with their goals of being able to be used side-by-side with OAuth2 *and* allow your auth types to be in any order. I don't think this affects Pulp because Pulp isn't supporting OAuth2 anytime soon if ever, and even if we do, I don't think that's a good reason to invent a new way to submit a JWT (which they did).

I'm +1 to filing a story against Pulp to configure our usage of the plugin to have the JWT be submitted using 'Bearer: ' instead of 'JWT: '. Shall I file this? What do you all think?

[0]: https://jwt.io/introduction/

-Brian

On Fri, Oct 27, 2017 at 9:03 AM, David Davis <[email protected]> wrote:

> There was some discussion on the PR about this:
>
> https://github.com/pulp/pulp/pull/3109#discussion_r138202256
>
> Basically the package we’re using decided on JWT. See their reasoning here:
>
> https://github.com/GetBlimp/django-rest-framework-jwt/pull/4
>
> David
>
> On Fri, Oct 27, 2017 at 8:26 AM, Kersom Moura Oliveira <[email protected]> wrote:
>
>> Hi,
>>
>> I noticed that JWT authorization header was adopted as the default one
>> for Pulp3. [0]
>>
>> Also I read in a few places about Bearer authorization header, as the
>> typical one used for JWT. [1]
>>
>> Is there a specific reason to choose one over the other in Pulp3?
>>
>> Regards,
>>
>> [0] https://docs.pulpproject.org/en/3.0/nightly/integration_guide/rest_api/authentication.html#using-a-token
>> [1] https://jwt.io/introduction/
>> [2] https://tools.ietf.org/html/rfc6750
>> [3] https://tools.ietf.org/html/rfc7523
>>
>> _______________________________________________
>> Pulp-dev mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/pulp-dev
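
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not the plugin's own code: a simplified model of an Authorization scheme-prefix check, showing how a token sent under one scheme is ignored by a server configured for the other and so looks "broken" to the client. The function names and the sample token are constructed for illustration; in django-rest-framework-jwt the expected prefix is configured with `JWT_AUTH_HEADER_PREFIX`.

```python
# Added example: simplified model of a scheme-prefix check on the
# Authorization header value. Names and sample token are constructed.


class HeaderError(Exception):
    """The header used the expected scheme but was malformed."""


def extract_token(authorization, expected_prefix):
    """Return the token if the header uses expected_prefix, else None.

    None means "this authenticator does not apply": the request carries on
    unauthenticated, which the client experiences as a rejected token.
    """
    parts = (authorization or "").split()
    # Scheme comparison is case-insensitive; a mismatch is not an error here.
    if not parts or parts[0].lower() != expected_prefix.lower():
        return None
    if len(parts) == 1:
        raise HeaderError("no credentials after scheme")
    if len(parts) > 2:
        raise HeaderError("credentials must not contain spaces")
    return parts[1]


def diagnose(authorization, expected_prefix):
    """Explain why a submitted header value was or was not accepted."""
    try:
        token = extract_token(authorization, expected_prefix)
    except HeaderError as exc:
        return "malformed: %s" % exc
    if token is not None:
        return "accepted"
    scheme = (authorization or "").split(" ", 1)[0] or "<none>"
    return "ignored: scheme %r, server expects %r" % (scheme, expected_prefix)


SAMPLE_TOKEN = "aaa.bbb.ccc"  # constructed placeholder, not a real JWT

if __name__ == "__main__":
    # Both header styles against both server configurations.
    for prefix in ("JWT", "Bearer"):
        for header in ("JWT " + SAMPLE_TOKEN, "Bearer " + SAMPLE_TOKEN):
            print("%-6s | %-18s | %s" % (prefix, header, diagnose(header, prefix)))
```
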
