> > Jeremy, I don't think I understand your comment.
>
> You *will* have to use basic auth to refresh the token when the original
> one expires.
>
Right. I understand that. I'm not arguing that we allow the user to generate a valid JWT token using an expired, invalid JWT token. I'm arguing that we allow the user to generate a valid JWT token using an unexpired, valid JWT token. This allows use cases such as a client (web browser, CLI tool, etc.) being able to re-authenticate itself without re-prompting the user for a username and password. This is especially relevant if the token expiration time is set to a short value, such as 15 minutes.

> So there are limitations to a JWT, and for good reasons. A JWT is a weaker
> authenticator than a username+password because it expires. Because it is
> timestamped, it reduces the risk of compromising your account if someone
> sniffs the traffic.
>

If there are security concerns here, then that's important, and they should be weighted heavily. Note that there's an easy-to-use mechanism for invalidating a user's tokens.

> Refreshing the token with a JWT seems marginally useful to me.
>
_______________________________________________
Pulp-dev mailing list
Pulp-dev@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-dev
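The refresh flow argued for above, as an added illustration that is not Pulp's code and not from anyone on the thread: a token can only be refreshed while it is still valid and unexpired, an expired token forces the basic-auth path, and all of a user's outstanding tokens can be invalidated at once. Everything below is my own construction: HS256 signing with an in-memory secret, a per-user revocation counter carried in a `ver` claim (standing in for whatever invalidation mechanism the thread refers to, not a description of it), and an `oiat` claim that caps how long a token can be kept alive through repeated refreshes so that a short `exp` is not turned into an unbounded session.

```python
"""Added example (not Pulp's code): JWT refresh that accepts only a valid,
unexpired token, with per-user revocation and a cap on the refresh chain.
All names, claims and values here are assumptions for the example."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-secret"   # constructed; a real deployment loads this from config
TOKEN_TTL = 15 * 60                     # 15-minute expiry, the short value the thread mentions
MAX_SESSION = 8 * 3600                  # assumed cap: refresh chain cannot outlive the original login

# constructed user table: username -> revocation counter ("ver" claim must match)
USERS = {"alice": {"ver": 0}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(username: str, now: int, oiat=None) -> str:
    """Mint an HS256 token; only called once the caller is already authenticated."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": username,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL,
        "oiat": int(oiat if oiat is not None else now),   # when the session originally started
        "ver": USERS[username]["ver"],                      # snapshot of the revocation counter
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, now: int) -> dict:
    """Return the claims if signature, expiry and revocation counter all check out; else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    claims = json.loads(_unb64url(p))
    if now >= claims["exp"]:
        raise ValueError("expired")                 # expired tokens are useless for refresh too
    user = USERS.get(claims["sub"])
    if user is None or claims["ver"] != user["ver"]:
        raise ValueError("revoked")
    return claims


def login_basic(username: str, password: str, now: int) -> str:
    """Basic-auth path: the only way to start a session or recover from an expired token."""
    if (username, password) != ("alice", "correct horse"):   # constructed credential check
        raise ValueError("bad credentials")
    return issue(username, now)


def refresh(token: str, now: int) -> str:
    """Issue a fresh token from a valid, unexpired one, without prompting for a password."""
    claims = verify(token, now)
    if now - claims["oiat"] > MAX_SESSION:
        raise ValueError("session too old; re-authenticate with basic auth")
    return issue(claims["sub"], now, oiat=claims["oiat"])


def revoke_all(username: str) -> None:
    """Invalidate every outstanding token for a user by bumping the counter."""
    USERS[username]["ver"] += 1


def can_refresh(token: str, now: int) -> bool:
    """Convenience wrapper: True if refresh() would succeed at time `now`."""
    try:
        refresh(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = login_basic("alice", "correct horse", t0)
    print("refresh at +10 min:", can_refresh(tok, t0 + 600))     # True
    print("refresh at +16 min:", can_refresh(tok, t0 + 960))     # False: expired, basic auth needed
    revoke_all("alice")
    print("refresh after revoke:", can_refresh(tok, t0 + 600))   # False
```

The two checks that matter for the thread's argument are in `refresh()`: it calls `verify()` first, so an expired or revoked token can never be exchanged for a new one, and the `oiat` cap means a client that refreshes forever is still sent back to basic auth eventually. Whether Pulp's actual invalidation mechanism works like the `ver` counter here is not something this thread states; the counter is only one simple way to get the "invalidate all of a user's tokens" property.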