Re: [DISCUSS] JWT implementation

2019-03-11 Thread Francois Papon
Yeah! It sounds very good ;) I fully agree, let's move forward first on the OAuth2 support! Thanks, François Papon fpa...@apache.org On 11/03/2019 at 18:39, Brian Demers wrote: > For Bearer tokens (IMHO), we should treat it the same way we deal with > Basic auth. Create an

Re: [DISCUSS] JWT implementation

2019-03-11 Thread Brian Demers
For Bearer tokens (IMHO), we should treat it the same way we deal with Basic auth. Create an AuthenticationToken based on the input, and let a Realm implementation deal with it. For minting the actual token, we start getting into the OAuth2 IdP territory (once you start thinking about, validating

Re: [DISCUSS] JWT implementation

2019-03-09 Thread Francois Papon
Yes, that's it :) François Papon fpa...@apache.org On 10/03/2019 at 10:49, Brian Demers wrote: > The JWT as a Bearer token? Used with an Authorization header? > > -Brian > >> On Mar 10, 2019, at 12:00 AM, Francois Papon >> wrote: >> >> Hi Brian, >> >> I'm wondering if it's possible to use JWT

Re: [DISCUSS] JWT implementation

2019-03-09 Thread Brian Demers
The JWT as a Bearer token? Used with an Authorization header? -Brian > On Mar 10, 2019, at 12:00 AM, Francois Papon > wrote: > > Hi Brian, > > I'm wondering if it's possible to use JWT instead of a cookie. > > I'm not sure that a cookie is mandatory in API calls because an API can be > called by a

Re: [DISCUSS] JWT implementation

2019-03-09 Thread Francois Papon
Hi Brian, I'm wondering if it's possible to use JWT instead of a cookie. I'm not sure that a cookie is mandatory in API calls because an API can be called by a backend application or another API. François Papon fpa...@apache.org On 08/03/2019 at 18:40, Brian Demers wrote: > Using a JWT as an auth

Re: [DISCUSS] JWT implementation

2019-03-08 Thread Brian Demers
Using a JWT as an auth token (bearer or otherwise) should be dependent on a realm's implementation IMHO. Using a JWT as a session id direction is a different topic. In this case I don't think it would provide any benefit (but I could be wrong or missing something here). The session id would be

Re: [DISCUSS] JWT implementation

2019-03-07 Thread Francois Papon
Hi Les! I agree, the purpose is not to re-invent the wheel, and thanks for creating JJWT ;) As JJWT is under the Apache 2.0 license, I think we can use it in Shiro. Do you have some time to work on this integration or make a proposal? François Papon fpa...@apache.org On 07/03/2019 at

Re: [DISCUSS] JWT implementation

2019-03-07 Thread Francois Papon
Yes, I agree about using the JWT for a remember me storage, especially for APIs in a distributed / cloud environment. For the session id, how can we match the JWT sent by the consumer with the session id? François Papon fpa...@apache.org On 07/03/2019 at 21:44, Brian Demers wrote: > I would

Re: [DISCUSS] JWT implementation

2019-03-07 Thread Brian Demers
I agree, I don't think we want to take things like that if we don't need to. We might not want to leak the JJWT interfaces in our APIs, but I would much rather leverage an existing lib whenever possible. On Thu, Mar 7, 2019 at 12:39 PM Les Hazlewood wrote: > Hi François! > > I see it a little

Re: [DISCUSS] JWT implementation

2019-03-07 Thread Brian Demers
I would agree on the bearer token use cases, though that would likely be dependent on a given realm (where to validate the bearer token). I'm not sure using a JWT as the session id would add much value. We would still need to look up an existing session, so the session key would just be bigger? I

Re: [DISCUSS] JWT implementation

2019-03-07 Thread Francois Papon
Hi Les, I took a look at JJWT and it's really great ;) But as Shiro is a security framework and already has a cryptography module, I was hoping that we could have our own implementation. Regards, François Papon fpa...@apache.org On 07/03/2019 at 01:37, Les Hazlewood wrote: > What about jjwt

Re: [DISCUSS] JWT implementation

2019-03-07 Thread Francois Papon
I think that the session cache manager is a very nice feature in Shiro and I was thinking about using the compact representation of JWT as the session id in the cache manager. This could be very useful because we just have to decrypt the JWT on login and store the user profile in the cache

Re: [DISCUSS] JWT implementation

2019-03-06 Thread Les Hazlewood
What about jjwt - would that work? On Wed, Mar 6, 2019 at 3:15 PM Brian Demers wrote: > > What use cases are you thinking about targeting ? > > > On Wed, Mar 6, 2019 at 1:33 PM Francois Papon > wrote: > > > Hi guys, > > > > I would like to start a thread about JWT. > > > > We already have a

Re: [DISCUSS] JWT implementation

2019-03-06 Thread Brian Demers
What use cases are you thinking about targeting? On Wed, Mar 6, 2019 at 1:33 PM Francois Papon wrote: > Hi guys, > > I would like to start a thread about JWT. > > We already have a shiro-jaxrs module and I think it would be nice for > Shiro to be able to use JWT. > > There are some existing

[DISCUSS] JWT implementation

2019-03-06 Thread Francois Papon
Hi guys, I would like to start a thread about JWT. We already have a shiro-jaxrs module and I think it would be nice for Shiro to be able to use JWT. There are some existing implementations (Apache CXF JOSE, Apache Geronimo microprofile...) and for me it makes sense to have an implementation of