Hey folks I'm working on the token signing/verification stuff at the moment. Curious to solicit some opinions on this:
message TokenPB { // The actual token contents. This is typically a serialized // protobuf of its own. However, we use a 'bytes' field, since // protobuf doesn't guarantee that if two implementations serialize // a protobuf, they'll necessary get bytewise identical results, // particularly in the presence of unknown fields. optional bytes token_contents = 1; // The cryptographic signature of 'token_contents'. optional bytes signature = 2; // The sequence number of the key which produced 'signature'. optional int64_t signing_key_seq_num = 3; }; The thing that's currently missing is an expiration timestamp of the signature. I have two options here: *Option A*) say that the TokenPB itself doesn't capture expiration, and if a particular type of token needs expiration, it would have to put an 'expiration time' in its token contents itself. *pros:* - token signing/verification is just a simple operation on the 'token_contents' string *Cons:* - would likely end up with redundant code between AuthN and AuthZ tokens, both of which need expiration. However, that code isn't very complicated (just a timestamp comparison) so maybe not a big deal? *Option B)* add an expiration timestamp field to TokenPB *pros:* - consolidate the expiration checking code into TokenVerifier *cons:* - now in order to sign/verify a token, we actually need to be signing something like a concatenation of 'token_contents + signature'. Not too hard to construct this concatenation, but it does add some complexity. Any strong opinions either way? -Todd -- Todd Lipcon Software Engineer, Cloudera