Hi guys,

JSON web tokens are suitable for one-time authentication between parties, but they have important drawbacks if they are used as a session mechanism (how to store them, not possible to invalidate one...).
There is a nice article on this: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

Best wishes,
Gregory

2016-07-13 13:19 GMT+02:00 Rishi Solanki <rishisolan...@gmail.com>:

> Rahul,
>
> Thanks for the detailed proposal, I went through all the details. No changes in
> the current auth system, and achieving token based authentication looks a
> good idea to me.
>
> Agree on all the details provided and will try to participate in
> reviewing the design/implementation.
>
> +1.
>
> Rishi Solanki
> Manager, Enterprise Software Development
> HotWax Systems Pvt. Ltd.
> Direct: +91-9893287847
> http://www.hotwaxsystems.com
>
> On Mon, Jun 20, 2016 at 2:24 AM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>
>> We (I was then working with ilscipio) did something like that for a
>> client, and I agree it's the way to go.
>>
>> I mean that I agree with "We are not going to implement the Token Based
>> Authentication process at low level. Behind the scenes, we will be using
>> the current work flow as is"
>>
>> Disclaimer: I did not look into all details. Also we planned to use OpenId
>> but eventually the Token Based Authentication we used was specific and
>> proprietary to the client (this reminded me of
>> http://markmail.org/message/7vtjvjomneimspvl)
>>
>> Jacques
>>
>> On 18/06/2016 at 15:01, Rahul Bhooteshwar wrote:
>>
>>> Hello All,
>>> Recently felt the need of Token Based Authentication process in Apache
>>> OfBiz while using OfBiz's business process offerings with standalone
>>> clients like Mobile Apps, Angular JS based apps running outside Apache
>>> OfBiz etc.
>>>
>>> What we currently have in OfBiz is a session based authentication
>>> process which is *stateful*. But while dealing with the independently
>>> running remote clients stateful authentication is not gonna work as we will
>>> not be using *server-browser session* anymore in those cases.
>>>
>>> Following are the initial draft & supporting documents to proceed further:
>>>
>>> - Token Based Authentication in Apache OfBiz
>>>   <https://docs.google.com/document/d/1xbpjNWGZp8B_79YJmPxmSJqkx7Qo_EI7u_PE0WNt3B4/edit#heading=h.g14rrmsoijiv>
>>> - Token Based Authentication
>>>   <https://docs.google.com/document/d/15QBV87vMD42QppCaHpxgcefcg_ac7HFeSQQnF_S50nk/edit#heading=h.mdriqalojfy4>
>>> - JSON Web Tokens
>>>   <https://docs.google.com/document/d/1wLfv8h_Kkd4iHBxW4Gkx987Q7KBocWAGvss2p4N4fIM/edit>
>>> - IETF's (Internet Engineering Task Force) Documentation for JSON Web Tokens
>>>   <https://drive.google.com/file/d/0BzXOhs4-o0n9cHVGckgwUndsUGc/view?pref=2&pli=1>
>>>
>>> I would like to propose a requirement to implement this in OfBiz, & invite
>>> you all to provide valuable inputs to conclude the requirements &
>>> implementation plans.
>>>
>>> Thanks and Regards
>>> *Rahul Bhooteshwar*
>>> Enterprise Software Engineer
>>> HotWax Systems <http://www.hotwaxsystems.com/> - *Global leader in
>>> innovative enterprise commerce solutions **powered by Apache OFBiz.*

--
Grégory Draperi
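The invalidation drawback Gregory raises is easiest to see in code. The following is an added illustration, not code from this thread or from Apache OFBiz: a minimal HS256 JWT signer and verifier written against the Python standard library (so it runs offline), followed by the server-side revocation store a deployment would have to add if it used JWTs as sessions anyway. The key, the claim values, the `RevocationStore` class and the `verify_stateless` / `verify_stateful` names are all assumptions made for the example.

```python
"""Added example: a bare JWT cannot be invalidated before 'exp'; revocation needs server state."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a deployment would load it from a secret store.
SECRET = b"demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes = SECRET) -> str:
    """Produce a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Pure JWT check: algorithm pin, signature and 'exp'. Nothing here can remember a logout."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        return None
    return claims


class RevocationStore:
    """Server-side state that restores the ability to end a session early (assumed design)."""

    def __init__(self) -> None:
        self._revoked: dict = {}  # jti -> exp, so entries can be dropped once the token expires anyway

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: float) -> None:
        """Forget entries whose token has expired; 'exp' bounds how long the store must remember."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}


def verify_stateful(token: str, store: RevocationStore, key: bytes = SECRET,
                    now: Optional[float] = None) -> Optional[dict]:
    """Stateless checks plus a denylist lookup keyed on the 'jti' claim."""
    claims = verify_stateless(token, key, now)
    if claims is None or "jti" not in claims or store.is_revoked(claims["jti"]):
        return None
    return claims


if __name__ == "__main__":
    claims = {"sub": "user1", "jti": "t1", "exp": 2000}
    tok = sign_token(claims)
    store = RevocationStore()
    store.revoke(claims)  # "logout" at some point before exp
    print("stateless still accepts after logout:", verify_stateless(tok, now=1500) is not None)
    print("stateful rejects after logout:", verify_stateful(tok, store, now=1500) is None)
```

Both verifiers accept the token until `exp`; only the stateful one can honour a logout, and the denylist it needs is exactly the per-session server state the token was meant to avoid. Keeping `exp` short bounds both the exposure window and the size of the store.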