Marsh Gardiner created USERGRID-1294:
----------------------------------------
Summary: Lightweight token validation for users and admins
Key: USERGRID-1294
URL: https://issues.apache.org/jira/browse/USERGRID-1294
Project: Usergrid
Issue Type: Story
Reporter: Marsh Gardiner
For both app and admin users, an endpoint should exist that allows a bearer
token to be validated. It should include email address, username, and UUID of
the user so that identity can be validated as well as the token. For extra
credit, if the username/uuid/email were passed in as part of the validation
claim, then Usergrid would check the user's record and only return a 200 if the
supplied info matched (ignoring case).
While it is possible to call `…/management/token` and `…/management/me`, both
return a complex user object and are not appropriate for token validation given
that they generate a new token every time, effectively decreasing the entropy
with each validation call. (Also, this suggests that this GET request is
non-idempotent as it changes the system state, even if that change is subtle.)
Alternatively, if Usergrid tokens were self-signed in a way that could be
independently validated (such as a JWT), that would provide some architectural
benefits when using Usergrid as an identity service beyond pure BaaS.
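The two ideas in the description (a validation call that returns the user's identity without minting a new token, and tokens that can be checked independently because they are signed) can be combined in one small stateless check. The following is an added example, not Usergrid code: a minimal HS256 JWT issued and verified with the Python standard library only. `SECRET`, `issue_token` and `validate_token` are names assumed for the illustration, the sample user is constructed, and the 200/401/403 mapping is one reasonable reading of the story's "only return a 200 if the supplied info matched (ignoring case)".

```python
"""Stateless, idempotent bearer-token validation (added example, not Usergrid code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample signing key for the example; a deployment would load this
# from a secret store, never from source.
SECRET = b"constructed-example-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: dict, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a compact HS256 JWT carrying uuid (sub), username, email and expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user["uuid"],
        "username": user["username"],
        "email": user["email"],
        "iat": now,
        "exp": now + ttl_seconds,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, claims: Optional[dict] = None,
                   now: Optional[int] = None) -> Tuple[int, dict]:
    """Return (http_status, body) for a bearer token without changing server state.

    200 -> signature and expiry are good and every supplied claim matched (case-insensitive)
    401 -> malformed, wrong algorithm, bad signature or expired
    403 -> token is genuine but the supplied identity is not the token's subject
    The same input always yields the same answer: nothing is minted or stored.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return 401, {"error": "malformed_token"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        presented = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "malformed_token"}
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return 401, {"error": "malformed_token"}
    # Pin the algorithm server-side; the header must never choose how we verify.
    if header.get("alg") != "HS256":
        return 401, {"error": "unsupported_alg"}
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return 401, {"error": "invalid_signature"}
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return 401, {"error": "expired_token"}
    identity = {"uuid": payload.get("sub"), "username": payload.get("username"),
                "email": payload.get("email")}
    if not all(isinstance(v, str) for v in identity.values()):
        return 401, {"error": "incomplete_token"}
    # Optional identity assertion: each supplied field must match, ignoring case.
    for field, supplied in (claims or {}).items():
        if field not in identity or identity[field].casefold() != str(supplied).casefold():
            return 403, {"error": "identity_mismatch", "field": field}
    return 200, identity


if __name__ == "__main__":
    # Constructed sample user and fixed clock so the run is reproducible.
    user = {"uuid": "00000000-0000-4000-8000-000000000001",
            "username": "marsh", "email": "Marsh@Example.com"}
    tok = issue_token(user, ttl_seconds=3600, now=1_700_000_000)
    print(validate_token(tok, now=1_700_000_001))
    print(validate_token(tok, {"email": "marsh@example.com"}, now=1_700_000_001))
    print(validate_token(tok, {"username": "someone-else"}, now=1_700_000_001))
```

The check reads the identity out of the token itself, so the endpoint needs no database round trip and no new token is created per call, which addresses the entropy and idempotence concerns above. The case-insensitive comparison uses `casefold()` rather than `lower()` so that non-ASCII identifiers compare the way a user would expect.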