We had a chance to discuss some of these use cases during our MVP call yesterday. Here is the updated list of use cases:

* As an administrator, I can disable JWT token expiration. This configuration is in the settings file and is system-wide.
* As an administrator, I can configure the JWT tokens to expire after a configurable amount of time. This configuration is in the settings file and is system-wide.
* The JWT shall have a username identifier.
* As an API user, I can authenticate any API call (except to request a JWT) with a JWT.
* As an API user, I can invalidate all existing JWT tokens for a given user.
* As an authenticated user, when deleting a user 'foo', all of user 'foo's existing JWTs are invalidated.
* As an authenticated user, I can invalidate a user's JWTs in the same operation as updating the password.
* As an un-authenticated user, I can obtain a JWT token by using a username and password.

Let's polish them up on this email thread and then update the MVP wiki page.

-Dennis

On Mon, May 29, 2017 at 1:57 PM, Brian Bouterse <[email protected]> wrote:
> We had a use case call which produced these use cases [0]. Then @fdobrovo
> investigated using the django-rest-framework-jwt [1] to fulfil those use
> cases and there are some small, but to fulfil the use cases written he had
> to write a good amount of code and maybe only used 50 or 100 lines of code
> actually from django-rest-framework-jwt.
>
> Through a lot of back and forth on the issue [2], we did a gap analysis
> and considered different ways the use cases could be aligned with the
> functionality provided by the django-rest-framework. We came up with the
> following revised use cases related to JWT that are effectively the same
> and would allow the plugin code to be used mostly as-is:
>
> * As an administrator, I can disable JWT token expiration. This
>   configuration is in the settings file and is system-wide.
> * As an administrator, I can configure the JWT tokens to expire after a
>   configurable amount of time. This configuration is in the settings file and
>   is system-wide.
> * The JWT shall have a username identifier
> * As an API user, I can authenticate any API call (except to request a
>   JWT) with a JWT.
> * As an API user, I can invalidate all JWT tokens for a given user
> * As an authenticated user, when deleting a user 'foo', all of user 'foo's
>   JWTs are invalidated.
> * As an un-authenticated user, I can obtain a JWT token, by passing a
>   username and password via POST
>
> Comments and questions are welcome here. I also hope to append this topic
> onto one of the upcoming, Tuesday use case calls. The next call May 30th is
> on the Status API and Alternate Content Sources so hopefully there will be
> enough time to revisit the JWT use cases then too or on a following call.
>
> [0]: https://pulp.plan.io/projects/pulp/wiki/Pulp_3_Minimum_Viable_Product#Authentication
> [1]: http://getblimp.github.io/django-rest-framework-jwt/
> [2]: https://pulp.plan.io/issues/2359
>
> -Brian
>
> _______________________________________________
> Pulp-dev mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-dev
>
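The use cases in this thread, worked through as an added example (not Pulp's code and not django-rest-framework-jwt's): a minimal HS256 JWT issuer and verifier with a system-wide expiration setting where None disables expiry, a username claim, and a per-user signing secret so that "invalidate all of a user's JWTs" is a key rotation that also runs on password update and user deletion (the same idea drf-jwt exposes through its JWT_GET_USER_SECRET_KEY setting). The names SETTINGS, USERS, obtain_jwt, authenticate_jwt and the in-memory user store are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time
SETTINGS = {"JWT_EXPIRATION_DELTA": 300}  # system-wide setting; None disables expiration
# Constructed in-memory user store (a real deployment stores password hashes). jwt_secret
# is a per-user signing key: rotating it invalidates only that user's existing JWTs.
USERS = {"foo": {"password": "hunter2", "jwt_secret": secrets.token_bytes(32)}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(username: str, signing_input: str) -> bytes:
    return hmac.new(USERS[username]["jwt_secret"], signing_input.encode(), hashlib.sha256).digest()

def obtain_jwt(username: str, password: str, now=None) -> str:
    """Un-authenticated user trades username/password for an HS256 JWT."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("bad credentials")
    now = int(time.time() if now is None else now)
    claims = {"username": username, "iat": now}  # the required username identifier
    if SETTINGS["JWT_EXPIRATION_DELTA"] is not None:  # expiration may be disabled
        claims["exp"] = now + SETTINGS["JWT_EXPIRATION_DELTA"]
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_sign(username, signing_input))

def authenticate_jwt(token: str, now=None) -> str:
    """Return the username for a valid JWT; raise PermissionError otherwise."""
    try:
        head, body, sig = token.split(".")
        signature = _unb64(sig)
        alg = json.loads(_unb64(head))["alg"]
        claims = json.loads(_unb64(body))
        username = claims["username"]
    except (ValueError, KeyError, TypeError):  # bad segments, base64, JSON or shape
        raise PermissionError("malformed token")
    if alg != "HS256" or not isinstance(username, str) or username not in USERS:
        raise PermissionError("unknown algorithm or user")  # pin alg, then find the user's key
    if not hmac.compare_digest(signature, _sign(username, f"{head}.{body}")):
        raise PermissionError("bad signature")
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise PermissionError("token expired")
    return username
def invalidate_all_jwts(username: str) -> None:
    USERS[username]["jwt_secret"] = secrets.token_bytes(32)  # old signatures stop verifying
def update_password(username: str, new_password: str) -> None:
    USERS[username]["password"] = new_password
    invalidate_all_jwts(username)  # invalidation in the same operation as the update
def delete_user(username: str) -> None:
    del USERS[username]  # 'foo's existing tokens now fail the user lookup above
```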
