Jeremy, I don't think I understand your comment. You *will* have to use basic auth to refresh the token when the original one expires. So there are limitations to a JWT, and for good reasons. A JWT is a weaker authenticator than a username+password because it expires. Because it is timestamped, it reduces the risk of compromising your account if someone sniffs the traffic.
Refreshing the token with a JWT seems marginally useful to me.

On Wed, Nov 29, 2017 at 1:02 PM, Jeremy Audet <[email protected]> wrote:

> +1. I think one should be able to get a JWT with a JWT. This user
> experience:
>
> > I can authenticate any API call with a JWT token.
>
> ...is nicer than this user experience:
>
> > I can authenticate any API call with a JWT token. Oh, wait, except
> > getting a new JWT token. I wonder why? Is there some security risk here? I
> > wonder if there's other API calls that also don't let me use JWT tokens?
> > Perhaps I should use basic auth for all authentication?
>
> _______________________________________________
> Pulp-dev mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-dev
