On Jun 6, 2014 6:30 PM, "Roy Smith" <r...@panix.com> wrote:
> We would have to keep state on the server side about every extant valid
> token (but then again, we need to do that now, for each session).
If you didn't want to have to manage such state server side, you could opt to use JWTs (http://datatracker.ietf.org/wg/jose/). A number of auth providers (including Microsoft and Google) are moving to using these as well. Of course, /some/ server side state would have to be managed to deal with invalidation or any other mutable data that doesn't belong in a token, but it's generally minimal. [Shameless plug] I've implemented a subset of the algorithms for both JWE and JWSs as a part of https://pypi.python.org/pypi/jose.
-- https://mail.python.org/mailman/listinfo/python-list
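To make the trade-off concrete, here is an added example (not from the thread or from the jose package) of the pattern described above: an HS256 compact JWS is signed and verified with the standard library alone, so the server keeps no per-session record, and the only server-side state is a small set of revoked `jti` values for tokens that must die before their `exp`. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in practice this comes from a secrets store.
KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    # JOSE base64url: URL-safe alphabet, padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes) -> str:
    """Return a compact JWS (header.payload.signature) with alg HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


class TokenVerifier:
    """Stateless verification plus a minimal revocation set keyed by jti."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now            # injectable clock so tests are deterministic
        self.revoked = set()      # the only mutable server-side state

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def verify(self, token: str):
        """Return the claims if the token is authentic and live, else None."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_b64url_decode(h64))
            if header.get("alg") != "HS256":
                return None       # refuse 'none' and any alg we do not issue
            expected = hmac.new(self.key, f"{h64}.{p64}".encode("ascii"),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s64)):
                return None       # forged or tampered
            claims = json.loads(_b64url_decode(p64))
        except ValueError:        # covers bad base64, bad JSON, wrong shape
            return None
        if claims.get("exp", 0) <= self.now() or claims.get("jti") in self.revoked:
            return None           # expired, or explicitly invalidated
        return claims
```

Expired tokens need no server-side entry at all, and revoked `jti`s can be dropped from the set once their `exp` has passed, which is what keeps the state small.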