On Thu, Feb 14, 2019 at 03:33:44PM +0500, Ненахов Андрей wrote:
> Actually, getting rid of master passwords is exactly what our server team
> is working on. Here's what design features we're implementing:
> 1) On connect with login/password, the device is issued a token and the
> session stops. The device has to reconnect with the token. No concurrent
> sessions are allowed with one token.
> 2) Every connected device has a token, and only one. It should not
> regenerate tokens for every new connection.
> 3) A device can issue another token for use in another device (e.g. a
> connected web client can issue a token and present it as a QR code, so a
> mobile client can scan it and instantly connect).
> 4) On issuing a new token, all devices get a message with the warning
> 'new token issued'.
> 5) It is possible to get a list of all issued tokens and revoke them, all
> or individually.
> 6) The other way to revoke all tokens is to connect with login/password and
> revoke all tokens. This way a malintentioned entity which has obtained a
> token will not be able to break the authorized user's session before he
> can possibly revoke the former's token.
Sounds like a variant of OAuth?
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
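To make the six rules in the quoted message concrete, here is an added in-memory model of that token scheme. It is example code written for this page, not code from the thread or from any server project; the class and method names, the plaintext sample password, the notice wording and the walk-through of a leaked token are all assumptions chosen to exercise each rule.

```python
"""Added example: a toy server-side model of the per-device token design
quoted above. Not the server team's code; all names and the plaintext
password check are assumptions for illustration only."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    token: str
    connected: bool = False
    notices: list = field(default_factory=list)   # warnings pushed to this device


class TokenServer:
    def __init__(self, login, password):
        self._login = login
        self._password = password   # constructed sample account; a real server stores a hash
        self._devices = {}          # token -> Device

    def _check_password(self, login, password):
        return (hmac.compare_digest(login, self._login)
                and hmac.compare_digest(password, self._password))

    def _issue(self):
        token = secrets.token_urlsafe(32)
        self._devices[token] = Device(token)
        # rule 4: every other device is warned that a new token now exists
        for d in self._devices.values():
            if d.token != token:
                d.notices.append("new token issued")
        return token

    def login_with_password(self, login, password):
        """Rule 1: a password login only yields a token; the device must reconnect with it."""
        if not self._check_password(login, password):
            raise PermissionError("bad credentials")
        return self._issue()

    def connect(self, token):
        """Rules 1 and 2: one device per token, and no concurrent sessions on one token."""
        d = self._devices.get(token)
        if d is None:
            raise PermissionError("unknown or revoked token")
        if d.connected:
            raise PermissionError("token already in use by a live session")
        d.connected = True
        return d

    def disconnect(self, token):
        d = self._devices.get(token)
        if d is not None:
            d.connected = False

    def issue_from_device(self, token):
        """Rule 3: a connected device mints a token for another device (e.g. via QR code)."""
        d = self._devices.get(token)
        if d is None or not d.connected:
            raise PermissionError("only a connected device can issue tokens")
        return self._issue()

    def list_tokens(self, token):
        """Rule 5: any token holder can list every issued token."""
        if token not in self._devices:
            raise PermissionError("unknown or revoked token")
        return sorted(self._devices)

    def revoke(self, token, target):
        """Rule 5: revoke one token; the target can no longer connect or act."""
        if token not in self._devices:
            raise PermissionError("unknown or revoked token")
        self._devices.pop(target, None)

    def revoke_all_with_password(self, login, password):
        """Rule 6: the password path revokes everything, including the caller's own tokens."""
        if not self._check_password(login, password):
            raise PermissionError("bad credentials")
        self._devices.clear()

    def pending_notices(self, token):
        return list(self._devices[token].notices)

    def token_count(self):
        return len(self._devices)


def stolen_token_scenario():
    """Constructed walk-through: a phone token leaks while the phone is online, then offline."""
    srv = TokenServer("alice", "correct horse battery staple")
    web = srv.login_with_password("alice", "correct horse battery staple")
    srv.connect(web)                          # web client reconnects with its own token
    mobile = srv.issue_from_device(web)       # QR-code hand-off to the phone (rule 3)
    srv.connect(mobile)
    try:                                      # leaked token, phone still online: rejected (rule 1)
        srv.connect(mobile)
        stolen_blocked = False
    except PermissionError:
        stolen_blocked = True
    srv.disconnect(mobile)                    # phone goes offline; the thief can now connect
    srv.connect(mobile)
    srv.issue_from_device(mobile)             # thief mints a token; web client is warned (rule 4)
    web_warnings = len(srv.pending_notices(web))
    srv.revoke_all_with_password("alice", "correct horse battery staple")   # rule 6
    return {"stolen_blocked": stolen_blocked, "web_warnings": web_warnings,
            "tokens_after_revoke": srv.token_count()}
```

The walk-through shows the two properties the design relies on: a leaked token is useless while the legitimate device holds the single allowed session, and once the thief does get in, the "new token issued" warning plus the password-only revoke-all give the owner a recovery path the thief cannot pre-empt with a token alone. The web client sees two warnings because both the phone's token and the thief's token were issued after it.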
