Thanks for your answer!

I've been reading about JWT too, and I consider it for application
authorization; the thing is I don't feel comfortable sending the parameters
through JSON, I prefer to send them via POST parameters and so on, but after
reading the link you posted it sounds like a good solution for app
authentication, and I will consider this along with the Amazon approach and
OAuth2. The thing that is really bothering me is the authorization of
users. Any suggestion on this field?

Thank you very much!

On Monday, September 14, 2015 at 18:19:12 (UTC-4:30), Dave S wrote:
>
>
>
> On Monday, September 14, 2015 at 3:35:20 PM UTC-7, Luis Valladares wrote:
>>
>> Since I did the post I found some interesting articles, and now I have a
>> better implementation idea, but I'm still looking for the solution on a
>> subject. Here is what I have now:
>>
>> I will handle the authentication of my applications using the Amazon
>> approach (
>> http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)
>> and the user authentication using CAS in order to centralize all the
>> services' auth providers, but I'm still searching for a way to handle the
>> authorization for users. I read about Spring Security but I didn't see any
>> implementation in Python or web2py.
>>
>> Again, thanks for any help!
>>
>
> Perhaps Niphlod's JWT implementation would work for you, too.
>
> Quoting his example again:
>
>
>> As per "original" demand of covering one-time-issued tokens, the "jti" 
>> claim is the standard, and can be easily implemented, imagining to store 
>> valid tokens in a database table:
>>
>> # model file: db, Field, request, auth and HTTP come from the web2py environment
>> db.define_table('jwt_tokens', Field('token'), Field('user_id'),
>>                 Field('inserted_on', 'datetime', default=request.now))
>>
>> def myadditional_payload(payload):
>>     # put the user's most recently issued token into the "jti" claim
>>     res = db(db.jwt_tokens.user_id == payload['user']['id']).select(
>>         orderby=~db.jwt_tokens.inserted_on).first()
>>     payload['jti'] = res.token
>>     return payload
>>
>> def mybefore_authorization(tokend):
>>     # reject the token unless its "jti" is still listed for that user
>>     res = db(
>>         (db.jwt_tokens.user_id == tokend['user']['id']) &
>>         (db.jwt_tokens.token == tokend['jti'])
>>     ).select().first()
>>     if not res:
>>         raise HTTP(400, u'Invalid JWT jti claim')
>>
>> myjwt = Web2pyJwt('secret', auth,
>>                   additional_payload=myadditional_payload,
>>                   before_authorization=mybefore_authorization)
>>  
>
>
> The list of features is in his post in the developer's forum.
> <URL:https://groups.google.com/d/msg/web2py-developers/dXfUrHNI5Sg/gqNa3kXsCQAJ>
>
> If you need some background on JWT, my reading list recently included
> <URL:https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html>
> (that's the standard as of May; it's actually readable by users of
> standards as well as the writers, I think)
>
> /dps
>
>  
>

You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
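An added, stand-alone illustration of the jti check in Niphlod's quoted snippet (example code written for this page, not from the thread or from web2py): a minimal HS256 JWT built with the standard library only, with an in-memory dict standing in for the jwt_tokens table and with additional_payload / before_authorization playing the roles of myadditional_payload / mybefore_authorization. Unlike the quoted code it mints the jti itself instead of reading the newest row, and the key and store are constructed for the demo; the point it shows is that removing a jti from the store rejects a token whose signature is still perfectly valid.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"secret"  # constructed demo key; use a long random key in practice
JWT_TOKENS = {}     # stand-in for the jwt_tokens table: jti -> user_id

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def additional_payload(payload):
    # mint a fresh one-time id, record it for the user, set the jti claim
    jti = secrets.token_urlsafe(16)
    JWT_TOKENS[jti] = payload["user"]["id"]
    payload["jti"] = jti
    return payload

def before_authorization(tokend):
    # reject a token whose jti is not (or no longer) listed for that user
    if JWT_TOKENS.get(tokend.get("jti")) != tokend["user"]["id"]:
        raise PermissionError("Invalid JWT jti claim")

def issue(user_id, ttl=3600):
    # build and HS256-sign a JWT carrying user, exp and jti claims
    header = {"alg": "HS256", "typ": "JWT"}
    payload = additional_payload(
        {"user": {"id": user_id}, "exp": int(time.time()) + ttl})
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token):
    # check alg, signature and exp first, then the jti store
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) < time.time():
        raise PermissionError("expired")
    before_authorization(payload)
    return payload

def is_valid(token):
    try:
        return bool(verify(token))
    except (PermissionError, ValueError):
        return False
```

Revocation is just `JWT_TOKENS.pop(jti)` (a DELETE on the jwt_tokens row in the web2py version); the signature check alone would keep accepting that token until exp.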