After some discussion with my team we came up with this architecture: we will have a service to manage authentication and authorization, and all our services will query it in order to get permissions and credentials. For authentication we will use CAS, and for authorization RBAC, sent over JSON.
I have another question: exactly how does CAS work? I mean, I know the theory that you log in at the CAS provider and you are then logged in at the CAS consumer, but how does this work? With session cookies and a token? Or how does CAS communicate with the consumers?

On Monday, September 14, 2015, 21:54:30 (UTC-4:30), Luis Valladares wrote:
>
> Thanks for your answer!
>
> I've been reading about JWT too, and I consider it for application
> authorization, the thing is I don't feel comfortable sending the parameters
> through JSON, I prefer to send it via POST parameters and so on, but after
> reading the link you posted it sounds like a good solution for app
> authentication, and I will consider this along with the Amazon approach and
> OAuth2. The thing that is really bothering me is the authorization of
> users. Any suggestion on this field?
>
> Thank you very much!
>
> On Monday, September 14, 2015, 18:19:12 (UTC-4:30), Dave S wrote:
>>
>> On Monday, September 14, 2015 at 3:35:20 PM UTC-7, Luis Valladares wrote:
>>>
>>> Since I made the post I found some interesting articles, and now I have a
>>> better implementation idea, but I'm still looking for the solution on a
>>> subject. Here is what I have now:
>>>
>>> I will handle the authentication of my applications using the Amazon
>>> approach (
>>> http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)
>>> and the user authentication using CAS in order to centralize all the
>>> services' auth providers, but I'm still searching for a way to handle the
>>> authorization for users. I read about Spring Security but I didn't see any
>>> implementation in Python or web2py.
>>>
>>> Again, thanks for any help!
>>>
>> Perhaps Niphlod's JWT implementation would work for you, too.
>>
>> Quoting his example again:
>>
>>> As per the "original" demand of covering one-time-issued tokens, the "jti"
>>> claim is the standard, and can be easily implemented, imagining to store
>>> valid tokens in a database table:
>>>
>>> # db, Field, request, auth and HTTP are web2py's global objects
>>> db.define_table('jwt_tokens',
>>>                 Field('token'),
>>>                 Field('user_id'),
>>>                 Field('inserted_on', 'datetime', default=request.now))
>>>
>>> def myadditional_payload(payload):
>>>     # put the user's most recently issued token into the "jti" claim
>>>     res = db(db.jwt_tokens.user_id == payload['user']['id']).select(
>>>         orderby=~db.jwt_tokens.inserted_on).first()
>>>     payload['jti'] = res.token
>>>     return payload
>>>
>>> def mybefore_authorization(tokend):
>>>     # reject any token whose "jti" is not a stored valid token for that user
>>>     res = db(
>>>         (db.jwt_tokens.user_id == tokend['user']['id']) &
>>>         (db.jwt_tokens.token == tokend['jti'])
>>>     ).select().first()
>>>     if not res:
>>>         raise HTTP(400, u'Invalid JWT jti claim')
>>>
>>> myjwt = Web2pyJwt('secret', auth,
>>>                   additional_payload=myadditional_payload,
>>>                   before_authorization=mybefore_authorization)
>>>
>> The list of features is in his post in the developer's forum.
>> <URL:https://groups.google.com/d/msg/web2py-developers/dXfUrHNI5Sg/gqNa3kXsCQAJ>
>>
>> If you need some background on JWT, my reading list recently included
>> <URL:https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html>
>> (that's the standard as of May; it's actually readable by users of
>> standards as well as the writers, I think)
>>
>> /dps
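As an added example (not code from this thread or from web2py), the same "jti" scheme in standalone form using only the Python standard library: an HS256 JWT is minted with a fresh jti that is recorded in a sqlite table, and on presentation the signature is verified first and then the jti is looked up, so an unknown or revoked jti is rejected just as the quoted before_authorization does. Table and function names are my own, and issuing a new token deletes the user's earlier one, which is a choice I made for the demo rather than something the snippet does.

```python
import base64, hashlib, hmac, json, secrets, sqlite3, time

SECRET = b"constructed-demo-secret"  # constructed value; use a random key in practice

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def open_store() -> sqlite3.Connection:
    # stands in for the web2py jwt_tokens table from the quoted snippet
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jwt_tokens (token TEXT PRIMARY KEY,"
               " user_id INTEGER, inserted_on REAL)")
    return db

def issue_token(db: sqlite3.Connection, user_id: int) -> str:
    # fresh random jti; the user's earlier token is dropped so only one is valid
    jti = secrets.token_urlsafe(16)
    db.execute("DELETE FROM jwt_tokens WHERE user_id = ?", (user_id,))
    db.execute("INSERT INTO jwt_tokens VALUES (?, ?, ?)", (jti, user_id, time.time()))
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"user": {"id": user_id}, "jti": jti}).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_sign(signing_input)}"

def authorize(db: sqlite3.Connection, token: str):
    """Return the claims if signature and jti check out, else None
    (the snippet raises HTTP(400) at the same point)."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    # verify the MAC before trusting anything in the header or payload
    if not hmac.compare_digest(_sign(f"{header}.{payload}".encode()), sig):
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None
    claims = json.loads(_unb64(payload))
    row = db.execute("SELECT 1 FROM jwt_tokens WHERE user_id = ? AND token = ?",
                     (claims["user"]["id"], claims.get("jti"))).fetchone()
    return claims if row else None

def revoke_user(db: sqlite3.Connection, user_id: int) -> None:
    # logout / revocation: delete the stored jti so existing tokens stop working
    db.execute("DELETE FROM jwt_tokens WHERE user_id = ?", (user_id,))
```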