Each app (provider and consumer) has its own session cookies. An authentication gets passed between the two at login, similarly to OAuth.
On Sunday, 20 September 2015 18:54:44 UTC-5, Luis Valladares wrote:
>
> After some discussion with my team we came up with this architecture:
>
> We will have a service to manage authentication and authorization; all our
> services will query it in order to get permissions and credentials. For
> authentication we will use CAS and for authorization RBAC, sent over JSON.
>
> I've another question: exactly how does CAS work? I mean, I know the theory
> that you log in at the CAS provider and you will be logged in at the CAS
> consumer, but how does this work? With session cookies and a token? Or how
> does CAS communicate with the consumers?
>
> On Monday, 14 September 2015 at 21:54:30 (UTC-4:30), Luis Valladares wrote:
>>
>> Thanks for your answer!
>>
>> I've been reading about JWT too, and I consider it for application
>> authorization; the thing is I don't feel comfortable sending the parameters
>> through JSON, I prefer to send them via POST parameters and so on, but after
>> reading the link you posted it sounds like a good solution for app
>> authentication, and I will consider this along with the Amazon approach and
>> OAuth2. The thing that is really bothering me is the authorization of
>> users. Any suggestion in this field?
>>
>> Thank you very much!
>>
>> On Monday, 14 September 2015 at 18:19:12 (UTC-4:30), Dave S wrote:
>>>
>>> On Monday, September 14, 2015 at 3:35:20 PM UTC-7, Luis Valladares wrote:
>>>>
>>>> Since I did the post I found some interesting articles, and now I have a
>>>> better implementation idea, but I'm still looking for the solution on one
>>>> subject.
>>>>
>>>> Here is what I have now:
>>>>
>>>> I will handle the authentication of my applications using the Amazon
>>>> approach
>>>> (http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)
>>>> and the user authentication using CAS in order to centralize all the
>>>> services' auth providers, but I'm still searching for a way to handle the
>>>> authorization for users. I read about Spring Security but I didn't see any
>>>> implementation in Python or web2py.
>>>>
>>>> Again, thanks for any help!
>>>
>>> Perhaps Niphlod's JWT implementation would work for you, too.
>>>
>>> Quoting his example again:
>>>
>>>> As per the "original" demand of covering one-time-issued tokens, the "jti"
>>>> claim is the standard, and can be easily implemented, imagining storing
>>>> valid tokens in a database table:
>>>>
>>>>     # web2py model code: db, Field, request, HTTP and auth are web2py globals
>>>>     db.define_table('jwt_tokens',
>>>>                     Field('token'),
>>>>                     Field('user_id'),
>>>>                     Field('inserted_on', 'datetime', default=request.now))
>>>>
>>>>     def myadditional_payload(payload):
>>>>         # attach the user's most recently issued token as the jti claim
>>>>         # (assumes a row has been inserted for this user before the JWT is built)
>>>>         res = db(db.jwt_tokens.user_id == payload['user']['id']).select(
>>>>             orderby=~db.jwt_tokens.inserted_on).first()
>>>>         payload['jti'] = res.token
>>>>         return payload
>>>>
>>>>     def mybefore_authorization(tokend):
>>>>         # reject any token whose jti is no longer listed as valid for that user
>>>>         res = db(
>>>>             (db.jwt_tokens.user_id == tokend['user']['id']) &
>>>>             (db.jwt_tokens.token == tokend['jti'])
>>>>         ).select().first()
>>>>         if not res:
>>>>             raise HTTP(400, u'Invalid JWT jti claim')
>>>>
>>>>     myjwt = Web2pyJwt('secret', auth,
>>>>                       additional_payload=myadditional_payload,
>>>>                       before_authorization=mybefore_authorization)
>>>
>>> The list of features is in his post in the developers' forum.
>>> <URL: https://groups.google.com/d/msg/web2py-developers/dXfUrHNI5Sg/gqNa3kXsCQAJ >
>>>
>>> If you need some background on JWT, my reading list recently included
>>> <URL:https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html>
>>> (that's the standard as of May; it's actually readable by users of
>>> standards as well as the writers, I think)
>>>
>>> /dps

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
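The login round-trip the reply at the top describes (each side keeps its own session cookie; what crosses between them at login is a short-lived ticket), as an added Python simulation of the CAS 2.0 exchange. This is not code from the thread, from web2py, or from any CAS implementation. The `/cas/login` and `/cas/serviceValidate` endpoints, the `service` and `ticket` parameters, and the TGC/ST names follow the CAS protocol; the class names (`CasServer`, `Consumer`, `run_flow`), the hostnames (`cas.example`, `app1.example`, `app2.example`), the demo account, and the 10-second ticket lifetime are assumptions made for the example. The "network" is simulated by direct method calls, so it runs offline.

```python
"""Simulated CAS single sign-on between a CAS server and two consumer apps.
Added example, not web2py or CAS code.  The CAS server keeps a ticket-granting
cookie (TGC) session; each consumer mints its own app session cookie.  What
crosses between them at login is a single-use, short-lived service ticket (ST)
carried in a redirect and checked server-to-server via /cas/serviceValidate."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CAS_BASE = "https://cas.example/cas"   # assumed CAS server URL
ST_TTL_SECONDS = 10                    # assumed ST lifetime (CAS only says "short")


def _query(url):
    """Decode a URL's query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class CasServer:
    def __init__(self, users, clock=time.time):
        self.users = users      # username -> password (constructed demo data)
        self.clock = clock      # injectable so expiry can be tested
        self.tgts = {}          # TGC cookie value -> username (SSO session)
        self.tickets = {}       # ST -> (username, bound service URL, issued_at)

    def login(self, login_url, username=None, password=None, tgc=None):
        """Handle /cas/login?service=...  Returns (TGC cookie, redirect Location),
        or (None, None) when the login form has to be shown (again)."""
        service = _query(login_url)["service"]
        if tgc in self.tgts:                           # live SSO session: no re-auth
            user = self.tgts[tgc]
        elif username is not None and self.users.get(username) == password:
            user = username
            tgc = "TGC-" + secrets.token_urlsafe(32)
            self.tgts[tgc] = user
        else:
            return None, None
        st = "ST-" + secrets.token_urlsafe(32)
        self.tickets[st] = (user, service, self.clock())
        sep = "&" if "?" in service else "?"
        return tgc, service + sep + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """Handle /cas/serviceValidate?service=...&ticket=...
        Returns (True, username) or (False, error code)."""
        entry = self.tickets.pop(ticket, None)         # pop: an ST validates at most once
        if entry is None:
            return False, "INVALID_TICKET"
        user, bound_service, issued_at = entry
        if bound_service != service:                   # ST is bound to one service URL
            return False, "INVALID_SERVICE"
        if self.clock() - issued_at > ST_TTL_SECONDS:
            return False, "INVALID_TICKET"
        return True, user


class Consumer:
    def __init__(self, service_url, cas):
        self.service_url = service_url
        self.cas = cas
        self.sessions = {}      # this app's own session cookie value -> username

    def login_redirect(self):
        """Where an unauthenticated browser is sent."""
        return CAS_BASE + "/login?" + urlencode({"service": self.service_url})

    def handle_callback(self, location):
        """Browser lands on service_url?ticket=ST-...; validate it back-channel,
        then issue the consumer's own session cookie (never the TGC)."""
        ticket = _query(location).get("ticket")
        ok, result = self.cas.service_validate(self.service_url, ticket)
        if not ok:
            return None
        sid = "app_session=" + secrets.token_urlsafe(32)
        self.sessions[sid] = result
        return sid


def run_flow(clock=time.time):
    """Walk two apps through SSO and return the observable outcomes."""
    cas = CasServer({"alice": "correct horse"}, clock)       # constructed account
    app1 = Consumer("https://app1.example/", cas)
    app2 = Consumer("https://app2.example/?next=/dash", cas)

    # 1. app1 -> CAS login form -> password check -> redirect carrying an ST
    tgc, loc1 = cas.login(app1.login_redirect(), "alice", "correct horse")
    sid1 = app1.handle_callback(loc1)
    replay = app1.handle_callback(loc1)                      # same ST presented twice

    # 2. app2: the browser still holds the TGC, so no password prompt
    tgc2, loc2 = cas.login(app2.login_redirect(), tgc=tgc)
    sid2 = app2.handle_callback(loc2)

    # 3. an ST minted for app1 but presented as if for app2 (misrouted/stolen)
    _, loc3 = cas.login(app1.login_redirect(), tgc=tgc)
    stolen = cas.service_validate(app2.service_url, _query(loc3)["ticket"])

    return {
        "app1_user": app1.sessions.get(sid1),
        "app2_user": app2.sessions.get(sid2),
        "replay_accepted": replay is not None,
        "same_tgc_reused": tgc2 == tgc,
        "cookies_distinct": len({tgc, sid1, sid2}) == 3,
        "stolen_ticket": stolen,
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(name, value)
```

The three things a consumer implementation has to get right are visible in `service_validate`: the ticket is consumed on first use (replay fails), it is bound to the exact `service` URL it was issued for (a ticket for app1 is useless at app2), and it expires quickly. The TGC never leaves the CAS server's own cookie scope; each consumer's session is its own cookie, which is why logging out of one app does not by itself end the SSO session at CAS.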