Project

Profile

Help

Story #2359

Updated by ttereshc about 8 years ago

Use djangorestframework-jwt to implement JWT support. 

 One should be able to: 
 * acquire a JWT after some other initial authentication (e.g. basic auth) 
 * use JWT for further authentication 
 * invalidate JWT 
 > *    by request 
 > *    when password-like credentials used in the initial authentication were changed 

 JWT token should be expired at some point (after 1 week?). 

 More explanations about use of JWT in Pulp could be found in "pulp-dev list":https://www.redhat.com/archives/pulp-dev/2016-September/msg00049.html 

 One of the possible solutions for invalidating such tokens as JWT would be checking some timestamps on each request. 
 Even though Pulp does not expect tons of request per second it    still looks a bit expensive to me to call db on every request, iiuc. Just a thought to keep in mind.

Back