Story #2359

Updated by ttereshc about 3 years ago

Use djangorestframework-jwt to implement JWT support.

One should be able to:
* acquire a JWT after some other initial authentication (e.g. basic auth)
* use JWT for further authentication
* invalidate JWT
** by request
** on user logout
** on user delete
** when password-like credentials used in the initial authentication were changed
* configure expiration time for the JWT token (the default value - should be expired at some point (after 1 week? 3 weeks?)).

More explanations about the use of JWT in Pulp can be found in the "pulp-dev list":https://www.redhat.com/archives/pulp-dev/2016-September/msg00049.html

One of the possible solutions for invalidating such tokens as JWT would be checking some timestamps on each request.
Even though Pulp does not expect tons of requests per second, it still looks a bit expensive to me to call the db on every request, iiuc. Just a thought to keep in mind.
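
The timestamp check mentioned above, as an added example (not Pulp's or djangorestframework-jwt's code): a stdlib-only HS256 token whose `iat` claim is compared against a per-user cutoff on every request. `SECRET`, `ACCOUNTS`, `issue`, `invalidate` and `verify` are hypothetical names, and the dict stands in for the per-request database lookup.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: demo key, a real one comes from settings
EXPIRATION = 7 * 24 * 3600        # configurable lifetime in seconds (1 week here)
ACCOUNTS = {"alice": 0}           # constructed: username -> "tokens valid after" epoch

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64d(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign(signing_input):
    return b64e(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue(user, now=None):
    """Mint a token after some other initial authentication succeeded."""
    now = int(time.time() if now is None else now)
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "iat": now, "exp": now + EXPIRATION}
    signing_input = header + b"." + b64e(json.dumps(claims).encode())
    return (signing_input + b"." + sign(signing_input)).decode()

def invalidate(user, now=None):
    """Call on explicit request, logout, or password change."""
    ACCOUNTS[user] = int(time.time() if now is None else now)

def verify(token, now=None):
    """Return the username, or None when the token must be rejected."""
    now = int(time.time() if now is None else now)
    try:
        header, payload, sig = token.encode().split(b".")
        # Check the signature before trusting any field of the token.
        if not hmac.compare_digest(sig, sign(header + b"." + payload)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(payload))
        user, iat, exp = claims["sub"], claims["iat"], claims["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if now >= exp:
        return None
    cutoff = ACCOUNTS.get(user)   # the one lookup paid on every request
    # Deleted user, or token issued at/before the cutoff: reject (fails closed
    # for a token minted in the same second as the invalidation).
    if cutoff is None or iat <= cutoff:
        return None
    return user
```

The signature and expiry checks need no storage; only the cutoff comparison costs a lookup, which is the per-request database call the note above is concerned about.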
