couchdb-dev mailing list archives

From Klaus Trainer <klaus_trai...@posteo.de>
Subject Re: [PROPOSAL] Remove oAuth for 2.0
Date Fri, 11 Sep 2015 14:50:28 GMT
Hi everybody!

On 09/10/2015 08:20 PM, Alexander Shorin wrote:
> Seems like there are not many options.
> 
> I disagree that it's very poor. The only flaws it has are the lack of
> RSA support (our implementation) and open security issues (as auth
> protocol). But is there any good alternative?

A good alternative would be to support JSON Web Token (JWT) [1].
Somebody has already done some work for CouchDB 1.6 in this regard [2].
They managed to outsource authentication to Auth0, while validating JWTs
issued by Auth0, and creating respective CouchDB sessions with username
and roles assigned from the JWT [3, 4].

In addition to what's been done in [2], I'd like CouchDB to be able to
issue JWTs as well, which then could also be used by other applications
for authentication and authorization.

In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
conceptually much simpler. It is easy to set up on servers, and easy
to use for clients (e.g. in the browser).

Regarding implementing JWT in CouchDB: I'd like to volunteer and can
allocate time for that.

What do you think about supporting JWT?


[1] https://tools.ietf.org/html/rfc7519
[2] https://github.com/softapalvelin/couch_jwt_auth
[3] https://github.com/softapalvelin/getting-started-todo
[4] https://auth0.com/

