couchdb-dev mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: [PROPOSAL] Remove oAuth for 2.0
Date Fri, 11 Sep 2015 20:55:17 GMT
+1 to remove oauth. 

Keen to see new authn and authz options for couchdb but that's a separate topic. 



> On 11 Sep 2015, at 17:38, Jan Lehnardt <jan@apache.org> wrote:
> 
> Let’s keep things separate.
> 
> I propose moving broken oAuth support from 2.0. I’m prepared to do the legwork, it shouldn’t take long.
> 
> If someone steps in and fixes oAuth for 2.0 VERY SOON, I’d be okay with keeping it.
> 
> At this point, we are not discussing additional features for 2.0.
> 
> If we get JWT, it goes into 2.1.
> 
> Best
> Jan
> --
> 
> 
> 
>> On 11 Sep 2015, at 16:50, Klaus Trainer <klaus_trainer@posteo.de> wrote:
>> 
>> Hi everybody!
>> 
>>> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>>> Seems like there are not many options.
>>> 
>>> I disagree that it's very poor. The only flaws it has are the lack of
>>> RSA support (our implementation) and open security issues (as auth
>>> protocol). But is there any good alternative?
>> 
>> A good alternative would be to support JSON Web Token (JWT) [1].
>> Somebody has already done some work for CouchDB 1.6 in this regard [2].
>> They managed to outsource authentication to Auth0, while validating JWTs
>> issued by Auth0, and creating respective CouchDB sessions with username
>> and roles assigned from the JWT [3, 4].
>> 
>> In addition to what's been done in [2], I'd like CouchDB to be able to
>> issue JWTs as well, which then could also be used by other applications
>> for authentication and authorization.
>> 
>> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
>> conceptually much simpler. It is easy to set up on servers, and easy
>> to use for clients (e.g. in the browsers).
>> 
>> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
>> allocate time for that.
>> 
>> What do you think about supporting JWT?
>> 
>> 
>> [1] https://tools.ietf.org/html/rfc7519
>> [2] https://github.com/softapalvelin/couch_jwt_auth
>> [3] https://github.com/softapalvelin/getting-started-todo
>> [4] https://auth0.com/
> 
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
> 
