couchdb-dev mailing list archives

From Alexander Shorin <kxe...@gmail.com>
Subject Re: [PROPOSAL] Remove oAuth for 2.0
Date Fri, 11 Sep 2015 16:06:04 GMT
On Fri, Sep 11, 2015 at 5:50 PM, Klaus Trainer <klaus_trainer@posteo.de> wrote:
>
> On 09/10/2015 08:20 PM, Alexander Shorin wrote:
>> Seems like there are no much options.
>>
>> I disagree that it's very poor. The only flaws it has is the lack of
>> RSA support (our implementation) and open security issues (as auth
>> protocol). But is there any good alternative?
>
> A good alternative would be to support JSON Web Token (JWT) [1].
> Somebody has already done some work for CouchDB 1.6 in this regard [2].
> They managed to outsource authentication to Auth0, while validating JWTs
> issued by Auth0, and creating respective CouchDB sessions with username
> and roles assigned from the JWT [3, 4].
>
> In addition to what's been done in [2], I'd like CouchDB to be able to
> issue JWTs as well, which then could also be used by other applications
> for authentication and authorization.
>
> In contrast to OAuth 1.0a (which is implemented in CouchDB), JWT is
> conceptually much simpler. It is easy to set up on servers, and easy
> to use for clients (e.g. in the browser).
>
> Regarding implementing JWT in CouchDB: I'd like to volunteer and can
> allocate time for that.
>
> What do you think about supporting JWT?

JWT is all good except for one thing: it's not an alternative to OAuth (:
And it's hard to say that it's simpler, especially in the case of
supporting all the algorithms on the browser side. WebCrypto is not a
common thing yet.

But I'm +1 for JWT support anyway. It has its own good use cases.

P.S. Basically, CouchDB cookies are JWTs, except that the payload isn't
JSON but a binary Erlang term.

--
,,,^..^,,,
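The flow Klaus describes above (validate an incoming JWT, then build a CouchDB session with the username and roles taken from its claims), as an added example that is not part of this thread or of CouchDB's code. It assumes HS256 with a shared secret and claims named "sub" and "roles"; the secret and timestamps below are constructed.

```python
import base64, hashlib, hmac, json

# Constructed example, not CouchDB code. Assumptions: HS256 with a shared
# secret, username in "sub", CouchDB roles in a "roles" claim, "exp" in seconds.
ALLOWED_ALGS = {"HS256"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(secret: bytes, name: str, roles: list, ttl: int, now: int) -> str:
    """Issue an HS256 JWT carrying username and roles (the server-side half)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": name, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = _b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_jwt(secret: bytes, token: str, now: int):
    """Validate a JWT and return a CouchDB-style userCtx, or None on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side: the token's "alg" must never choose the
    # verifier, otherwise "alg": "none" or key-confusion tokens get accepted.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:  # reject expired or missing exp
        return None
    name, roles = payload.get("sub"), payload.get("roles", [])
    if not isinstance(name, str) or not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        return None
    return {"name": name, "roles": list(roles)}  # what CouchDB would put in the session
```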
