ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-9833) Token Based Authentication
Date Thu, 22 Mar 2018 19:18:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16410149#comment-16410149

Jacques Le Roux commented on OFBIZ-9833:

I understand what I did in this issue (back and forth) needs some clarification.

Actually I think now that I should have created another issue, though what I did is closely
related. What Deepak proposes with [^OFBIZ-9833-JWTManager.patch] is a general way of handling
JWT tokens for authentication and more. It seems it's so far only related to replacing the
current way of authenticating, with ExternalLoginKey or Tomcat SSO, on the same domain. But
AFAIK not to automatically jump signed in to another domain, without passing by a third party,
like the passport component does for instance (and standards like SAML or OAuth2).

In my 1st comment here I wrote:
{quote}I have done something for a custom project and will try to generalise it to include
it in OFBiz. The goal is only to allow access to an external server also running an OFBiz
instance. This can be useful for cases when you want to access special features, like heavy
reports, etc.
So it's simple, but the bright side is also that it's simple. It's included in OFBiz with
very few changes and is totally secure. Anyway I'll provide a patch for review.{quote}
What I missed to say then, is it's about different domains, and that's the crucial point.
So I will create another issue soon, because it's related (use of JWT Token for authentication)
but different.

So, what I did is a use of JWT token authentication to get from one domain, where you are
signed in, to another domain where you get signed in automatically. Something like ExternalLoginKey
or Tomcat SSO, but not on the same domain.

I did it wrongly initially and I explained it above. I now have a working solution, which
is much simpler than the one I wrote initially. I was confronted with a few unexpected issues
while doing it. "In my quest", I found that sending a JWT token to authenticate on another
domain is not as easy as I thought.

The piece which was totally wrong in my work was using a wrapper inside ContextFilter, and
I have explained it above. I have now completely removed this most problematic part with r1827441.
The rest of what I committed and modified since, I need and will use with another patch
in another Jira. So I'll not revert that part. I'll maybe slightly modify it again though, to
share as many things as possible with Deepak's work. For instance his createJwt is more general
than mine, but I still have to compare and check.

I hope this clarifies and summarizes the situation here. I have removed all that I attached to
clarify this Jira.

> Token Based Authentication
> --------------------------
>                 Key: OFBIZ-9833
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9833
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>         Attachments: JSON Web Tokens.pdf, OFBIZ-9833-JWTManager.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
> Here is dev list discussion for token based authentication work:
> http://markmail.org/message/vyskeh2wujqpkbwg

This message was sent by Atlassian JIRA
