Using token instead of credentials to authenticate admin user #8
Comments
Yes I agree that storing admin credentials is not ideal. I think creating a JWT for the user instead could be a good replacement. Are you thinking that the user would create a token with My only concern is that tokens become almost impossible to invalidate. If an attacker gained access to the token the only course of action would be to change the secret used and in the process invalidate every token created, forcing all users to sign in again. Whereas with a username and password, only the password would have to be changed. Of course, a focused token (i.e. one that only has access to the session database) is probably better than using admin credentials. I agree though that this does open the doors for API keys, which is yet another reason to use this over the built-in authentication.
@tyler-johnson sorry for the delay, it was a busy day. As of this PR we have blacklisting tokens sorted :). I'd be inclined to use specific roles.
Ahh yes, blacklisting does more or less fix this issue. Okay, I will put together some documentation on how to use JWTs to authenticate with the session database instead of an admin name and password.
Good stuff!

On Mon, Feb 22, 2016 at 10:20 PM Tyler Johnson notifications@github.com
Admin credentials are necessary if you're using the couch session store. In order to avoid exposing those directly, what do you think about allowing the use of a token instead of a username/password? The token could be either one that doesn't expire or one that expires in 3 months or so (up to you) and is treated like an SSL cert that has to be renewed.
I guess this opens the door to API keys to applications in a way. :)
What are your thoughts around this?
Cheers,
Darío