SUSE / telemetry-server

Proof of Concept Telemetry Server scaffolding
Apache License 2.0

Authentication: Switch to using JWT auth tokens #35

Closed rtamalin closed 1 month ago

rtamalin commented 1 month ago

Leverage JWT as our auth token generation and validation mechanism, using the golang-jwt/jwt/v5 module.

Using JWTs also has the advantage that we don't need to store the tokens on the server side; we just need to generate them and provide them to the clients, and when the clients send a request we can validate the token, failing a request with a 401 Unauthorized if needed, without the need for any DB interactions to perform the validation.

We will, initially at least, leverage the following claims:

The server will use a private secret key combined with an HMAC signing method.

Existing tokens can be "revoked" either by changing the issuer name or changing the secret key used for signing.

If the signing method is updated, but the associated secret key remains the same, or is retained, existing tokens based upon the previous signing method can potentially continue to work until their expiration date passes.

We will need to implement a /authenticate REST API request to allow clients to re-authenticate if their token has expired.
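The lifecycle described in this comment, as an added example that is not part of the issue or of the telemetry-server code base: the project uses golang-jwt/jwt/v5, but this block implements the HS256/HS512 JWT format with the Go standard library only so that it runs stand-alone. The `Claims`/`Verifier` types, the `sub` claim, the issuer name `telemetry-server`, the client ID and the secret are all constructed for the example. It shows stateless validation (no DB lookup, every failure becomes a 401), revocation by issuer rename or key rotation, expiry, and the signing-method caveat: a server that moves to HS512 but keeps the same key and still lists HS256 as acceptable continues to honour old HS256 tokens until they expire, whereas dropping HS256 from the allow-list rejects them immediately.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"strings"
	"time"
)

// Claims is the token payload. "iss" and "exp" are the two claims the
// revocation and re-authentication story depends on; "sub" (the registered
// client's ID) is an assumption made for this example.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

// hmacHash maps a JOSE "alg" name to the hash its HMAC uses. Anything absent
// from this table (including "none") can neither be signed nor verified.
var hmacHash = map[string]func() hash.Hash{
	"HS256": sha256.New,
	"HS512": sha512.New,
}

var b64 = base64.RawURLEncoding

// ErrUnauthorized is what a request handler turns into a 401 Unauthorized.
var ErrUnauthorized = errors.New("401 Unauthorized")

// Sign builds header.payload.signature over the claims with an HMAC secret.
// Nothing is persisted: the signature is the only server-side state needed.
func Sign(alg string, key []byte, c Claims) (string, error) {
	newHash, ok := hmacHash[alg]
	if !ok {
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(newHash, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verifier is the server's validation state: issuer name, current secret and
// the HMAC algs it still honours. Changing Issuer or Key invalidates every
// outstanding token at once; AllowedAlgs decides whether tokens minted under
// a previous signing method keep working while the key is retained.
type Verifier struct {
	Issuer      string
	Key         []byte
	AllowedAlgs []string
	Now         func() time.Time
}

// Verify checks structure, alg, signature, issuer and expiry, in that order,
// with no database access. Every failure is reported as ErrUnauthorized.
func (v Verifier) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrUnauthorized
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return Claims{}, ErrUnauthorized
	}
	// The alg is taken from the server's allow-list, never trusted from the
	// header alone; this is what makes dropping an old signing method bite.
	newHash, allowed := hmacHash[hdr.Alg], false
	for _, a := range v.AllowedAlgs {
		allowed = allowed || a == hdr.Alg
	}
	if !allowed || newHash == nil {
		return Claims{}, ErrUnauthorized
	}
	mac := hmac.New(newHash, v.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return Claims{}, ErrUnauthorized
	}
	payload, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return Claims{}, ErrUnauthorized
	}
	if c.Issuer != v.Issuer || !v.Now().Before(time.Unix(c.Expires, 0)) {
		return Claims{}, ErrUnauthorized
	}
	return c, nil
}

func main() {
	key := []byte("constructed-example-secret") // constructed; never hard-code a real secret
	now := time.Now()
	tok, _ := Sign("HS256", key, Claims{Issuer: "telemetry-server", Subject: "client-42",
		IssuedAt: now.Unix(), Expires: now.Add(time.Hour).Unix()})
	srv := Verifier{Issuer: "telemetry-server", Key: key, AllowedAlgs: []string{"HS256"}, Now: time.Now}
	_, err := srv.Verify(tok)
	fmt.Println("current issuer/key/alg:", err)
	srv.AllowedAlgs = []string{"HS512"} // moved to HS512, same key, HS256 dropped
	_, err = srv.Verify(tok)
	fmt.Println("alg changed, old alg dropped:", err)
	srv.AllowedAlgs = []string{"HS256", "HS512"} // moved to HS512, same key, HS256 retained
	_, err = srv.Verify(tok)
	fmt.Println("alg changed, old alg retained:", err)
}
```

The allow-list is the important knob: a verifier that simply looked up whatever `alg` the header names would honour every token signed with the retained key under any method it knows, which is exactly the "continue to work until their expiration date passes" case. With golang-jwt/jwt/v5 the equivalent restriction is the `jwt.WithValidMethods` parser option (and `jwt.WithIssuer` for the issuer check).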

rtamalin commented 1 month ago

Now that #39 has landed we should fully support client registration, submission, and (re)authentication using JWTs for auth tokens.