Open jpuck opened 7 years ago
Thank you for reporting this. I do fully acknowledge that this was really made for our specific use case at the University, and with that said, we did miss some things like this.
If you encounter any other issues such as this, feel free to keep opening issues. I will do my best to update it accordingly.
@cjmaio I've created a branch off of Lara5.4 which doesn't load any of the token stuff by default so it runs significantly faster and doesn't clutter the URL.
You can still fully activate the tokenizer by setting an .env variable JWTAUTH=true
I think other institutions would benefit from it, so if it's all right with you, then I can add it to #25 or I can wait until you're done reviewing the existing PR changes just so it's not too much all at once?
I'm unfamiliar with the validity, but interesting related reading: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
While I do agree with the article, it isn't as pertinent to this because the backend service is always checking to see if you're logged in via Shibboleth... the JWTs are more for the front end to have some sort of idea that it's logged in (which is always subject to forgery regardless).
On Thu, Mar 16, 2017 at 3:45 PM Jeff Puckett notifications@github.com wrote:
I'm unfamiliar with the validity, but interesting related reading: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
StudentAffairsUwm\Shibboleth\Controllers\ShibbolethController has an undocumented dependency. tymon/jwt-auth needs to be added to the composer.json, and it would probably be more portable to reference the fully qualified class name in the controller:
Although because the factory needs to be referenced as well it would be at least helpful to document this in the README letting users know they should add the class alias to their config/app.php as well as registering the provider: