acquia / reservoir

A back end for your front end: a content repository. Powered by Drupal 8, JSON API and OAuth2.

Are there any plans to support JWT tokens? #18

Open berdyshev opened 7 years ago

berdyshev commented 7 years ago

I think JWT could be a nice choice for simple apps where only a web app and a backend exist, since it suggests a simpler way to authorize front-end requests to the backend.

Are there any plans to provide this type of authorization?

wimleers commented 7 years ago

I think you're asking for support for the OAuth2 Client Credentials grant? See http://oauth2.thephpleague.com/authorization-server/client-credentials-grant/. Please confirm, to ensure I'm not misinterpreting.

berdyshev commented 7 years ago

Yes, but I'm about to use JWT tokens without an OAuth server, which is simpler. The user logs in with username/password, the server generates a token based on JSON Web Token rules and returns it to the frontend. Then the frontend sends all API requests with an Authorization: Bearer ${TOKEN} header. From my point of view it's almost the same, as JWT is just a standard for generating tokens, but using it standalone just removes a bit of complexity from a simple application.

Here is a module which already provides JWT token generation for a logged-in user: https://drupal.org/project/jwt

wimleers commented 7 years ago

Thanks for clarifying!

Paging @e0ipso (https://www.drupal.org/project/simple_oauth maintainer) and @gabesullice (https://www.drupal.org/project/jwt maintainer), to get their thoughts.

e0ipso commented 7 years ago

From our discussion at DrupalCon we agreed that: if you want to generate your access tokens outside of Drupal, you want JWT. If your ID management service is Drupal, you want Simple OAuth 2.x (which comes with customizable JWTs).

berdyshev commented 7 years ago

I don't know what the motivation for that decision was. I suppose it's reasonable for full-featured solutions (distributions), but IMHO, for small projects it could be overkill.

You can find a comparison and arguments for both of these approaches in this thread (they talk about Laravel packages, but the idea is the same).

PS: I understand that, most likely, this won't be part of this distribution, because it focuses on a universal solution. So maybe this thread could be closed if there are no new thoughts.