Open wichert opened 8 years ago
+1
I'm assuming the `Bearer token="aaa.bbb.ccc"` format is used because that's what is used in macauthlib / pyramid_macauth, where an auth header takes the form:
Authorization: MAC id="h480djs93hd8" ts="1336363200" nonce="dj83hs9s" mac="bhCQXTVyfj5cmA9uKkPFx1zeOXM="
I'd gladly put together a PR, just need to know if both forms need to be acceptable. Like @wichert, I've never seen the `Bearer token="aaa.bbb.ccc"` format used for JWT. Seeing as @ajkavanagh already has a disclaimer at the top of the README warning about likely code changes, my vote would be to use the more standard `Bearer aaa.bbb.ccc` format and raise a ValueError for malformed headers.
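The header parsing discussed in this thread (the issue's complaint that only the `token="...."` form is accepted, and the proposal above to accept the plain `Bearer aaa.bbb.ccc` form and raise ValueError on anything malformed), written out as an added example. This is illustrative code, not pyramid_jwtauth's own parser or any contributor's PR; the function names, the decision to accept both forms, and the "three non-empty base64url segments" shape check are assumptions made here.

```python
import re

# Compact JWS/JWT serialization: three base64url segments separated by dots.
# Assumption: all three segments must be non-empty, which also rejects
# unsecured "alg: none" tokens whose signature segment is empty.
_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

# The macauthlib-style key/value form the issue describes: token="<jwt>"
_QUOTED_RE = re.compile(r'^token="([^"]*)"$')


def parse_bearer_header(header):
    """Return the JWT carried by an Authorization header.

    Accepts both forms discussed in the thread:
        Authorization: Bearer aaa.bbb.ccc
        Authorization: Bearer token="aaa.bbb.ccc"
    Raises ValueError for anything else: missing header, missing scheme,
    a scheme other than Bearer, an unterminated quote, or a credential
    that is not shaped like a compact JWT.
    """
    if header is None:
        raise ValueError("missing Authorization header")
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("Authorization header must be '<scheme> <credentials>'")
    scheme, credentials = parts
    # RFC 6750 treats the scheme name as case-insensitive.
    if scheme.lower() != "bearer":
        raise ValueError("unsupported authorization scheme: %r" % scheme)
    credentials = credentials.strip()
    quoted = _QUOTED_RE.match(credentials)
    token = quoted.group(1) if quoted else credentials
    if not _JWT_RE.match(token):
        raise ValueError("credentials are not a compact JWT")
    return token


def header_error(header):
    """Return None if the header parses, otherwise the error message.

    Convenience wrapper so callers (and tests) can check rejection
    without try/except at every call site.
    """
    try:
        parse_bearer_header(header)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real service.
    samples = [
        'Bearer aaa.bbb.ccc',
        'Bearer token="aaa.bbb.ccc"',
        'bearer aaa.bbb.ccc',
        'Bearer token="aaa.bbb.ccc',      # unterminated quote
        'Bearer',                          # no credentials
        'MAC id="h480djs93hd8" ts="1336363200"',  # different scheme
        'Bearer token=""',                 # empty token
    ]
    for sample in samples:
        err = header_error(sample)
        print("%-45r -> %s" % (sample, "ok: " + parse_bearer_header(sample) if err is None else "rejected: " + err))
```

The quoted form is recognised only when the whole credential string is exactly `token="..."`; a stray quote or an extra parameter falls through to the JWT shape check and is rejected rather than partially parsed.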
@bfin I'd love to see a pull request. If @ajkavanagh does not merge it I'll just switch to your branch :)
FWIW my current workaround is to have my APIs return `token="...."` as API token, which looks pretty awful to users.
To work correctly with Bearer, see: https://github.com/marioidival/pyramid_jwtauth/commit/bdaa8bd625a234cd06ba2b591ad8940583a4929d
FWIW I started writing pyramid_jwt as an alternative to add JWT support to Pyramid. The code is a little bit more opinionated and exposes a simple API to create new tokens from views making it a bit easier to use.
@wichert That's great -- checking it out now
@bfin Looking forward to any feedback. Keep in mind it's still very new, so documentation is not complete yet (but does include an example to address #4) and there may be a few remaining bugs.
Not all implementations use key-value pairs for JWT. Multiple implementations and various examples floating around on the web use the token directly:
This is not supported by pyramid_jwtauth currently: it insists that you use the `token="...."` format. So far I have not found any other implementation that uses that pattern as well, which makes me think that at least pyramid_jwtauth should not require that, and perhaps should not default to requiring it at all.