Open pulpbot opened 2 years ago
From: @ipanova (ipanova@redhat.com) Date: 2021-06-22T10:13:04Z
Has it been decided which implementation option will it be? In case jwt tokens, I'd like to see code ported from pulp-container into core so more plugins can benefit from it.
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Author: @gerrod3 (gerrod)
Redmine Issue: 8939, https://pulp.plan.io/issues/8939
Background
Token authentication hands out a secret token to be used by a user to authenticate themselves. These tokens are passed in through the
Authorization
HTTP header with each request usually in the form ofTOKEN {USER_TOKEN}
. Tokens need to be kept secret like passwords and should only be used withhttps
. Token auth can be implemented many different ways, but the general workflow follows:Token auth can easily be added using the pre-built token authentication available in DRF: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication. Two popular methods for token authentication are simple HTTP tokens and JSON Web token (JWT).
Simple HTTP Tokens
Basic token authentication comes included in DRF and can be added by including
rest_framework.authtoken
in theINSTALLED_APPS
list and by addingTokenAuthentication
to DRF'sDEFAULT_AUTHENTICATION_CLASSES
setting. This creates a model for storing tokens in the database.obtain_auth_token
is a default view for generating tokens that can be added for users to receive their tokens.Pros
Cons
JSON Web Tokens
Background: https://jwt.io/introduction. JWTs consist of three encoded strings separated by dots which are: the header, the payload and the signature. JWTs use the signatures of the token to validate the authenticity of a token and have no need for a database to store them. The header tells how the token is encoded and the payload contains information, called claims, about the token like the user and expiration time for the token. The signature is created from the private key of the server and the encoded strings of the header and payload to validate the token. JWTs usually use the Bearer schema inside the
Authentication
header, e.g.:Authentication: Bearer {USER_TOKEN}
. Since the signature validates the token an expiration is added to the payload to be able to invalidate it.djangorestframework-simplejwt
implements JWTs for DRF by generating two tokens for users. One is a short-lived access token to authenticate and the other is a longer-lived refresh token that can be used to get another acess token.Pros
Cons
Implementation Options