robcast / digilib

A versatile image viewing environment for the internet.
https://robcast.github.io/digilib/
GNU Lesser General Public License v3.0

proposal: simple token-based authentication #1

Closed funkyfuture closed 6 years ago

funkyfuture commented 7 years ago

we have a variety of users that we cannot authenticate against one of digilib's available authentication methods.

for our uses a simple token based authentication, where the tokens are passed as for the OpenIdAuthnOps, but with a local definition of valid tokens and assigned roles would be feasible.

something like this in digilib-auth.xml:

<digilib-token>
  <token roles="mega,kant">TohfaPheicho6eev0xaingewoiz6quae</token>
</digilib-token>

there should also be a general configuration value that sets a constraint for the minimum token length with a reasonable default.
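The proposal above (a static token list in digilib-auth.xml, a minimum token length, and roles attached to each token) as an added example, not code from the digilib project or from the issue's author; it is written in Python to show the validation logic, although a real digilib implementation would be a Java AuthnOps class. The sample config is constructed in the proposed format, the `sh0rt` entry is added only to show the length check firing, and `DEFAULT_MIN_TOKEN_LENGTH` is an assumed default for the proposed setting.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the format proposed in the issue (not digilib's real config).
# The second token is deliberately too short so the length constraint is exercised.
SAMPLE_CONFIG = """<digilib-token>
  <token roles="mega,kant">TohfaPheicho6eev0xaingewoiz6quae</token>
  <token roles="viewer">sh0rt</token>
</digilib-token>"""

# Assumed default for the proposed "minimum token length" configuration value.
DEFAULT_MIN_TOKEN_LENGTH = 32


def load_token_store(xml_text, min_length=DEFAULT_MIN_TOKEN_LENGTH):
    """Parse a <digilib-token> document into {token: frozenset(roles)}.

    Returns (store, rejected): tokens shorter than min_length are collected in
    `rejected` instead of being loaded, so an administrator's mistake (the
    concern raised in the issue) is visible at config load time rather than
    silently producing a weak credential.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "digilib-token":
        raise ValueError("expected <digilib-token> root element")
    store = {}
    rejected = []
    for elem in root.findall("token"):
        value = (elem.text or "").strip()
        roles = frozenset(r.strip() for r in elem.get("roles", "").split(",") if r.strip())
        if len(value) < min_length:
            rejected.append(value)
            continue
        if value in store:
            raise ValueError("duplicate token in config")
        store[value] = roles
    return store, rejected


def authenticate(store, presented):
    """Return the role set for a presented token, or None if it is unknown.

    Every stored token is compared with hmac.compare_digest rather than with
    `==` or a dict lookup, so the comparison does not stop at the first
    differing byte and the response time does not depend on how much of a
    token the caller got right.
    """
    matched = None
    for stored, roles in store.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            matched = roles
    return matched


if __name__ == "__main__":
    store, rejected = load_token_store(SAMPLE_CONFIG)
    print("rejected as too short:", rejected)
    print("roles for the valid token:", sorted(authenticate(store, "TohfaPheicho6eev0xaingewoiz6quae")))
```

Loading the configuration is where the minimum-length check belongs: a token that is too short never reaches the store, and the administrator sees the rejected value in the load result instead of discovering it later.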

robcast commented 7 years ago

Could you please provide more details on your intended workflow?

How are the tokens generated? How are they validated? Do the tokens identify a user (authentication) or a permission (authorization)? Why do you want to constrain the token length? Are the tokens not under your control?

funkyfuture commented 7 years ago

the tokens are intended for authentication. in particular for applications, for which we need an api to upload images at some point. this is rather a middle-term need, but it'd be great to rely on a consensual data structure for the tokens that can be shared by different applications.

How are the tokens generated?

tokens are maintained by administrators, e.g. created with pwgen 32 1 and written into the digilib-auth.xml.

Why do you want to constrain the token length?

to prevent errors by the system administrators.

robcast commented 7 years ago

If your application can generate OpenId-Connect compatible JWT tokens (it's not very hard) then you already have a secure and standardised format and an implementation in digilib :-)

Using fixed tokens creates the risk of tokens being stolen (digilib's OpenId-tokens are also not replay-safe but have a limited lifetime).

It should not be very hard to create a new digilib.auth.AuthnOps implementation like digilib.auth.OpenIdAuthnOps but without the JWT-stuff.
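To illustrate the two points in the reply above (that producing a JWT is not hard, and that a signed token with a limited lifetime avoids the indefinite validity of a fixed token), here is an added example that is not digilib's code; it hand-rolls HS256 signing with only the Python standard library, so it does not depend on any JWT library. The secret and the timestamps are constructed values, and the `roles` claim name is an assumption, not a claim digilib's OpenIdAuthnOps reads.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real issuer uses a random key shared only with the verifier.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(roles, lifetime_seconds, secret=SECRET, now=None):
    """Create an HS256-signed JWT carrying a roles claim and an exp claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"roles": list(roles), "iat": now, "exp": now + lifetime_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, secret=SECRET, now=None):
    """Return the payload if the signature is valid and the token has not expired, else None.

    The verifier fixes the algorithm it accepts instead of trusting the
    header, checks the signature in constant time, and only then reads the
    claims; a token without a numeric exp, or whose exp has passed, is
    rejected even if its signature is correct.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    token = mint_token(["mega", "kant"], lifetime_seconds=300)
    print(token)
    print("verified claims:", verify_token(token))
```

The difference from the fixed-token scheme is visible in `verify_token`: a stolen token here is useful only until `exp`, whereas a fixed token in digilib-auth.xml stays valid until an administrator edits the file.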

funkyfuture commented 6 years ago

thanks for the hint on JWTs, that's perfect. i may amend the respective part of the docs once we have used this in production.