svbackend / my-art-lib

Your own library of watched movies with crowd-based recommendations and notifications about releases
https://mykino.top
GNU General Public License v3.0

Replace OAuth server by JWT tokens authentication (?) #16

Closed svbackend closed 6 years ago

svbackend commented 6 years ago

Looks like the OAuth server is just an overhead for this project, so after some discussions I decided to remove the OAuth server and replace it with JWT tokens (maybe not?). I'll try to do this, but I need to see the pros and cons.

svbackend commented 6 years ago

Need to do some research: how to avoid JWT? Maybe it's not as hard as you may think? It should be easy: create an access token (auth by username & password) -> save it -> give it to the user. The user needs to send it back for authentication. If you need to deny a user access, just remove all tokens related to that user. No need to use any refresh tokens. And of course it's important to use HTTPS to protect the user's access tokens from MITM attacks.

svbackend commented 6 years ago

Maybe a good idea: add a last_time_used field to the tokens table and remove old unused tokens.

svbackend commented 6 years ago

Let's try custom generated token authentication. Done in #18. If something goes wrong, we can easily switch to JWT tokens.
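A minimal version of the scheme sketched in this thread (opaque random token issued after username/password auth, saved server-side, revoked by deleting all of a user's rows, and purged via a last_time_used column), written as an added Python example that is not the project's code. The in-memory dict stands in for the tokens table; storing only a hash of the token and the 30-day idle limit are assumptions of this example, not decisions recorded in the issue.

```python
import hashlib
import secrets


class TokenStore:
    """Server-side store of opaque access tokens (constructed stand-in for the tokens table)."""

    def __init__(self, idle_ttl_seconds=30 * 24 * 3600):
        # token_hash -> {"user_id": ..., "last_time_used": unix seconds}
        self.rows = {}
        # Assumption: tokens unused for this long are dropped by purge_idle().
        self.idle_ttl = idle_ttl_seconds

    @staticmethod
    def _hash(token):
        # Assumption: only the SHA-256 of the token is stored, so a leaked table
        # does not hand out usable bearer tokens. Lookup is by exact hash, so no
        # timing-sensitive string comparison is needed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        # 32 bytes from the OS CSPRNG: unguessable, no signature or claims to parse.
        token = secrets.token_urlsafe(32)
        self.rows[self._hash(token)] = {"user_id": user_id, "last_time_used": now}
        return token  # handed to the client once; the plaintext is not kept

    def authenticate(self, token, now):
        """Return the owning user_id, or None if the token is unknown or revoked."""
        row = self.rows.get(self._hash(token))
        if row is None:
            return None
        row["last_time_used"] = now  # the last_time_used column from the thread
        return row["user_id"]

    def revoke_user(self, user_id):
        """Deny access: delete every token that belongs to the user."""
        doomed = [h for h, r in self.rows.items() if r["user_id"] == user_id]
        for h in doomed:
            del self.rows[h]
        return len(doomed)

    def purge_idle(self, now):
        """Remove tokens whose last use is older than the idle limit."""
        doomed = [h for h, r in self.rows.items()
                  if now - r["last_time_used"] > self.idle_ttl]
        for h in doomed:
            del self.rows[h]
        return len(doomed)
```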