Posted to dev@syncope.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2017/06/23 08:34:08 UTC
[DISCUSS] - Support Bearer authorization for JWT tokens?
Hi all,
Larry McCay from Apache Knox (amongst other projects) raised an interesting
point here:
https://twitter.com/lmccay/status/877981989638356992
Rather than use a custom header "X-Syncope-Token" to include the JWT token
when invoking on the Syncope REST services, we might as well instead use
the "Bearer" Authorization header to follow the standards:
https://tools.ietf.org/html/rfc6750
We could support both for 2.0.4 and then switch to only supporting the
Authorization header for 2.1.0.
WDYT?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
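As an added illustration of the transition the proposal describes (not code from Syncope or from anyone in this thread, and written in Python rather than the project's Java so it runs stand-alone), the following resolves the token from either header: Authorization: Bearer is parsed per RFC 6750 section 2.1, X-Syncope-Token is honoured only while a transition flag is on (the proposed 2.0.4 state), and a request that carries two different tokens is refused rather than silently picking one. Failures are answered with the WWW-Authenticate: Bearer challenge of RFC 6750 section 3. The realm name "Syncope", the function names, the error-to-status mapping and the placeholder token are assumptions of this example; JWT signature and expiry validation is out of scope and would follow extraction.

```python
import re
from typing import Mapping, Optional, Tuple

# RFC 6750 section 2.1 grammar:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# A compact JWT (base64url segments joined by ".") satisfies it.
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

LEGACY_HEADER = "X-Syncope-Token"  # custom header discussed in the thread
REALM = "Syncope"                  # assumed realm name, not taken from the thread


class BearerError(Exception):
    """An RFC 6750 section 3.1 error code plus a description for the challenge."""

    def __init__(self, code: str, description: str) -> None:
        super().__init__(description)
        self.code = code
        self.description = description


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _check_token(token: str, where: str) -> str:
    token = token.strip()
    if not _B64TOKEN.match(token):
        raise BearerError("invalid_request", "malformed token in " + where)
    return token


def parse_bearer(value: str) -> Optional[str]:
    """Return the token of a Bearer Authorization field (scheme compared
    case-insensitively), None for any other scheme so the caller answers with a
    plain challenge, and raise BearerError for a malformed or empty token."""
    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() != "bearer":
        return None
    if len(parts) == 1:
        raise BearerError("invalid_request", "empty bearer token")
    return _check_token(parts[1], "Authorization")


def extract_token(headers: Mapping[str, str], allow_legacy: bool) -> Tuple[Optional[str], str]:
    """Return (token, source), source in {"bearer", "legacy", "none"}.
    allow_legacy=True models the proposed 2.0.4 state (both headers accepted),
    allow_legacy=False the proposed 2.1.0 state (Authorization only)."""
    auth = _lookup(headers, "Authorization")
    legacy = _lookup(headers, LEGACY_HEADER)

    bearer = parse_bearer(auth) if auth is not None else None
    if bearer is not None and legacy is not None and legacy.strip() != bearer:
        # Two different credentials on one request: refuse instead of letting a
        # stale legacy token win over (or lose to) the Bearer one unnoticed.
        raise BearerError("invalid_request",
                          "conflicting tokens in Authorization and " + LEGACY_HEADER)
    if bearer is not None:
        return bearer, "bearer"
    if legacy is not None:
        if not allow_legacy:
            raise BearerError("invalid_request",
                              LEGACY_HEADER + " is no longer accepted; send Authorization: Bearer")
        return _check_token(legacy, LEGACY_HEADER), "legacy"
    return None, "none"


def challenge(err: Optional[BearerError] = None) -> Tuple[int, str]:
    """RFC 6750 section 3: WWW-Authenticate: Bearer. A request with no usable
    credentials gets 401 without an error code; invalid_request maps to 400,
    invalid_token to 401 and insufficient_scope to 403."""
    if err is None:
        return 401, 'Bearer realm="%s"' % REALM
    status = {"invalid_request": 400, "invalid_token": 401, "insufficient_scope": 403}[err.code]
    return status, 'Bearer realm="%s", error="%s", error_description="%s"' % (
        REALM, err.code, err.description)


def authenticate(headers: Mapping[str, str], allow_legacy: bool) -> Tuple[int, Optional[str], Optional[str]]:
    """Outcome for one request: (status, WWW-Authenticate value or None, token or None)."""
    try:
        token, source = extract_token(headers, allow_legacy)
    except BearerError as err:
        status, www = challenge(err)
        return status, www, None
    if token is None:
        status, www = challenge()
        return status, www, None
    return 200, None, token


if __name__ == "__main__":
    # Constructed sample requests; the token is a placeholder, not a real Syncope JWT.
    JWT = "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl"
    print(authenticate({"Authorization": "Bearer " + JWT}, allow_legacy=True))
    print(authenticate({"X-Syncope-Token": JWT}, allow_legacy=True))   # 2.0.4: accepted
    print(authenticate({"X-Syncope-Token": JWT}, allow_legacy=False))  # 2.1.0: 400 challenge
    print(authenticate({}, allow_legacy=False))                        # 401, no error code
```

Flipping allow_legacy is the whole 2.0.4 to 2.1.0 switch from the proposal; a client still sending only X-Syncope-Token after the switch gets a 400 with error="invalid_request" and a description naming the header to use, which is the kind of message a release note can point to.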
Re: [DISCUSS] - Support Bearer authorization for JWT tokens?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 23/06/2017 12:14, Colm O hEigeartaigh wrote:
> OK fair enough, here is the JIRA:
>
> https://issues.apache.org/jira/browse/SYNCOPE-1120
Thanks!
> How do we maintain the release notes?
Not very efficiently ATM, I'd say: essentially, in the release process,
there are some steps where commits related to each issue (part of the
release) are inspected to find relevant changes which might cause
troubles when upgrading.
Anyway, nothing prevents us from starting to draft the release upgrade
process early, before the actual release.
Regards.
> On Fri, Jun 23, 2017 at 10:34 AM, Francesco Chicchiriccò <il...@apache.org> wrote:
>
>> On 23/06/2017 11:17, Colm O hEigeartaigh wrote:
>>
>>> On Fri, Jun 23, 2017 at 9:36 AM, Francesco Chicchiriccò <
>>> ilgrosso@apache.org> wrote:
>>>
>>>> +1 for the "Bearer" Authorization header proposal, more standards are
>>>> welcome :-)
>>>>
>>>> Since we introduced JWT in 2.0.3, I am not sure whether it makes sense to
>>>> keep supporting the X-Syncope-Token header for further 2.0 releases or
>>>> not...
>>>>
>>> Well I guess it would break any REST clients that were written to use
>>> X-Syncope-Token for 2.0.3. It should be fairly straightforward just to
>>> check the two headers right?
>>>
>> It will break such clients for sure but we can include specific
>> instructions in the release notes.
>> My point is that such header is something introduced in 2.0.3, e.g. the
>> last stable release before 2.0.4: I am not sure we need to preserve
>> backward compatibility for that...
>>
>>
>> Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: [DISCUSS] - Support Bearer authorization for JWT tokens?
Posted by Colm O hEigeartaigh <co...@apache.org>.
OK fair enough, here is the JIRA:
https://issues.apache.org/jira/browse/SYNCOPE-1120
How do we maintain the release notes?
Colm.
On Fri, Jun 23, 2017 at 10:34 AM, Francesco Chicchiriccò <
ilgrosso@apache.org> wrote:
> On 23/06/2017 11:17, Colm O hEigeartaigh wrote:
>
>> On Fri, Jun 23, 2017 at 9:36 AM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>>> +1 for the "Bearer" Authorization header proposal, more standards are
>>> welcome :-)
>>>
>>> Since we introduced JWT in 2.0.3, I am not sure whether it makes sense to
>>> keep supporting the X-Syncope-Token header for further 2.0 releases or
>>> not...
>>>
>> Well I guess it would break any REST clients that were written to use
>> X-Syncope-Token for 2.0.3. It should be fairly straightforward just to
>> check the two headers right?
>>
>
> It will break such clients for sure but we can include specific
> instructions in the release notes.
> My point is that such header is something introduced in 2.0.3, e.g. the
> last stable release before 2.0.4: I am not sure we need to preserve
> backward compatibility for that...
>
>
> Regards.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: [DISCUSS] - Support Bearer authorization for JWT tokens?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 23/06/2017 11:17, Colm O hEigeartaigh wrote:
> On Fri, Jun 23, 2017 at 9:36 AM, Francesco Chicchiriccò <il...@apache.org> wrote:
>> +1 for the "Bearer" Authorization header proposal, more standards are
>> welcome :-)
>>
>> Since we introduced JWT in 2.0.3, I am not sure whether it makes sense to
>> keep supporting the X-Syncope-Token header for further 2.0 releases or
>> not...
> Well I guess it would break any REST clients that were written to use
> X-Syncope-Token for 2.0.3. It should be fairly straightforward just to
> check the two headers right?
It will break such clients for sure but we can include specific
instructions in the release notes.
My point is that such header is something introduced in 2.0.3, e.g. the
last stable release before 2.0.4: I am not sure we need to preserve
backward compatibility for that...
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: [DISCUSS] - Support Bearer authorization for JWT tokens?
Posted by Colm O hEigeartaigh <co...@apache.org>.
On Fri, Jun 23, 2017 at 9:36 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
> +1 for the "Bearer" Authorization header proposal, more standards are
> welcome :-)
>
> Since we introduced JWT in 2.0.3, I am not sure whether it makes sense to
> keep supporting the X-Syncope-Token header for further 2.0 releases or
> not...
>
Well I guess it would break any REST clients that were written to use
X-Syncope-Token for 2.0.3. It should be fairly straightforward just to
check the two headers right?
Colm.
>
> Regards.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: [DISCUSS] - Support Bearer authorization for JWT tokens?
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 23/06/2017 10:34, Colm O hEigeartaigh wrote:
> Hi all,
>
> Larry McCay from Apache Knox (amongst other projects) raised an interesting
> point here:
>
> https://twitter.com/lmccay/status/877981989638356992
>
> Rather than use a custom header "X-Syncope-Token" to include the JWT token
> when invoking on the Syncope REST services, we might as well instead use
> the "Bearer" Authorization header to follow the standards:
>
> https://tools.ietf.org/html/rfc6750
>
> We could support both for 2.0.4 and then switch to only supporting the
> Authorization header for 2.1.0.
>
> WDYT?
+1 for the "Bearer" Authorization header proposal, more standards are
welcome :-)
Since we introduced JWT in 2.0.3, I am not sure whether it makes sense
to keep supporting the X-Syncope-Token header for further 2.0 releases
or not...
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/