Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/05/06 13:51:50 UTC

[GitHub] [couchdb] dsebastien opened a new issue #2873: Add support for authentication/authorization using cookies containing JWTs

dsebastien opened a new issue #2873:
URL: https://github.com/apache/couchdb/issues/2873


   ## Summary
   
   In some scenarios it can be easier/safer to pass JWT tokens to clients through cookies (secure, sameSite, httpOnly, etc) so that they don't store those in localStorage/have to add those themselves to requests to the back-end.
   
   Having CouchDB be able to extract a JWT from a Cookie in addition/as an alternative to the Authorization header would be beneficial for such scenarios.
   
   ## Desired Behaviour
   
   Being able to configure CouchDB to extract JWT tokens from cookies (in addition or as an alternative to the Authorization header).
   
   ## Additional context
   
   My project uses a fairly classical high-level architecture:
   * Back-end system exposing a RESTful API
   * Front-end single-page application
   
   The back-end RESTful API issues self-signed JWT tokens and provides those to the SPA through secure/samesite/httpOnly cookies so as to simplify management and keep a good level of security. 
   
   This works fine in our scenario since there's a single origin. When the SPA issues requests against the RESTful API, the cookie containing the JWT token is attached transparently by the user agent.
   
   If that same JWT token could also be trusted by CouchDB (which is now possible with 3.1.0 as far as I understand) and if CouchDB could extract it from the cookie, then our SPA clients could seamlessly authenticate against CouchDB.
   
   For the longer term, OAuth support would indeed be nice, but I can imagine that it is already somewhere on CouchDB's roadmap.
   


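The behaviour requested in the issue can be approximated today in a same-origin reverse proxy placed in front of CouchDB, which copies the JWT out of the cookie into the `Authorization: Bearer` header that CouchDB's JWT handler reads. The sketch below is an added example, not CouchDB code or code from the issue author; the cookie name `access_token`, the function names, and the lower-cased header object (as Node's `http` module provides) are assumptions, and signature verification stays with CouchDB.

```javascript
// Added example, not part of the original issue or of CouchDB.
// Assumed: cookie name "access_token", lower-cased header keys.
// Only the token's shape is checked here; CouchDB verifies the signature.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Parse a Cookie request header into a Map. When a name is repeated,
// the first occurrence wins so a later injected duplicate is ignored.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // no "=" or nothing before it
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip optional surrounding quotes
    }
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Return the headers to forward to CouchDB. An explicit Authorization
// header is kept untouched; otherwise a well-formed JWT found in the
// cookie is promoted to a Bearer token. Malformed values are dropped.
function promoteCookieJwt(headers, cookieName = "access_token") {
  const out = { ...headers };
  if (out.authorization) return out;
  const token = parseCookieHeader(out.cookie).get(cookieName);
  if (token && JWT_SHAPE.test(token)) {
    out.authorization = `Bearer ${token}`;
  }
  return out;
}

// Constructed sample request headers (the token is a placeholder, not a real JWT).
const sample = { cookie: "theme=dark; access_token=aaa.bbb.ccc" };
console.log(promoteCookieJwt(sample).authorization);
```

Because the browser attaches the cookie automatically, the proxy should only accept it on requests that also pass the site's cross-site request checks; the `SameSite` attribute mentioned in the issue is one such control.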