[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-docs] branch master updated: dd49: move session tokens / signatur
From: |
gnunet |
Subject: |
[taler-docs] branch master updated: dd49: move session tokens / signatures to alternatives section |
Date: |
Fri, 15 Sep 2023 10:04:28 +0200 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository docs.
The following commit(s) were added to refs/heads/master by this push:
new 4c8aa37d dd49: move session tokens / signatures to alternatives section
4c8aa37d is described below
commit 4c8aa37dbedb3716db96cc2e9de5dac308673637
Author: Florian Dold <florian@dold.me>
AuthorDate: Fri Sep 15 10:04:21 2023 +0200
dd49: move session tokens / signatures to alternatives section
---
design-documents/049-auth.rst | 54 +++++++++++++++++--------------------------
1 file changed, 21 insertions(+), 33 deletions(-)
diff --git a/design-documents/049-auth.rst b/design-documents/049-auth.rst
index 104b3672..12dc23e7 100644
--- a/design-documents/049-auth.rst
+++ b/design-documents/049-auth.rst
@@ -79,9 +79,6 @@ Token Endpoint
// Opque access token.
access_token: string;
-
- // Token kind.
- kind: string;
}
Token Revocation
@@ -99,13 +96,26 @@ the token endpoint.
with a valid access token.
-Performance Considerations
---------------------------
-.. note::
+Definition of Done
+==================
+
+* DONE: spec reviewed
+* DONE: implemented in merchant backend
+* implemented in libeufin-bank
+* implemented in the bank webui SPA
+* implemented in the merchant backoffice SPA
- This section is purely informal and discusses
- possible future extensions to improve performance.
+
+Alternatives
+============
+
+* use something much closer to OAuth2
+
+ * would be unnecessarly generic and complex
+
+Session Tokens / Signatures
+---------------------------
For performance reasons, OAuth 2.0 uses two types of tokens: Short-lived access
tokens and long-lived refresh tokens. The access tokens can be implemented via
@@ -118,12 +128,6 @@ token is a server-stored token. In addition to being used
directly as an
access token, a login token can also be converted to a short-lived session
token.
-Unlike durable access tokens, the short-lived session tokens can be
-implemented with signatures and don't need to be stored server-side.
-
-Extension: Session Tokens
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
Session access tokens should be implemented as "self-encoded tokens", i.e.
as tokens signed by the server without requiring server-side token storage.
Session access tokens should have a rather short maximum expiration.
@@ -135,25 +139,9 @@ revocation and only accept tokens with a
``creation_timestamp`` larger than the
last revocation timestamp. Individual session tokens cannot be revoked, only
all issued session tokens can be revoked at once.
-
-Definition of Done
-==================
-
-* spec reviewed
-* implemented in merchant backend
-* implemented in libeufin-bank
-* implemented in the bank webui SPA
-* implemented in the merchant backoffice SPA
-
-
-Alternatives
-============
-
-* use something much closer to OAuth2
-
- * would be unnecessarly generic and complex
-
-* only use durable tokens
+However, we decided against doing this because the performance benefits
+are not significant enough for us and having multiple token types would
+lead to unnecessary complexity.
Drawbacks
=========
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-docs] branch master updated: dd49: move session tokens / signatures to alternatives section,
gnunet <=