auth v3: support jwt as auth token #5718
Comments
@xiang90 I think https://github.com/dgrijalva/jwt-go is a suitable library for the purpose. Do you have opinions about library selection? CoreOS people would know well about jwt libraries because of https://github.com/coreos/jwtproxy (jwtproxy has its own jwt implementation?). I'd like to hear suggestions about jwt library selection.
What do we expect to put inside each jwt token? Just username? Or also the role details attached to the user?
I think just username would be fine for now. It may be affected by proxy design and including role details would be useful for the case (but it will bring consistency problems).
How are we going to revoke a jwt token? Will it be timeout based?
I think there are two ways;
The second one would be simpler. What do you think?
@mitake I am closing this. We still need to work on the documentation side. There is already a tracking issue.
For production use cases, the current simple token of auth v3 is too naive, e.g. its token is a randomly generated string and doesn't care about the cost of guessing by attackers.
JWT seems to be useful for the purpose. auth v3 needs to support it as its token. jwt-go would be a suitable implementation for etcd.
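The token shape discussed in this thread (username-only claims, timeout-based expiry), as an added example that is not etcd's implementation and does not use jwt-go: it hand-rolls HS256 with the Go standard library. The names `claims`, `issue` and `verify` and the key are hypothetical and constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// claims holds only what the thread proposes: a username and an expiry (Unix seconds).
type claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

func sign(key []byte, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// issue returns a signed token for username that expires ttl after now.
func issue(key []byte, username string, now time.Time, ttl time.Duration) string {
	body, _ := json.Marshal(claims{username, now.Add(ttl).Unix()})
	msg := header + "." + b64.EncodeToString(body)
	return msg + "." + sign(key, msg)
}

// verify compares the header verbatim (a token's own "alg" is never trusted),
// checks the signature in constant time, and only then reads the claims and expiry.
func verify(key []byte, token string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != header || !hmac.Equal([]byte(p[2]), []byte(sign(key, p[0]+"."+p[1]))) {
		return "", fmt.Errorf("malformed token or bad signature")
	}
	var c claims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp {
		return "", fmt.Errorf("unreadable claims or expired token")
	}
	return c.Username, nil
}

func main() {
	fmt.Println(verify([]byte("constructed-key"), issue([]byte("constructed-key"), "alice", time.Now(), time.Minute), time.Now()))
}
```

With expiry as the only revocation mechanism, a leaked token stays valid until `exp`, so the TTL bounds the exposure window.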