Yes, I agree about using the JWT for a remember me storage, especially for APIs in a distributed / cloud environment.

For the session id, how can we match the JWT sent by the consumer with the session id?

François Papon
[email protected]

On 07/03/2019 at 21:44, Brian Demers wrote:
> I would agree on the bearer token use cases, though that would likely be
> dependent on a given realm (where to validate the bearer token)
>
> I'm not sure using a JWT as the session id would add much value. We would
> still need to look up an existing session, so the session key would just be
> bigger?
>
> I have been thinking about how we could use JWTs for a remember me storage,
> which might be in line with what we are doing now. (just not sure if there
> is a demand for it?)
>
> On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]>
> wrote:
>
>> I think that the session cache manager is a very nice feature in Shiro
>> and I was thinking about using the compact representation of JWT as the
>> session id in the cache manager.
>>
>> This could be very useful because we just have to decrypt the JWT on
>> login and store the user profile in the cache manager.
>>
>> So after that, the calls will only check in the cache without needing to
>> decrypt the JWT. The session validation could also be managed by the
>> session scheduler.
>>
>> I think it makes sense for API calls, for API gateway security policies
>> for example.
>>
>> regards,
>>
>> François Papon
>> [email protected]
>>
>> On 07/03/2019 at 00:15, Brian Demers wrote:
>>> What use cases are you thinking about targeting?
>>>
>>>
>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]>
>>> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I would like to start a thread about JWT.
>>>>
>>>> We already have a shiro-jaxrs module and I think it would be nice for
>>>> Shiro to be able to use JWT.
>>>>
>>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
>>>> microprofile...) and for me it makes sense to have an implementation of
>>>> JWT in Shiro.
>>>>
>>>> Thoughts?
>>>>
>>>> regards,
>>>>
>>>> --
>>>> François Papon
>>>> [email protected]
