Using a JWT as an auth token (bearer or otherwise) should be dependent on a realm's implementation IMHO.

Using a JWT as a session id direction is a different topic. In this case I don't think it would provide any benefit (but I could be wrong or missing something here). The session id would be larger (more bits in the request/response payloads), and on the server side you would still incur a session lookup from storage. Again, I might be misunderstanding your use-case. Let me know.

On Fri, Mar 8, 2019 at 1:23 AM Francois Papon <[email protected]> wrote:

> Yes, I agree about using the JWT for a remember me storage, especially
> for APIs in a distributed / cloud environment.
>
> For the session id, how can we match the JWT sent by the consumer with
> the session id?
>
> François Papon
> [email protected]
>
> On 07/03/2019 at 21:44, Brian Demers wrote:
> > I would agree on the bearer token use cases, though that would likely be
> > dependent on a given realm (where to validate the bearer token)
> >
> > I'm not sure using a JWT as the session id would add much value. We would
> > still need to look up an existing session, so the session key would just be
> > bigger?
> >
> > I have been thinking about how we could use JWTs for a remember me storage,
> > which might be in line with what we are doing now. (just not sure if there
> > is a demand for it?)
> >
> > On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]> wrote:
> >
> >> I think that the session cache manager is a very nice feature in Shiro
> >> and I was thinking about using the compact representation of JWT as the
> >> session id in the cache manager.
> >>
> >> This could be very useful because we just have to decrypt the JWT on
> >> login and store the user profile in the cache manager.
> >>
> >> So after that, the calls will be only a check in the cache without need to
> >> decrypt the JWT. The session validation could also be managed by the
> >> session scheduler.
> >>
> >> I think it makes sense for API calls for API gateway security policies
> >> for example.
> >>
> >> regards,
> >>
> >> François Papon
> >> [email protected]
> >>
> >> On 07/03/2019 at 00:15, Brian Demers wrote:
> >>> What use cases are you thinking about targeting?
> >>>
> >>>
> >>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]> wrote:
> >>>
> >>>> Hi guys,
> >>>>
> >>>> I would like to start a thread about JWT.
> >>>>
> >>>> We already have a shiro-jaxrs module and I think it would be nice for
> >>>> Shiro to be able to use JWT.
> >>>>
> >>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
> >>>> microprofile...) and for me it makes sense to have an implementation of
> >>>> JWT in Shiro.
> >>>>
> >>>> Thoughts?
> >>>>
> >>>> regards,
> >>>>
> >>>> --
> >>>> François Papon
> >>>> [email protected]
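The design being debated in this thread (verify the JWT once at login, store the user profile in a session cache keyed by the token's compact form, and let subsequent calls hit only the cache while a scheduler handles expiry) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not Shiro code and uses no Shiro API. It assumes HS256 with a constructed demo key, and the class and function names (`JwtKeyedSessionCache`, `compare_id_sizes`, and so on) are hypothetical. It also makes Brian's size point concrete by comparing the compact JWT's length with that of a random 128-bit session id.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment would take it from the realm's configuration.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT in compact form: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.

    This is the costly step the thread wants to run only once, at login."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Only the algorithm we issue with is acceptable; "none" or anything else is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


class JwtKeyedSessionCache:
    """Session store keyed by the compact JWT string (hypothetical, not a Shiro class)."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.sessions = {}  # compact JWT -> (profile, exp)

    def login(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Verify once, then cache the profile under the token string."""
        claims = verify_jwt(token, self.key, now)
        if claims is None:
            return None
        profile = {"sub": claims.get("sub"), "roles": claims.get("roles", [])}
        self.sessions[token] = (profile, claims["exp"])
        return profile

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Per-request path: a dictionary hit, no signature verification."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None:
            return None  # never logged in (or a token we did not issue): nothing to serve
        profile, exp = entry
        if exp <= now:
            del self.sessions[token]  # the cache must still honour the token's lifetime
            return None
        return profile

    def sweep_expired(self, now: Optional[float] = None) -> int:
        """What a session scheduler would run periodically; returns the number removed."""
        now = time.time() if now is None else now
        expired = [t for t, (_, exp) in self.sessions.items() if exp <= now]
        for t in expired:
            del self.sessions[t]
        return len(expired)


def compare_id_sizes(token: str) -> tuple:
    """Length of a random 128-bit session id versus the compact JWT used as the key."""
    random_id = secrets.token_urlsafe(16)
    return len(random_id), len(token)


if __name__ == "__main__":
    cache = JwtKeyedSessionCache()
    tok = make_jwt({"sub": "alice", "roles": ["admin"], "exp": 2_000_000_000})
    print("login:", cache.login(tok))
    print("lookup:", cache.lookup(tok))
    print("random id vs JWT length:", compare_id_sizes(tok))
```

Two things stand out once the design is written down. Every request still performs a store lookup (`lookup` is a dictionary access here; in a distributed cache it is a network round trip), which is the point Brian raises, and the key is several times longer than a random session id. The cache entry also has to carry the token's expiry, because skipping verification on later calls means nothing else re-checks `exp`; the sweep plays the role of the session scheduler mentioned by François.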
