Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-24734

Stateless Authentication based on a JSON Web Token (JWT)

    XMLWordPrintable

    Details

    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      There is a new Java API to acquire a JWT token to authorize a user:

      JWTService service = Framework.getService(JWTService.class);
      String token = service.newBuilder().build();
      

      The builder can also be used to add specific claims in the token (only CLAIM_SUBJECT is meaningful to the authenticator for now) and a TTL.

      The token should then be propagated and passed by a third-party service wishing to connect to Nuxeo using the Authorization: Bearer <token> request header. As a compatibility fallback, the request query parameter access_token can also be used.

      IMPORTANT
      For the JWTService to work, all the cluster servers must be configured with a common shared secret in nuxeo.conf:

      nuxeo.jwt.secret=...
      
      Show
      There is a new Java API to acquire a JWT token to authorize a user: JWTService service = Framework.getService(JWTService.class); String token = service.newBuilder().build(); The builder can also be used to add specific claims in the token (only CLAIM_SUBJECT is meaningful to the authenticator for now) and a TTL. The token should then be propagated and passed by a third-party service wishing to connect to Nuxeo using the Authorization: Bearer <token> request header. As a compatibility fallback, the request query parameter access_token can also be used. IMPORTANT For the JWTService to work, all the cluster servers must be configured with a common shared secret in nuxeo.conf : nuxeo.jwt.secret=...
    • Sprint:
      nxFG 10.2.2, nxFG 10.2.3, nxFG 10.2.4, nxFG 10.2.5, nxFG 10.2.6, nxFG 10.2.7, nxFG 10.3.1
    • Story Points:
      5

      Description

      We want an authenticator similar to Token Auth but that doesn't store stateful information. It would be based on a server secret instead (either for HMAC or for asymmetric key based signature). The transport format would be JWT.

      The token would contain:

      • username
      • creation time (for expiration)

      This will be useful at least for the ARender connector, and for the WOPI integration.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 days, 1 hour
                  2d 1h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.