[ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-9833:
-----------------------------------
Attachment: OFBIZ-9833-external-server-test-example.patch
OFBIZ-9833-external-server.patch
Here are 2 patches
* OFBIZ-9833-external-server.patch is the real patch for the feature
* OFBIZ-9833-external-server-test-example.patch is a patch to test the feature (do not commit)
This works the same way as externalLoginKey but between 2 servers, not 2 webapps on the same server. The Single Sign On (SSO) is ensured by a JWT token, then all is handled as normal by a session on the reached server. The servers may or may not share a database but the loginUserIds on the 2 servers must be the same.
Some notes:
* We would need a Bearer token in the Authorisation request header if we were using OAuth2. Here we don't, so no Bearer, KISS way.
* OOTB the JWT masterSecretKey is not properly initialised and can not be OOTB. As we sign on to several servers, and so have different sessions, we can't use the externalLoginKey way to create the JWT masterSecretKey. The best way to store the JWT masterSecretKey is to use a temporary properties file to load in a static final key when compiling and to drop the file just after compiling. This is simple and the most secure. Of course the temporary properties file should be kept out of reach, outside the servers.
It could also be loaded from a temporary network connection, etc. The magic words here are *temporary* but *final*!
BTW here is an interesting site to check a JWT token
https://www.jsonwebtoken.io/
Please review and let me know your thoughts, thanks
> Token Based Authentication
> --------------------------
>
> Key: OFBIZ-9833
> URL: https://issues.apache.org/jira/browse/OFBIZ-9833
> Project: OFBiz
> Issue Type: New Feature
> Reporter: Deepak Dixit
> Assignee: Jacques Le Roux
> Attachments: JSON Web Tokens.pdf, OFBIZ-9833-external-server-test-example.patch, OFBIZ-9833-external-server.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
>
> http://markmail.org/message/vyskeh2wujqpkbwg
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
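As an added illustration of the cross-server flow described in the comment above (this is example code, not the OFBIZ-9833 patch, which is Java), the block below mints an HS256 JWT carrying the userLoginId on the first server and shows the checks the second server must make before it opens a session: pin the algorithm, verify the signature with the shared masterSecretKey, reject expired tokens, and only then trust the userLoginId. The claim name `userLoginId`, the TTL and the secret are assumptions.

```python
"""Added example, not the project's code: HS256 JWT mint/verify for
server-to-server SSO, using only the standard library."""
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(master_secret: bytes, user_login_id: str,
               ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Server A: sign {userLoginId, iat, exp} with the shared masterSecretKey."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"userLoginId": user_login_id, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(master_secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(master_secret: bytes, token: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Server B: return the userLoginId only if every check passes, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never be allowed to pick "none" or another alg.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(master_secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:  # expired or missing exp
        return None
    user = claims.get("userLoginId")
    return user if isinstance(user, str) and user else None
```

Once `verify_token` returns a userLoginId, the receiving server looks that login up locally and creates its own session, which is why the comment requires the loginUserIds to match on both servers.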