diff options
author | Florian Dold <florian@dold.me> | 2023-09-15 10:04:21 +0200 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2023-09-15 10:04:26 +0200 |
commit | 4c8aa37dbedb3716db96cc2e9de5dac308673637 (patch) | |
tree | fd8b6d48710bb32ceac5ca1a0612df464c5db743 /design-documents | |
parent | 508aa848c84cbf1e6777444af77021cf4d265bff (diff) | |
download | docs-4c8aa37dbedb3716db96cc2e9de5dac308673637.tar.gz docs-4c8aa37dbedb3716db96cc2e9de5dac308673637.tar.bz2 docs-4c8aa37dbedb3716db96cc2e9de5dac308673637.zip |
dd49: move session tokens / signatures to alternatives section
Diffstat (limited to 'design-documents')
-rw-r--r-- | design-documents/049-auth.rst | 54 |
1 files changed, 21 insertions, 33 deletions
diff --git a/design-documents/049-auth.rst b/design-documents/049-auth.rst index 104b3672..12dc23e7 100644 --- a/design-documents/049-auth.rst +++ b/design-documents/049-auth.rst @@ -79,9 +79,6 @@ Token Endpoint // Opque access token. access_token: string; - - // Token kind. - kind: string; } Token Revocation @@ -99,13 +96,26 @@ the token endpoint. with a valid access token. -Performance Considerations --------------------------- -.. note:: +Definition of Done +================== + +* DONE: spec reviewed +* DONE: implemented in merchant backend +* implemented in libeufin-bank +* implemented in the bank webui SPA +* implemented in the merchant backoffice SPA - This section is purely informal and discusses - possible future extensions to improve performance. + +Alternatives +============ + +* use something much closer to OAuth2 + + * would be unnecessarly generic and complex + +Session Tokens / Signatures +--------------------------- For performance reasons, OAuth 2.0 uses two types of tokens: Short-lived access tokens and long-lived refresh tokens. The access tokens can be implemented via @@ -118,12 +128,6 @@ token is a server-stored token. In addition to being used directly as an access token, a login token can also be converted to a short-lived session token. -Unlike durable access tokens, the short-lived session tokens can be -implemented with signatures and don't need to be stored server-side. - -Extension: Session Tokens -^^^^^^^^^^^^^^^^^^^^^^^^^ - Session access tokens should be implemented as "self-encoded tokens", i.e. as tokens signed by the server without requiring server-side token storage. Session access tokens should have a rather short maximum expiration. @@ -135,25 +139,9 @@ revocation and only accept tokens with a ``creation_timestamp`` larger than the last revocation timestamp. Individual session tokens cannot be revoked, only all issued session tokens can be revoked at once. - -Definition of Done -================== - -* spec reviewed -* implemented in merchant backend -* implemented in libeufin-bank -* implemented in the bank webui SPA -* implemented in the merchant backoffice SPA - - -Alternatives -============ - -* use something much closer to OAuth2 - - * would be unnecessarly generic and complex - -* only use durable tokens +However, we decided against doing this because the performance benefits +are not significant enough for us and having multiple token types would +lead to unnecessary complexity. Drawbacks ========= |