taler-docs

Documentation for GNU Taler components, APIs and protocols
Log | Files | Refs | README | LICENSE
commit 4c8aa37dbedb3716db96cc2e9de5dac308673637
parent 508aa848c84cbf1e6777444af77021cf4d265bff
Author: Florian Dold <florian@dold.me>
Date:   Fri, 15 Sep 2023 10:04:21 +0200

dd49: move session tokens / signatures to alternatives section

Diffstat:

Mdesign-documents/049-auth.rst | 54+++++++++++++++++++++---------------------------------


1 file changed, 21 insertions(+), 33 deletions(-)

diff --git a/design-documents/049-auth.rst b/design-documents/049-auth.rst
@@ -79,9 +79,6 @@ Token Endpoint
 
        // Opque access token.
        access_token: string;
-
-       // Token kind.
-       kind: string;
      }
 
 Token Revocation
@@ -99,13 +96,26 @@ the token endpoint.
    with a valid access token.
 
 
-Performance Considerations
---------------------------
 
-.. note::
+Definition of Done
+==================
+
+* DONE: spec reviewed
+* DONE: implemented in merchant backend
+* implemented in libeufin-bank
+* implemented in the bank webui SPA
+* implemented in the merchant backoffice SPA
 
-   This section is purely informal and discusses
-   possible future extensions to improve performance.
+
+Alternatives
+============
+
+* use something much closer to OAuth2
+
+  * would be unnecessarly generic and complex
+
+Session Tokens / Signatures
+---------------------------
 
 For performance reasons, OAuth 2.0 uses two types of tokens: Short-lived access
 tokens and long-lived refresh tokens.  The access tokens can be implemented via
@@ -118,12 +128,6 @@ token is a server-stored token.  In addition to being used directly as an
 access token, a login token can also be converted to a short-lived session
 token.
 
-Unlike durable access tokens, the short-lived session tokens can be
-implemented with signatures and don't need to be stored server-side.
-
-Extension: Session Tokens
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
 Session access tokens should be implemented as "self-encoded tokens", i.e.
 as tokens signed by the server without requiring server-side token storage.
 Session access tokens should have a rather short maximum expiration.
@@ -135,25 +139,9 @@ revocation and only accept tokens with a ``creation_timestamp`` larger than the
 last revocation timestamp. Individual session tokens cannot be revoked, only
 all issued session tokens can be revoked at once.
 
-
-Definition of Done
-==================
-
-* spec reviewed
-* implemented in merchant backend
-* implemented in libeufin-bank
-* implemented in the bank webui SPA
-* implemented in the merchant backoffice SPA
-
-
-Alternatives
-============
-
-* use something much closer to OAuth2
-
-  * would be unnecessarly generic and complex
-
-* only use durable tokens
+However, we decided against doing this because the performance benefits
+are not significant enough for us and having multiple token types would
+lead to unnecessary complexity.
 
 Drawbacks
 =========