Token-based authentication (was http.server.BaseHTTPRequestHandler basic auth logout? Django authentication system for REST interface?)
Demian Brecht
demianbrecht at gmail.com
Sat Jun 7 14:36:00 EDT 2014
On Jun 6, 2014 6:30 PM, "Roy Smith" <roy at panix.com> wrote:
> We would have to keep state on the server side about every extant valid
> token (but then again, we need to do that now, for each session).
If you didn't want to have to manage such state server side, you could opt
to use JWTs (http://datatracker.ietf.org/wg/jose/). A number of auth
providers (including Microsoft and Google) are moving to using these as
well.
Of course, /some/ server side state would have to be managed to deal with
invalidation or any other mutable data that doesn't belong in a token, but
it's generally minimal.
[Shameless plug] I've implemented a subset of the algorithms for both JWE
and JWSs as a part of https://pypi.python.org/pypi/jose.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20140607/4cf0145f/attachment.html>
More information about the Python-list
mailing list