[aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Bruno Oliveira bruno at abstractj.org
Thu Sep 27 07:21:20 EDT 2012


Hi Matthias, looks like the PicketBox API only supports a timeout specified in minutes, so here we go: 

https://github.com/aerogear/TODO/commit/7f5a0d5fa7756e35ba95d15a0eaca5c7f435ca8c 


-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Thursday, September 27, 2012 at 7:30 AM, Matthias Wessendorf wrote:

> Hey Bruno!
> 
> On Thu, Sep 27, 2012 at 12:26 PM, Bruno Oliveira <bruno at abstractj.org (mailto:bruno at abstractj.org)> wrote:
> > Hi Matthias, this is our biggest concern for M7, we had some discussions
> > about it with PicketBox team to improve it. Currently the token relies on
> > PicketBox sessions like this:
> > 
> > token = user.getSubject().getSession().getId().getId().toString();
> 
> yep saw the code in the Filter;
> 
> > Easy to break like you did. My initial suggestion is to generate an
> > application ID at first glance and create event or time based tokens.
> > 
> 
> 
> Glad we already had some discussion about this (assuming that, based on
> your email).
> 
> I raised another question on IRC (#picketbox), on when the
> PicketBoxSession expires.
> I asked b/c I could issue a GET request one hour after my last activity,
> using the same 'old' token
> 
> Greetings!
> Matthias
> 
> 
> > 
> > 
> > --
> > "The measure of a man is what he does with power" - Plato
> > -
> > @abstractj
> > -
> > Volenti Nihil Difficile
> > 
> > On Thursday, September 27, 2012 at 3:26 AM, Matthias Wessendorf wrote:
> > 
> > Hi,
> > 
> > using the Auth-Token to get access to protected resources / endpoints
> > (after doing a login) works fine!
> > 
> > I am wondering how to avoid that one token is used on different
> > devices? (e.g. when somebody is 'stealing' the token).
> > 
> > I did sign-in to the app, using the browser and got the following
> > token => db5d16da-a1e5-48d9-a2fd-e39e36e835bc
> > 
> > Now I was able to issue a get request against the endpoints, by using
> > the same token, from different 'devices':
> > - curl
> > - iOS test case
> > 
> > NOTE: we don't need a solution now, since I know you guys are busy
> > with some demo work - but just want to run that 'issue' by this list
> > 
> > Greetings,
> > Matthias
> > 
> > --
> > Matthias Wessendorf
> > 
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org (mailto:aerogear-dev at lists.jboss.org)
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > 
> > 
> > 
> 
> 
> 
> 
> -- 
> Matthias Wessendorf
> 
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf

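The two checks the thread asks for, as an added example that is not AeroGear or PicketBox code: a token store that binds each token to the client identifier presented at login, revokes the token when the same value shows up from a different client, and expires it after an idle period. The `client_id` value, the 15-minute timeout and the in-memory store are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Assumption: an idle timeout in whole minutes, as the thread says PicketBox supports.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class TokenRecord:
    user: str
    client_id: str   # identifier the client presented at login (assumed available)
    last_seen: float


class TokenStore:
    """In-memory token store binding each token to one client and an idle timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so tests can control time
        self._tokens = {}
        self.audit = []              # events a defender would want logged

    def issue(self, user, client_id):
        # Random, unguessable token rather than exposing the session id itself.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user, client_id, self._clock())
        return token

    def validate(self, token, client_id):
        """Return the user for a valid token, or None; revoke on misuse or expiry."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now - rec.last_seen > self._idle_timeout:
            del self._tokens[token]
            self.audit.append(f"expired: user={rec.user}")
            return None
        if rec.client_id != client_id:
            # Same token from a different client: treat it as stolen and revoke it
            # for everyone, so the legitimate user has to log in again.
            del self._tokens[token]
            self.audit.append(f"reuse: user={rec.user} from={client_id} revoked")
            return None
        rec.last_seen = now          # sliding expiry: activity extends the token
        return rec.user
```

The binding is only as strong as how `client_id` is established: a header the client sets itself can be copied along with the token, so in practice it should come from something the other device cannot present, such as a device-held key or a TLS-level identity.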