[aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Matthias Wessendorf matzew at apache.org
Thu Sep 27 07:24:23 EDT 2012


thanks.

On Thu, Sep 27, 2012 at 1:21 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> Hi Matthias, looks like the PicketBox API only support timeout specified in
> minutes, so here we go:
>
> https://github.com/aerogear/TODO/commit/7f5a0d5fa7756e35ba95d15a0eaca5c7f435ca8c
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
> On Thursday, September 27, 2012 at 7:30 AM, Matthias Wessendorf wrote:
>
> Hey Bruno!
>
> On Thu, Sep 27, 2012 at 12:26 PM, Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
> Hi Matthias, this is our biggest concerns to M7, we had some discussions
> about it with PicketBox team to improve it. Currently the token relies on
> PicketBox sessions like this:
>
> token = user.getSubject().getSession().getId().getId().toString();
>
>
> yep saw the code in the Filter;
>
> Easy to break like you've did. My initial suggestion, is generate an
> application ID at first glance and create event or time based tokens.
>
>
> Glad we already had some discussion about this (assuming that, base on
> your email).
>
> I raised another question on IRC (#picketbox), on when the
> PicketBoxSession expires.
> I asked b/c I cloud issue a GET request one hour my last activity,
> using the same 'old' token
>
> Greetings!
> Matthias
>
>
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
> On Thursday, September 27, 2012 at 3:26 AM, Matthias Wessendorf wrote:
>
> Hi,
>
> using the Auth-Token to get access to protected resources / endpoints
> (after doing a login) works fine!
>
> I am wondering how to avoid that one token is used on different
> devices? (e.g. when somebody is 'stealing' the token).
>
> I did sign-in to the app, using the browser and got the following
> token => db5d16da-a1e5-48d9-a2fd-e39e36e835bc
>
> Now I was able to issue a get request against the endpoints, by using
> the same token, from different 'devices':
> - curl
> - iOS test case
>
> NOTE: we don't need a solution now, since I know you guys are busy
> with some demo work - but just want to run that 'issue' by this list
>
> Greetings,
> Matthias
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf


More information about the aerogear-dev mailing list