Ahoy!
Summers Pittman wrote:
> So the bearer token would be a HTTP Header and the JWS/JWT items would
> be part of the request body?
Not really, Summers. Bearer tokens make use of the JWS/JWT specifications, but
they're not tied together. The proposal here is to skip the bearer token
implementation and just make use of JWS/JWT.
It could be part of the request body or the header. It is just a matter of
implementing and discussing.
> Are the tokens the same for the whole session or are they also a
> function of the request content? (A Hash, etc)
Initially I'm planning to make it valid for the whole session, but we
can customize it to our needs.
Makes sense? Wdyt?
--
abstractj
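
The two options raised in this thread, a token valid for the whole session versus one that is a function of the request content, shown side by side as an added example; it is not code from the thread or from the project. HS256 with a shared key, the `body_sha256` claim name, and all function names are assumptions made for the sketch.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact JWS (header.payload.signature), HS256."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64url(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def session_token(user, key, now, ttl=3600):
    # Valid for the whole session: says who the caller is, nothing about the request.
    return sign({"sub": user, "exp": now + ttl}, key)

def request_token(user, key, body, now, ttl=30):
    # Function of the request content: carries a hash of this request's body.
    # "body_sha256" is a hypothetical private claim name, not a registered one.
    digest = hashlib.sha256(body).hexdigest()
    return sign({"sub": user, "exp": now + ttl, "body_sha256": digest}, key)

def verify(token, key, body, now):
    """Return the claims, or raise ValueError if the token must be rejected."""
    head, payload, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    bound = claims.get("body_sha256")
    if bound is not None and not hmac.compare_digest(bound, hashlib.sha256(body).hexdigest()):
        raise ValueError("request body does not match token")
    return claims
```

A session token verifies with any request body, so it authenticates the caller but not the content; the request-bound token is rejected as soon as the body differs from the one it was issued for.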