[bisq-network/proposals] API security (#69)

Bernard Labno notifications at github.com
Wed Jan 23 11:26:47 UTC 2019


No, JWT and OAuth are two completely separate things. There will be no OAuth, as we do not need to allow any 3rd parties to verify a user's identity.
JWT is just a format of authentication tokens. Those tokens, instead of being random strings, include info about the user (id, email, nickname, whatever you wish) and a signature made with the backend's private key.
In our case it will always be the Bisq core (desktop or headless) that will create tokens.

As written above, I don't see any added value in storing any user info in the token, but I see a potential information leak if the token (even an expired one) is obtained by a malicious party.

https://github.com/bisq-network/proposals/issues/69#issuecomment-456767304
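
The concern raised in the message above, that user info carried in a JWT is readable by whoever obtains the token, shown as an added example that is not part of the original message or of Bisq's code. It uses HS256 (a shared-key HMAC) rather than a private-key signature so that it runs on the Python standard library alone; the key, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWT: header.payload.signature (HS256, an assumption)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, key: bytes) -> bool:
    """Only the key holder can check integrity; the algorithm is pinned here."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def read_claims_without_key(token: str) -> dict:
    """The payload is base64url-encoded, not encrypted: no key is needed,
    and expiry does not matter because nothing is being verified."""
    return json.loads(b64url_decode(token.split(".")[1]))

def issue_opaque_token(store: dict, claims: dict) -> str:
    """Random-string token: user info stays in a server-side store."""
    token = secrets.token_urlsafe(32)
    store[token] = claims
    return token

# Constructed sample data (not from the original thread).
SAMPLE_CLAIMS = {"sub": "user-1", "email": "alice@example.org", "exp": 1500000000}
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    jwt = issue_jwt(SAMPLE_CLAIMS, KEY)
    print("signature valid with key:", verify_jwt(jwt, KEY))
    print("claims read without key: ", read_claims_without_key(jwt))
    store = {}
    opaque = issue_opaque_token(store, SAMPLE_CLAIMS)
    print("opaque token reveals only:", opaque)
```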