Message8377
Should we add an ID to a JWT via its data element or the 'jti' registered claim?
This allows logging/audit of use of the JWT. Logging the ID
when a JWT is used via python logging or in some table in Roundup
should be added as well.

The native audit logs/journal records the userid. It assumes that the user is
logged in. Do we need some way to audit a change by a user when done by a service
(which is likely to have a JWT for authentication)? So a change done by user X
is logged differently than a change done on behalf of user X by some
program/agent/... with a JWT?

The tx_Source database connection property doesn't include an authentication
method for any mechanism except email (where PGP auth is identified). But
this property might be a good place to store authentication method/agent ID (JWT ID)
for use in logging.

Date | User | Action | Args
2025-04-28 00:25:19 | rouilj | set | messageid: <1745799919.19.0.505207842715.issue2551064@roundup-tracker.org>
2025-04-28 00:25:19 | rouilj | set | recipients: + rouilj
2025-04-28 00:25:19 | rouilj | link | issue2551064 messages
2025-04-28 00:25:18 | rouilj | create |
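
An added illustration of the two ideas raised in the message above (not part of the original message and not Roundup code): a token that carries its ID in the registered 'jti' claim, and an audit record that names the token when a change is made with one. It uses only the Python standard library; the logger name, the function names and the '<channel>-jwt:<jti>' source string are assumptions made for the example.

```python
import base64, hashlib, hmac, json, logging, time, uuid

audit = logging.getLogger("tracker.audit")  # hypothetical logger name

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(secret: bytes, user: str, ttl: int = 300) -> str:
    """Issue an HS256 JWT whose unique ID sits in the registered 'jti' claim."""
    now = int(time.time())
    claims = {"sub": user, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_sign(secret, head + '.' + body))}"

def verify(secret: bytes, token: str) -> dict:
    """Return the claims only if signature, algorithm, expiry and jti check out."""
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    if not hmac.compare_digest(_sign(secret, f"{head}.{body}"), _dec(sig)):
        raise ValueError("bad signature")
    header, claims = json.loads(_dec(head)), json.loads(_dec(body))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if not claims.get("jti"):
        raise ValueError("token has no jti, cannot be audited")
    return claims

def record_change(user: str, channel: str, change: str, claims=None) -> str:
    """Log a change; the '<channel>-jwt:<jti>' source format is hypothetical."""
    # With claims present the change was made on the user's behalf by a token holder.
    source = f"{channel}-jwt:{claims['jti']}" if claims else channel
    audit.info("user=%s source=%s change=%s", user, source, change)
    return source
```

Because the ID is a registered claim, the verifier can refuse tokens that lack it before any change is recorded, so every token-authenticated change in the log can be traced to one issued token.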