• 1.0-m12, 1.0-pre-beta-1

      In Scope

      • Change authentication so that it works via JWT only
      • Remove authentication via cookie
      • Ensure that the frontend continues to work when JWT is enabled (You may need to open another ticket to get help from the frontend team)
      • Solution should be cURL friendly

          [JENKINS-35783] REST API must only be authenticated using JWT

          Ivan Meredith added a comment - edited

          Well, the browser automatically sends the header in CSRF, which isn't true for JWT or Bearer. But we specifically require the application/json header on the REST API to protect against CSRF.

          Not that I am against JWT exactly, it's just not as curl friendly I think? If it is curl friendly, ignore me.


          Ben Walding added a comment -

          Because hackers.com can make a Javascript call and the Basic Auth credentials will be sent to mycorporatesite.com if the user has entered them recently.

          $.ajax({
              type: "POST",
              url: "https://mycorporatesite.com/blue/delete-all-my-stuff",
              data: "",
              // withCredentials makes the browser attach cookies and cached Basic credentials
              // to this cross-origin request without the page ever seeing them
              xhrFields: {
                  withCredentials: true
              },
              success: function(s) { console.log('success', s); },
              dataType: 'application/json'
          });


          Ben Walding added a comment -

          Requiring a header only stops the most basic attacks. Once you have XSS in the mix it does nothing.


          Ivan Meredith added a comment -

          Ok, I can go for that.


          Ben Walding added a comment -

          Some comments from a recent HN post about JWT and curl.

          As a developer currently working with OpenID Connect (OIDC) and JSON Web Token (JWT), using curl is indeed not a problem at all:
              curl -i ... // Perform authentication to obtain JWT
              export JWT="eY..." // Place JWT in a shell variable
              curl -i -H "Authorization: Bearer $JWT" ... // Call your API
          That's all there is to it.

          80x25 5 hours ago

          Exactly, perhaps even simpler:
              curl ... // perform authentication to obtain JWT | xargs -I TOKEN curl -H "Authorization: Bearer TOKEN" ... // Call your API

          Not quite as simple as a single curl, but probably simple enough.


          Vivek Pandey added a comment -

          Yeah, let's keep basic auth aside; it can leave a hole and you don't want to use it in a browser client. Something on JWT vs cookie I read a couple of years ago: http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong.


          Vivek Pandey added a comment -

          All backend API changes are in place along with tests. More testing needs to be done, though. Although it's closer to ready for review for merge, we need all the UI side changes for end to end to work. Yes, JWT is enabled by default and can be disabled by providing a system property, so it's important to finish the UI side changes and do a single merge.

          See all the frontend and backend tasks at https://github.com/jenkinsci/blueocean-plugin/pull/392.


          Ivan Meredith added a comment -

          This is blocked on frontend tests breaking. We'll use the meeting tomorrow to talk about it.


          Tom FENNELLY added a comment -

          Use of the pem-jwk NPM package is causing a bit of grief for us because its published code has a const variable declaration, which is not liked by browserify-transform-tools (which we use in js-builder). I've raised a ticket on that so hope to find a solution.


          Tom FENNELLY added a comment -

          imeredith PR to fix the issues you were having: https://github.com/jenkinsci/blueocean-plugin/pull/444

          I fixed the immediate issues caused by the pem-jwk NPM package using const in the published code, but I think this is going to cause issues on some browsers (def IE) and we'll have to sort that too.


            imeredith Ivan Meredith
            jamesdumay James Dumay