
Can cookie authentication be combined with JWT authentication?

Open Raggugga opened this issue 2 years ago • 2 comments

Summary

Right now it seems that even if I'm sending a valid JWT along with a POST /_session request, CouchDB still requires a user name in the body in order to issue a session cookie. But in this case it could very well create a session cookie and hand it back to the client.

Desired Behaviour

By supporting JWT authentication on a POST /_session request, the JWT could be sent only once by the client and then a session cookie used subsequently for data exchange.

Additional context

There seems to be a growing number of people being concerned about JWTs being used as session tokens by sending them repeatedly, while they're really only intended to be used as login credentials.

Raggugga avatar Nov 18 '21 15:11 Raggugga

Hi,

To get that right: you want to define your users in the configuration file under [jwt_keys]. Then you want to send the JWT token to CouchDB (as a header) and get a cookie when the user is found in the configuration?

big-r81 avatar Jun 17 '22 20:06 big-r81

For any JWT token that is valid for a logon, I want to POST to the /_session API and get a session cookie assigned WITHOUT having to provide a username/password (because I already have a valid token). Subsequently, I want to use the session cookie for data I/O without having to use the JWT token again.

The reason why I'm asking is that some people from our infrastructure department had concerns about "abusing" JWT tokens as session cookies, pointing to some internet articles. I cannot take part in that discussion, not sure how "bad" that really would be. But I can somewhat understand, as, for example, MS Web Application Proxy uses an edge token for session management.

ghost avatar Jun 28 '22 10:06 ghost
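The exchange the issue asks for (present the JWT once on POST /_session, receive a session cookie, and send only the cookie afterwards) as an added, self-contained model. This is not CouchDB code: it does not reproduce CouchDB's AuthSession cookie format or its jwt_authentication_handler, and the keys, claim values, cookie name reuse and session lifetime are all constructed for the demo. It shows the security properties the infrastructure team was after: the JWT is verified once with a pinned algorithm and a constant-time MAC check, and what travels on every later request is a short-lived, server-signed cookie rather than the bearer token itself.

```python
"""Model of "JWT once, session cookie afterwards" (added example, not CouchDB code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets for the demo. In CouchDB the JWT verification key would be
# configured under [jwt_keys]; the cookie secret models the server's own cookie key.
JWT_KEY = b"constructed-jwt-signing-key"
COOKIE_SECRET = b"constructed-cookie-secret"
SESSION_TTL = 600            # seconds a session cookie stays valid (constructed value)
MAC_LEN = hashlib.sha256().digest_size


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = JWT_KEY) -> str:
    """Build an HS256 JWT; used only to produce input for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = JWT_KEY, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT: pinned alg, constant-time signature check, exp and sub checks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "sub" not in claims:
        raise ValueError("missing sub claim")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    return claims


def issue_session_cookie(name: str, now: Optional[float] = None) -> str:
    """Mint a cookie value of the form base64url(name:expiry || HMAC(name:expiry))."""
    now = time.time() if now is None else now
    body = f"{name}:{int(now) + SESSION_TTL}".encode()
    return _b64url_encode(body + hmac.new(COOKIE_SECRET, body, hashlib.sha256).digest())


def check_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    raw = _b64url_decode(cookie)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(COOKIE_SECRET, body, hashlib.sha256).digest(), mac):
        return None
    name, expiry = body.decode().rsplit(":", 1)
    return name if int(expiry) >= now else None


def post_session(headers: dict, now: Optional[float] = None) -> dict:
    """Desired POST /_session: bearer JWT in, Set-Cookie out, no name/password body."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "error": "unauthorized"}
    try:
        claims = verify_jwt(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return {"status": 401, "error": str(exc)}
    cookie = issue_session_cookie(claims["sub"], now=now)
    # Cookie name borrowed from CouchDB; the value format here is the demo's own.
    return {"status": 200, "name": claims["sub"],
            "Set-Cookie": f"AuthSession={cookie}; HttpOnly; Secure; SameSite=Strict"}


def authenticated_request(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Later data request: only the cookie is presented, the JWT is never re-sent."""
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "AuthSession":
            return check_session_cookie(value, now=now)
    return None


if __name__ == "__main__":
    token = make_jwt({"sub": "alice", "exp": int(time.time()) + 60})
    resp = post_session({"Authorization": "Bearer " + token})
    cookie_value = resp["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(resp["status"], authenticated_request({"Cookie": "AuthSession=" + cookie_value}))
```

The cookie carries an expiry that the server controls, so the JWT's own lifetime no longer bounds the session, and rotating COOKIE_SECRET invalidates every outstanding session at once, which is exactly the lever a team loses when the long-lived JWT itself is replayed on every request.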