#1 2025-10-05 10:59:56

anouri
Member
Registered: 2024-02-11
Posts: 116

How can I get secret from TJwtHS256?

Hi AB,
First of all, thank you for the great framework.
I am using the following code for JWT implementation:
https://gist.github.com/a-nouri/c61aef8 … f413b4538f
The code works, and I can retrieve the JWT JSON using the Delphi REST debugger (at http://localhost:8282/root/Auth?UserName=User&Password=synopse):

{
    "result": "302102+5B8F237C0D720FD66C3230C054AB161362E8E0FC12136AC3AE8196765B6C2779",
    "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9ua2V5IjoiMzAyMTAyKzVCOEYyMzdDMEQ3MjBGRDY2QzMyMzBDMDU0QUIxNjEzNjJFOEUwRkMxMjEzNkFDM0FFODE5Njc2NUI2QzI3NzkiLCJpc3MiOiJVc2VyIiwic3ViIjoiand0LmFjY2VzcyIsImV4cCI6MTc1OTY2MjE1MX0.iUQmvtUov2YvB02UnJQkq0RXZNzN0AJzAcUCC4E5kBo"
}

However, when I try to validate it on jwt.io, it requires the secret key.
I can't find a way to retrieve the secret, but when debugging the Create method, I can see this value:

893ee7b5d45733a3bb3f8907a46233a3a510f05533de8d50ac10edbc7653f2f8

Thanks for your help!

Last edited by anouri (2025-10-05 11:11:52)

Offline

#2 2025-10-05 16:12:17

flydev
Member
From: France
Registered: 2020-11-27
Posts: 131
Website

Re: How can I get secret from TJwtHS256?

The secret is the same as the param you set on TJwtHS256.Create if SecretPbkdf2Round is 0. If you didn't modify the public example then a new secret is generated on each server start and it's the sha256 hash of a random guid, see there.

Just set a breakpoint and copy the value, or echo the key on the console (or generate a new hash from a dummy secret) and then copy paste the key on jwt.io, you should get a valid signature.

Last edited by flydev (2025-10-05 16:15:20)

Offline

#3 2025-10-06 11:37:06

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

Hi flydev.
There was a minor bug in your code and I fixed it.
The changed function is this:
// function TRestServerAuthenticationJWT.Auth(Ctxt: TRestServerURIContext; const aUserName: RawUTF8): boolean; // original
function TRestServerAuthenticationJWT.Auth(Ctxt: TRestServerURIContext): boolean; // changed

I posted the link to the gist in my first post of the topic.

If I understand correctly, "Create(SHA256(GUIDToRawUTF8(vGUID))" is the secret, right?

JWTForUnauthenticatedRequest :=
    TJwtHS256.
      Create(SHA256(GUIDToRawUTF8(vGUID)), 0, [jrcIssuer, jrcSubject], [],
        JWTDefaultTimeout);

Last edited by anouri (2025-10-06 11:40:22)

Offline

#4 2025-10-06 11:44:45

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

Yes, I got it, and now I can find the secret.
Many thanks!

Offline

#5 2025-10-06 11:48:38

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I have another question.
Is it possible to create an interface-based service for authentication and use it on the client side?
Something like this:

type
  IAuthentication  = interface(IInvokable)
    ['{C92DCBEA-C680-40BD-8D9C-3E6F2ED9C9CF}']
    procedure GetToken...;
    procedure RefreshToken...;
    procedure IsTokenValid...;
    ...

  end;

Last edited by anouri (2025-10-06 11:51:58)

Offline

#6 2025-10-06 12:42:05

flydev
Member
From: France
Registered: 2020-11-27
Posts: 131
Website

Re: How can I get secret from TJwtHS256?

Yes, I've read your comment (I edited it on the PR :) ). It was not really a bug but a change in the framework implementation. I didn't have the time to push my changes and merge @koraycayiroglu's code.

Is it possible to create interface based service for authentication and use it in client side?

Yes you can, just register your service with bypassauthentication true. In the initial sample they were implemented as service methods, as I think it fits better for accessing the service context. You can mix both interface/service methods without problem.

Offline

#7 2025-10-06 13:30:20

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

Thank you. I will try

Offline

#8 2025-10-06 14:39:06

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I saw that in other REST services' Swagger pages there is an authentication button at the top of the page, but in your sample project this button does not exist!
How can I enable this option?

Offline

#9 2025-10-06 16:28:33

flydev
Member
From: France
Registered: 2020-11-27
Posts: 131
Website

Re: How can I get secret from TJwtHS256?

I don't understand this one, sorry - if you mean the Swagger editor, you will get a button if you define some security schemes. Which API definition are you talking about?

Last edited by flydev (2025-10-06 16:28:49)

Offline

#10 Yesterday 05:27:30

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I copy some template files to my bin folder and then use swagger this way:

https://petstore.swagger.io/?url=http://localhost:888/root/wrapper/Swagger/mORMotClient.json.txt

Last edited by anouri (Yesterday 05:30:38)

Offline

#11 Yesterday 06:37:21

flydev
Member
From: France
Registered: 2020-11-27
Posts: 131
Website

Re: How can I get secret from TJwtHS256?

I see, your file is probably missing something or contains bad formatting. Swagger doesn't care about the server itself, it's about the file definition.

Offline

#12 Yesterday 08:31:34

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I copied the "Swagger.json.mustache" file from somewhere into the templates folder and I am not familiar with it :(

Last edited by anouri (Yesterday 08:31:52)

Offline

#13 Yesterday 09:13:30

flydev
Member
From: France
Registered: 2020-11-27
Posts: 131
Website

Re: How can I get secret from TJwtHS256?

I can help you, but put in some effort :)
Just share the file.

Offline

#14 Yesterday 09:17:23

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

Offline

#15 Yesterday 11:35:49

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I have one problem:
I created a JWT REST server and mORMot creates users and groups in an SQLite database.
But I have my own users table in my MySQL database too. How can I use my own users and groups tables in my MySQL database instead of the mORMot SQLite database?

Last edited by anouri (Yesterday 11:36:58)

Offline

#16 Yesterday 12:06:47

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I found this:
OrmMapExternalAll(MyModel, aDbConnection, []);

and now mORMot creates the jwtauthuser and authgroup tables in the MySQL database.

Offline

#17 Today 07:31:36

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

After calling OrmMapExternalAll I add a user to my jwtauthuser table, but mORMot does not add it to its internal in-memory storage, and when I call the Auth URI, I get an error:

{
    "errorCode": 403,
    "errorText": "Authentication Failed: Unknown user (2)"
}

How can I reload the settings? Suppose I add a user to the table while the service is running. How can I retrieve the users list again?

Last edited by anouri (Today 07:33:30)

Offline

#18 Today 08:56:27

flydev
Member
From: France
Registered: 2020-11-27
Posts: 131
Website

Re: How can I get secret from TJwtHS256?

This is beyond the scope of the JWT thing. You didn't describe how you are adding the user, so I assume you are manually adding a user into the external auth user table: if the ORM cache is enabled, then this behavior is expected. You could see that you are hitting the ORM cache on the console by enabling server logs (and by reading the manual).

That said, set db.usecache to false or write a small REST client tool for adding your users.

Last edited by flydev (Today 08:56:43)

Offline

#19 Today 09:09:40

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I add users to my table with database manager tools (like HeidiSQL, ...).
After much trial and error I found that when I declare:

  TMyRest = class(TRestServerDB)

it works, but when I use:

  TMyRest = class(TRestServerFullMemory)

it does not work!

Last edited by anouri (Today 09:11:10)

Offline

#20 Today 09:18:02

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

Is this expected behaviour when I use:

TMyRest = class(TRestServerFullMemory)

mORMot does not retrieve users from the DB, or is this a bug?
https://synopse.info/forum/profile.php?id=2

Last edited by anouri (Today 09:21:59)

Offline

#21 Today 09:35:42

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,226
Website

Re: How can I get secret from TJwtHS256?

TRestServerFullMemory = full memory db = no sql db by design.

You need to either
1) provide a TRestOrmServerFullMemory.FileName for local user/group storage (local JSON storage may be simple and safe enough) - optionally with TRestOrmServerFullMemory.UpdateToFile on updates, if writing at shutdown is not enough
2) switch to a TRestServerDB and an external SQL mapping - but ensure you don't publish the tables as REST
3) set up a TRestServer.OnAuthenticationUserRetrieve callback to retrieve some user information e.g. with direct SQL over an existing database

Offline

#22 Today 10:14:00

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

Thank you.

Offline

#23 Today 11:21:22

anouri
Member
Registered: 2024-02-11
Posts: 116

Re: How can I get secret from TJwtHS256?

I am using method 2, but I don't understand "don't publish the tables as REST".

Offline
