#1 2017-05-29 13:46:27

JuanTTL
Member
Registered: 2017-05-29
Posts: 3

Interface-base service getting http header

http://blog.synopse.info/post/2016/12/1 … -%28JWT%29

in above post, it said "...Integration with method-based services is easy, using Ctxt.AuthenticationCheck method". I'd like to implement JWT by interface-base service instead. Is it possible to read http-header context , say bearer jwttoken? if yes, how to do it or other advice/sample?

Offline

#2 2017-05-29 13:50:19

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Interface-base service getting http header

You can set TSQLRestServer.JWTForUnauthenticatedRequest, as such:

    fRestServer.JWTForUnauthenticatedRequest := TJWTHS256.Create(
      aPasswordPlain, aPasswordPlainRounds, [jrcExpirationTime,jrcNotBefore], [], 15);

Offline

#3 2017-05-31 10:10:11

JuanTTL
Member
Registered: 2017-05-29
Posts: 3

Re: Interface-base service getting http header

In normal scenario, user call interface-base service for auth , say Login(userName, password) : TNotifyAuthenticationFailedReason. But how can interface service set a value back to RestServer as your advice?

Or mormot do not suggest implement JWT in interface-base service?

Offline

#4 2017-05-31 11:57:41

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Interface-base service getting http header

Usually, you retrieve the JWT token from another dedicated service and server.
For instance, this is how OAuth2 works.

Among benefits:
- the main service does not know anything about the authorization rights and passwords: it just validates a JWT for a given audience/resource from its known secret
- the authentication service can focus on the authorization process, and the main service on its own business (MicroService architecture: each service has its own storage)
- you can avoid DOS attack on your main service by rejecting most requests sooner
- you can use a load-balancer if the authentication service is used also as a catalog
- you can test a production service by providing a fake authentication server

Offline

#5 2017-06-01 08:09:28

JuanTTL
Member
Registered: 2017-05-29
Posts: 3

Re: Interface-base service getting http header

noted your advice. :-)

BTW, we are using "TjwtContent.compute" to generate custom payload, do it support nested object? in fact, we'd like to place a serialized JSONobject record into payload. Any advice?

Offline

#6 2017-06-01 09:21:28

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Interface-base service getting http header

Just store a TDocVariant object (using _JsonFast or _ObjFast functions) within the DataNameValue parameter of the Compute() method.
Then you will retrieve the object decoded in the TJWTContent.data field, on consumer side.

Ensure the object field names don't match standard JWT fields, otherwise the custom value may be overridden by the engine.

Offline

#7 2017-06-05 07:15:24

keinn
Member
Registered: 2014-10-20
Posts: 103

Re: Interface-base service getting http header

it is a little painful to use jwt by such.

Offline

#8 2017-06-05 16:22:06

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Interface-base service getting http header

You can retrieve the JWT content from the threadvar of the service execution context.

Offline

Board footer

Powered by FluxBB