http://blog.synopse.info/post/2016/12/1 … -%28JWT%29
In the above post, it said "...Integration with method-based services is easy, using Ctxt.AuthenticationCheck method". I'd like to implement JWT by an interface-based service instead. Is it possible to read the HTTP header context, say the bearer JWT token? If yes, how do I do it, or is there other advice or a sample?
You can set TSQLRestServer.JWTForUnauthenticatedRequest, as such:
// secret, PBKDF2 rounds on the secret, required claims, accepted audiences, token lifetime in minutes
fRestServer.JWTForUnauthenticatedRequest := TJWTHS256.Create(
  aPasswordPlain, aPasswordPlainRounds, [jrcExpirationTime,jrcNotBefore], [], 15);
In a normal scenario, the user calls an interface-based service for auth, say Login(userName, password): TNotifyAuthenticationFailedReason. But how can the interface service set a value back to the RestServer as you advise?
Or does mORMot not suggest implementing JWT in an interface-based service?
Usually, you retrieve the JWT token from another dedicated service and server.
For instance, this is how OAuth2 works.
Among benefits:
- the main service does not know anything about the authorization rights and passwords: it just validates a JWT for a given audience/resource from its known secret
- the authentication service can focus on the authorization process, and the main service on its own business (MicroService architecture: each service has its own storage)
- you can avoid DoS attacks on your main service by rejecting most requests sooner
- you can use a load-balancer if the authentication service is used also as a catalog
- you can test a production service by providing a fake authentication server
Noted your advice. :-)
BTW, we are using "TJWTContent.Compute" to generate a custom payload. Does it support nested objects? In fact, we'd like to place a serialized JSON object record into the payload. Any advice?
Just store a TDocVariant object (using _JsonFast or _ObjFast functions) within the DataNameValue parameter of the Compute() method.
Then you will retrieve the decoded object in the TJWTContent.data field, on the consumer side.
Ensure the object field names don't match standard JWT fields, otherwise the custom value may be overridden by the engine.
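The nested-payload round trip described above, as an added example written against the mORMot 1.18 TJWTHS256 / TJWTContent API mentioned in this thread (not code from the forum or from the project itself). The secret, claim set and field names are assumed, and RESERVED_CLAIMS is a local list of the RFC 7519 registered claim names, used to detect the collision the reply warns about:

```pascal
uses
  SysUtils, SynCommons, SynCrypto;

const
  // registered claim names (RFC 7519); a custom field with one of these names may be overwritten by the engine
  RESERVED_CLAIMS: array[0..6] of RawUTF8 = ('iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti');

// returns the first top-level custom field name that collides with a registered claim, or '' if none
function CollidingClaim(const Payload: TDocVariantData): RawUTF8;
var
  i, j: integer;
begin
  for i := 0 to Payload.Count - 1 do
    for j := 0 to high(RESERVED_CLAIMS) do
      if IdemPropNameU(Payload.Names[i], RESERVED_CLAIMS[j]) then begin
        result := Payload.Names[i];
        exit;
      end;
  result := '';
end;

// issue a token carrying a nested TDocVariant object, then decode it on the consumer side
procedure NestedPayloadRoundTrip;
var
  jwt: TJWTHS256;
  profile, user: variant;
  token: RawUTF8;
  content: TJWTContent;
begin
  // assumed secret and claim set: HMAC-SHA256 secret, PBKDF2 rounds, required claims, audiences, 15 min lifetime
  jwt := TJWTHS256.Create('replace-with-a-long-random-secret', 1000,
    [jrcIssuer, jrcSubject, jrcAudience, jrcExpirationTime, jrcNotBefore], ['api'], 15);
  try
    // the custom payload: a nested object built with _ObjFast / _ArrFast
    profile := _ObjFast(['name', 'alice', 'roles', _ArrFast(['reader', 'writer']),
      'tenant', _ObjFast(['id', 42, 'plan', 'pro'])]);
    // 'user' is not a registered claim name, so the engine will not overwrite it
    token := jwt.Compute(['user', profile], 'auth-server', 'alice', 'api');
    // consumer side: signature and claims are verified, custom fields land in content.data
    jwt.Verify(token, content);
    if content.result <> jwtValid then
      raise Exception.CreateFmt('token rejected: %d', [ord(content.result)]);
    if CollidingClaim(content.data) <> '' then
      raise Exception.Create('custom field shadows a registered claim');
    // content.data is a TDocVariantData: nested objects stay navigable via late binding
    user := content.data.Value['user'];
    writeln(user.tenant.plan);
  finally
    jwt.Free;
  end;
end;
```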
It is a little painful to use JWT this way.