#1 2017-05-29 13:46:27

JuanTTL
Member
Registered: 2017-05-29
Posts: 3

Interface-base service getting http header

http://blog.synopse.info/post/2016/12/1 … -%28JWT%29

In the above post, it said "...Integration with method-based services is easy, using Ctxt.AuthenticationCheck method". I'd like to implement JWT with an interface-based service instead. Is it possible to read the HTTP header context, say the bearer JWT token? If yes, how to do it, or is there any other advice/sample?

Offline

#2 2017-05-29 13:50:19

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,245
Website

Re: Interface-base service getting http header

You can set TSQLRestServer.JWTForUnauthenticatedRequest, as such:

    fRestServer.JWTForUnauthenticatedRequest := TJWTHS256.Create(
      aPasswordPlain, aPasswordPlainRounds, [jrcExpirationTime,jrcNotBefore], [], 15);

Offline

#3 2017-05-31 10:10:11

JuanTTL
Member
Registered: 2017-05-29
Posts: 3

Re: Interface-base service getting http header

In a normal scenario, the user calls an interface-based service for auth, say Login(userName, password): TNotifyAuthenticationFailedReason. But how can the interface service set a value back to the RestServer, as you advise?

Or does mORMot not suggest implementing JWT in an interface-based service?

Offline

#4 2017-05-31 11:57:41

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,245
Website

Re: Interface-base service getting http header

Usually, you retrieve the JWT token from another dedicated service and server.
For instance, this is how OAuth2 works.

Among benefits:
- the main service does not know anything about the authorization rights and passwords: it just validates a JWT for a given audience/resource from its known secret
- the authentication service can focus on the authorization process, and the main service on its own business (MicroService architecture: each service has its own storage)
- you can avoid DoS attacks on your main service by rejecting most requests sooner
- you can use a load-balancer if the authentication service is used also as a catalog
- you can test a production service by providing a fake authentication server

Offline

#5 2017-06-01 08:09:28

JuanTTL
Member
Registered: 2017-05-29
Posts: 3

Re: Interface-base service getting http header

Noted your advice. :-)

BTW, we are using "TjwtContent.compute" to generate a custom payload; does it support nested objects? In fact, we'd like to place a serialized JSON object record into the payload. Any advice?

Offline

#6 2017-06-01 09:21:28

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,245
Website

Re: Interface-base service getting http header

Just store a TDocVariant object (using _JsonFast or _ObjFast functions) within the DataNameValue parameter of the Compute() method.
Then you will retrieve the object decoded in the TJWTContent.data field, on consumer side.

Ensure the object field names don't match standard JWT fields, otherwise the custom value may be overridden by the engine.

Offline
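
The split described in posts #4 and #6, as an added example that is not part of the thread and is not mORMot code: a Python sketch in which an authentication service issues an HS256 token carrying a nested object, and the main service validates signature, audience and the nbf/exp window from the shared secret alone. The names `compute`, `verify`, `SECRET`, `REGISTERED` and the raw byte secret (no password derivation) are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

REGISTERED = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}  # RFC 7519 claim names
SECRET = b"constructed-demo-secret"  # constructed value shared by both services

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret, signing_input):
    return _b64(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def compute(secret, data, audience, minutes=15, now=None):
    """Authentication service: issue a token carrying custom (possibly nested) data."""
    clash = REGISTERED.intersection(data)
    if clash:  # a custom field named like a standard claim would be overridden
        raise ValueError(f"custom fields collide with JWT claims: {sorted(clash)}")
    now = int(time.time() if now is None else now)
    payload = dict(data, aud=audience, nbf=now, exp=now + minutes * 60)
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{head}.{body}.{_sign(secret, head + '.' + body)}"

def verify(secret, token, audience, now=None):
    """Main service: return the custom data, or raise ValueError on any failure."""
    try:
        head, body, sig = token.split(".")
        # Check the signature (constant time) before parsing any attacker-supplied JSON.
        if not hmac.compare_digest(sig.encode(), _sign(secret, f"{head}.{body}").encode()):
            raise ValueError("bad signature")
        header, payload = json.loads(_unb64(head)), json.loads(_unb64(body))
    except (ValueError, TypeError) as exc:
        raise ValueError(f"rejected: {exc}") from None
    now = int(time.time() if now is None else now)
    if header.get("alg") != "HS256":
        raise ValueError("rejected: unexpected alg")
    if payload.get("aud") != audience:
        raise ValueError("rejected: wrong audience")
    if not (payload.get("nbf", now + 1) <= now < payload.get("exp", 0)):
        raise ValueError("rejected: outside nbf/exp window")
    return {k: v for k, v in payload.items() if k not in REGISTERED}
```
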

#7 2017-06-05 07:15:24

keinn
Member
Registered: 2014-10-20
Posts: 100

Re: Interface-base service getting http header

It is a little painful to use JWT like this.

Offline

#8 2017-06-05 16:22:06

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,245
Website

Re: Interface-base service getting http header

You can retrieve the JWT content from the threadvar of the service execution context.

Offline
