#1 2018-03-02 20:20:10

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

How to use JWT token on the client side

I'm implementing JWT authentication in my project, and previously I was using a third party JWT library and storing the token on a cookie so it was transparent on the client side as the cookie was sent on every request.

Now I've replaced the JWT implementation on the server side and everything is OK.

But I can't figure out how to send the token back to the server after I get it on the client side, right now what I have is:

- Client sends login/password to server
- Server authenticates and returns the token (string)

This is working just fine, but on the client I need to read the token payload, so what I did was something like this:

FToken := LoginService.Login(AUserName, APassword);

if TJWTAbstract.VerifyPayload(FToken, '', 'Monde', '') <> jwtValid then
    raise EValidationError.Create('Invalid Token.');

Token := TJWTHS256.Create('', 0, [], []);
try
  Token.Verify(FToken, JWT); // Is this the only way to read the payload values? 

  UserID := JWT.data.S['uid'];
finally
  Token.free;
end;

Is this the correct way to read the token's payload on the client side?

Now, how do I send the token on the Header now so the server can authenticate the client?

Last edited by fabioxgn (2018-03-02 20:22:26)

Offline

#2 2018-03-02 20:45:59

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571
Website

Re: How to use JWT token on the client side

Answer to the second qeustion: send it in Authorization header. Authorization: Bearer base64JWTContent
See comments above TSQLRestServerURIContext.AuthenticationCheck in mORMot.pas

Offline

#3 2018-03-02 20:57:51

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: How to use JWT token on the client side

Figure how to send the token:

  FRestClient.SessionHttpHeader := HEADER_BEARER_UPPER + Token;

But I'm still not sure about the correct way to read the payload on the client.

Offline

#4 2018-03-03 11:58:16

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: How to use JWT token on the client side

So you want to decode the token payload on the client, without knowing the secret key?

The Verify() method can do this - even if since you don't know the secret, it will return "invalid".
Therefore, it is not the most convenient way...

I've just added a new Payload optional parameter to TJWTAbstract.VerifyPayload() so that you may be able to easily check the payload content as a TDocVariantData.
See https://synopse.info/fossil/info/3e0909f6e2

Offline

#5 2018-03-03 13:32:46

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: How to use JWT token on the client side

ab wrote:

So you want to decode the token payload on the client, without knowing the secret key?

The Verify() method can do this - even if since you don't know the secret, it will return "invalid".
Therefore, it is not the most convenient way...

I've just added a new Payload optional parameter to TJWTAbstract.VerifyPayload() so that you may be able to easily check the payload content as a TDocVariantData.
See https://synopse.info/fossil/info/3e0909f6e2

Exactly, I store some info which interests the client on the payload. The VerifyPayload() is now perfect. Thanks.

Offline

#6 2018-03-03 14:33:14

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: How to use JWT token on the client side

ab, don't know if you already noticed but now the SynCrypto unit has a hint:

SynCrypto.pas(14221) Hint: H2443 Inline function '_Json' has not been expanded because unit 'System.Variants' is not specified in USES list

Offline

#7 2018-03-03 19:06:03

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: How to use JWT token on the client side

Offline

#8 2018-03-05 18:20:25

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: How to use JWT token on the client side

ab, one last question, is this the correct way to read the payload?

var
  Payload: Variant;
  Data: TDocVariantData;
begin
  if TJWTAbstract.VerifyPayload(Token, '', 'mormot', '', nil, nil, @Payload) <> jwtValid then
    raise EError.Create('Invalid token');

  Data := TDocVariantData(Payload);

  Value := Data.S['key'];

Offline

#9 2018-03-05 19:43:56

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: How to use JWT token on the client side

or safer

var Data: PDocVariantData;
....
  Data := _Safe(Payload);

Offline

Board footer

Powered by FluxBB