Hi,
I'm planning to use JWT for authentication in my project. I use interface-based services; is there a way to use AllowAllByID/DenyAllByID with JWT (without a session)?
Thanks a lot for the framework and your help.
Regards.
Yes, you can do this directly at TSQLRestServer level, assigning a JWT instance to the JWTForUnauthenticatedRequest property.
Then add the corresponding JWT on the client side, using TSQLRestClientURI.SessionHttpHeader to setup the authorization header.
Thank you for your quick answer. The client will be AJAX, so it will send the token in the Authorization header.
I used JWTForUnauthenticatedRequest to validate the token, and it works fine, but how can I get the user group from the token on the server side and then call AllowAllByID? (In the mORMot code, I saw that AllowAllByID validates the GroupID from the session!)
Hi AB,
I finally patched the mORMot source because TSQLRestClientURI.SessionHttpHeader was protected (in the latest source it is public now), then created a small client app to test JWT, and I got an error saying that a claim was missing. My token does contain the claim, and after looking at the JWT validation code, the following condition seems to be inverted:
    if claims-JWT.claims<>[] then
      JWT.result := jwtMissingClaim else begin
      SetString(headpayload,tok,payloadend-1);
      JWT.result := jwtValid;
    end;
Can you please advise me how to use AllowAllByID with JWT? I mean, as I don't use a session, how can I reject a request if the sender is not allowed to access an interface service? Using OnBeforeURI?
Regards.
Last edited by ehkhalid (2018-05-20 11:20:00)
Yes... the logic was inverted!
See https://synopse.info/fossil/info/78c07d14f5
If the server is complaining that a claim is missing, then the problem is that there is a missing claim on your client side.
Then, the JWTForUnauthenticatedRequest property is global for all kinds of server-side process (ORM, methods, interfaces...).
There is no way to tune the authentication at a lower level.
Currently, the user information is not extracted from the JWT, only from a valid mORMot session...
What we do in such a case is (either one or both):
- In OnBeforeURI, validate the JWT and the URI itself (possibly according to the JWT) - we usually do this, behind an nginx reverse proxy, on public servers which may suffer from severe DoS attacks
- In the interface-based service or the method-based service, retrieve the detailed information from the current TSQLRestServerURIContext.JWTContent field, then handle authorization.
Usually, we don't use TSQLAuthUser with JWT, but an external user registration service, e.g. OAuth2-based, then put the needed authorization flags in the JWT.
Thanks for the quick fix. The final solution I implemented yesterday was exactly what you described; after all, it's very easy to check the JWT and the authorization in the OnBeforeURI event,
and all is working fine now.
Is there a way to disable all the default method service URIs, I mean Root/tablename/? I want to use only interface-based services, so for now I used this code in the OnBeforeURI event to disable method URIs:
    if Ctxt.Command<>execSOAByInterface then
      Ctxt.Error('Method services are not allowed',[403]);
After some more investigation, the previous implementation was correct.
    if claims-JWT.claims<>[] then
      JWT.result := jwtMissingClaim
is exactly what is expected.
The required claims are
claims = fClaims - excluded
and the found claims are
JWT.claims
so the expression WAS correct.
I need to revert the previous fix.
See https://synopse.info/fossil/info/2effba3e23
Please check your code: there should be something wrong on your client code: some missing claims in the client JWT.
You're right, the expression is OK. I found the issue: I create the JWTForUnauthenticatedRequest like this:
    aRestServer.JWTForUnauthenticatedRequest := TJWTHS256.Create('1234567890',0,[jrcSubject],[],60);
and my token contains only the "sub" claim, so in theory there is no missing claim, but as I specified an expiration time in the constructor (60 minutes), the code (TJWTAbstract) automatically adds the expiration time claim; that's why the error occurs.
Thanks for your help, and sorry for this.
Last edited by ehkhalid (2018-05-21 13:34:59)
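The pattern described in this thread (reject everything but interface-based services in OnBeforeURI, authorize from the token's own claims via Ctxt.JWTContent instead of a session, and issue client tokens that also carry the "exp" claim which a non-zero aExpirationMinutes adds to the required set), put together as one added example. This is not code from the thread or from the mORMot project itself: it assumes the mORMot 1.18 API (SynCommons, SynCrypto, mORMot, mORMotHttpServer), and the claim name 'group', the interface IExampleService, its GUID and the port are names chosen for this example.

```pascal
// Added example, not code from this thread nor from the mORMot project.
// Assumes mORMot 1.18 units; 'group' claim name, IExampleService and its
// GUID, and port 8888 are hypothetical choices made for this example.
program JwtInterfaceOnlyServer;

{$I Synopse.inc}

uses
  SysUtils, SynCommons, SynCrypto, mORMot, mORMotHttpServer;

const
  // Shared HS256 secret: '1234567890' from the thread is only a test value;
  // use a long random secret (e.g. 32+ random bytes) in production
  JWT_SECRET = '1234567890';

type
  IExampleService = interface(IInvokable)
    ['{9E5B0C6A-3F24-4C2E-8D4B-5A6E7F1C2D3B}']
    function Hello(const Name: RawUTF8): RawUTF8;
  end;

  TExampleService = class(TInterfacedObject, IExampleService)
  public
    function Hello(const Name: RawUTF8): RawUTF8;
  end;

  TServer = class
  public
    Rest: TSQLRestServerFullMemory;
    Http: TSQLHttpServer;
    constructor Create;
    destructor Destroy; override;
    // OnBeforeURI callback: returning false aborts the request
    function BeforeURI(Ctxt: TSQLRestServerURIContext): boolean;
  end;

function TExampleService.Hello(const Name: RawUTF8): RawUTF8;
begin
  result := 'Hello ' + Name;
end;

function TServer.BeforeURI(Ctxt: TSQLRestServerURIContext): boolean;
var group: RawUTF8;
begin
  result := false;
  // 1. only interface-based services are reachable: ORM (Root/tablename/)
  //    and method-based URIs are refused with 403
  if Ctxt.Command <> execSOAByInterface then begin
    Ctxt.Error('Only interface-based services are allowed', HTTP_FORBIDDEN);
    exit;
  end;
  // 2. the signature, required claims and "exp" were already checked by
  //    JWTForUnauthenticatedRequest; authorize from the payload, no session
  if Ctxt.JWTContent.result <> jwtValid then begin
    Ctxt.Error('Invalid token', HTTP_FORBIDDEN);
    exit;
  end;
  group := Ctxt.JWTContent.data.U['group']; // custom claim (assumed name)
  if group <> 'admin' then begin
    Ctxt.Error('Group "' + group + '" may not call ' + Ctxt.URI, HTTP_FORBIDDEN);
    exit;
  end;
  result := true;
end;

constructor TServer.Create;
begin
  Rest := TSQLRestServerFullMemory.CreateWithOwnModel([], false, 'root');
  // aExpirationMinutes=60 makes TJWTAbstract add jrcExpirationTime to the
  // required claims: a client token carrying only "sub" is rejected as
  // jwtMissingClaim, which is the pitfall found earlier in this thread
  Rest.JWTForUnauthenticatedRequest :=
    TJWTHS256.Create(JWT_SECRET, 0, [jrcSubject], [], 60);
  Rest.OnBeforeURI := BeforeURI;
  Rest.ServiceRegister(TExampleService, [TypeInfo(IExampleService)], sicShared);
  Http := TSQLHttpServer.Create('8888', [Rest], '+', useHttpApiRegisteringURI);
end;

destructor TServer.Destroy;
begin
  Http.Free;
  Rest.Free;
  inherited;
end;

// Token issuer (OAuth2-style registration service or test client): Compute()
// emits "sub", the "exp" required above and the custom "group" claim, so the
// client can send it as 'Authorization: Bearer <token>' via SessionHttpHeader
function IssueToken(const UserName, Group: RawUTF8): RawUTF8;
var jwt: TJWTHS256;
begin
  jwt := TJWTHS256.Create(JWT_SECRET, 0, [jrcSubject], [], 60);
  try
    result := jwt.Compute(['group', Group], '', UserName);
  finally
    jwt.Free;
  end;
end;

var srv: TServer;
begin
  TInterfaceFactory.RegisterInterfaces([TypeInfo(IExampleService)]);
  srv := TServer.Create;
  try
    writeln('Bearer token for alice/admin: ', IssueToken('alice', 'admin'));
    writeln('Server listening on :8888, press [Enter] to quit');
    readln;
  finally
    srv.Free;
  end;
end.
```

On the client, set TSQLRestClientURI.SessionHttpHeader to 'Authorization: Bearer ' followed by the token from IssueToken, as the thread describes; a token issued with the same secret but without the "group" claim passes JWTForUnauthenticatedRequest yet is refused by BeforeURI, and a token built with aExpirationMinutes=0 (so without "exp") never reaches BeforeURI at all.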
Do we have an example of this?
Can we have a working example of this, please?