#1 2022-12-01 18:34:47

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 392

JWT, OnAuthentificationFailed, and interface services

I am using a TRestHttpClientWinHttp to call interface services in a Mormot2 server and I am not using sessions.
As far as I can understand, Mormot2 does not support JWT by internal design.  There is no TRestClientAuthentication for JWTs.
In the server, I am checking whether the JWT header exists and whether it is valid in each interface call.

In the client, is it possible to use OnAuthentificationFailed event to refresh the expired JWT that the client should send in each interface call?

If I implement a timer based renew function running in the background, how can I protect the client from accessing the SessionHttpHeader during the timeframe it is set by the renew function?

Edit:
Is there an OnCall event that runs before a service interface call is made by a TRestHttpClientWinHttp? I noticed that SessionHttpHeader is added to the headers once, before the loop of OnAuthentificationFailed.

Thank you in advance

Last edited by dcoun (2022-12-02 07:37:56)

Offline

#2 2022-12-02 08:10:43

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,206
Website

Re: JWT, OnAuthentificationFailed, and interface services

You can use JWT on the server side, not part of the authentication classes, but as a TRestServer.JwtForUnauthenticatedRequest.
Within the service, you can access the JWT content using TRestServerUriContext.JwtContent field.

Then supply the JWT as part of the client as regular bearer in TRestClientUri.SessionHttpHeader.

See https://synopse.info/forum/viewtopic.ph … 454#p25454
and https://synopse.info/forum/viewtopic.php?id=4840
and https://synopse.info/forum/viewtopic.php?id=6336

Offline

#3 2022-12-02 08:19:06

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 392

Re: JWT, OnAuthentificationFailed, and interface services

Thank you @ab, I have already searched the above forum threads.
I have already created the server side implementation and it works OK.
My problem now is the client. From the above links you probably mean https://synopse.info/forum/viewtopic.ph … 051#p30051 but it is based on sessions, as far as I can understand.
Do you propose a solution without sessions?

Offline

#4 2022-12-02 11:31:26

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,206
Website

Re: JWT, OnAuthentificationFailed, and interface services

Just try to set TRestClientUri.SessionHttpHeader

It is used by sessions, but may be used without sessions IIRC.

Offline

#5 2022-12-02 11:47:37

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 392

Re: JWT, OnAuthentificationFailed, and interface services

Using OnAuthentificationFailed with a result (true/false) and changing TRestClientUri.SessionHttpHeader does not work.
Also, SessionHttpHeader is added to the headers once, before the loop of OnAuthentificationFailed.

Offline

#6 2022-12-02 15:36:16

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,206
Website

Re: JWT, OnAuthentificationFailed, and interface services

You are right.

I hope https://github.com/synopse/mORMot2/commit/244fe0e5 could help.

Thanks for the feedback.

Offline

#7 2022-12-03 06:44:25

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 392

Re: JWT, OnAuthentificationFailed, and interface services

Thank you a lot @ab. It works perfectly now with the JWTs from the client side.

Offline
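
The two client-side concerns raised in this thread (sending a refreshed JWT when a call is rejected, and guarding the shared bearer header against a concurrent renew) are modeled below as an added example in Python. It is not mORMot code and not from either poster; `BearerStore`, `call`, `fake_send` and the token strings are constructed for illustration.

```python
import threading

class BearerStore:
    """Thread-safe holder for the bearer token shared by callers and a renewer."""
    def __init__(self, token, fetch_new):
        self._lock = threading.Lock()
        self._token = token
        self._fetch_new = fetch_new   # hypothetical callable returning a fresh JWT
        self.refreshes = 0

    def snapshot(self):
        # Readers take the lock, so they never observe a value mid-update.
        with self._lock:
            return self._token

    def refresh_if_stale(self, rejected):
        # Single-flight: only the first caller holding the rejected token renews;
        # the lock is held during the fetch so later callers reuse the result.
        with self._lock:
            if self._token == rejected:
                self._token = self._fetch_new()
                self.refreshes += 1
            return self._token

def call(send, store, max_retries=1):
    """Send one request; on 401, renew the token and retry with a new header."""
    for attempt in range(max_retries + 1):
        token = store.snapshot()
        # The header is rebuilt inside the loop. Building it once before the
        # loop would resend the rejected token on every retry.
        status = send({"Authorization": "Bearer " + token})
        if status != 401:
            return status
        if attempt < max_retries:
            store.refresh_if_stale(token)
    return 401

# Constructed stand-ins for the token issuer and the server-side JWT check.
_issued = iter(["jwt-2", "jwt-3"])
VALID = {"jwt-2"}

def fake_send(headers):
    return 200 if headers["Authorization"][len("Bearer "):] in VALID else 401

def demo():
    store = BearerStore("jwt-1-expired", lambda: next(_issued))
    results = []
    workers = [threading.Thread(target=lambda: results.append(call(fake_send, store)))
               for _ in range(8)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results, store.refreshes, store.snapshot()
```

Eight concurrent callers start with an expired token, yet only one renewal is issued, because each caller passes the token that was rejected and the store renews only if that token is still the current one.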
