#1 2023-08-02 20:46:17

mrbar2000
Member
From: Brazil
Registered: 2016-10-26
Posts: 58

Anyone has a JWT Authentication scheme

I see some posts on the group about JWT, for example:
1. https://synopse.info/forum/viewtopic.php?id=4840

but I have some problems with retrieving the session, releasing the session, etc.
The implementation creates one session for each request, when it should be per user (TAuthSession.AuthUser).
I need a refresh token too.
Does anyone have a more complete implementation?
Can anyone help us?


#2 2023-08-03 07:10:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,242
Website

Re: Anyone has a JWT Authentication scheme

Note that this third-party implementation is not supported.
We did not include such a class, because in fact, a JWT should contain the session information itself (this is how a JWT stateless session works), and not use the stateful in-memory sessions of our REST or RPC schemes.
https://stackoverflow.com/a/55887742/458259

To implement a JWT properly, you could rather use TRestServer.JwtForUnauthenticatedRequest.
Then, once authenticated, you get the JWT payload information (and any session you wish) within TRestUriContext.JwtContent.

For the renewal, you may use your own service to recompute a token, as you did to return the initial token.
This is to be defined at service level, e.g. using OAuth2 or something similar, and is outside of the scope of TRestServer: currently, TRestServer does not return the initial token.


#3 Yesterday 14:13:55

mrbar2000
Member
From: Brazil
Registered: 2016-10-26
Posts: 58

Re: Anyone has a JWT Authentication scheme

Arnold wrote:

To implement a JWT properly, you could rather use TRestServer.JwtForUnauthenticatedRequest.
Then, once authenticated, you get the JWT payload information (and any session you wish) within TRestUriContext.JwtContent.

I understand that I should store any and all information I need in the JWT payload instead of using sessions. OK, I am doing this!
I would like to know where to store, for example, the email and user id per request, to be used within my classes that implement the REST endpoint.

Is there some way to put this extra information into ServiceRunningContext?


#4 Yesterday 17:48:31

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,242
Website

Re: Anyone has a JWT Authentication scheme

ab wrote:

Then, once authenticated, you get the JWT payload information (and any session you wish) within TRestUriContext.JwtContent.

So you don't put this information in ServiceRunningContext: you have your JWT payload available in ServiceRunningContext.Request.JwtContent.
And you usually don't need any mORMot session: you are using your own authentication and authorization logic.

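The flow described in posts #2 and #4, wired up end to end as an added example (it is not from this thread and not mORMot's own code): a token-issuing service on its own TRestServer that returns an access token plus a rotating, single-use refresh token, and a second TRestServer with JwtForUnauthenticatedRequest set, whose service reads the verified payload from ServiceRunningContext.Request.JwtContent instead of any mORMot session. Assumptions: mORMot 2 unit, class and method names as I recall them (TJwtHS256.Create, TJwtAbstract.Compute/Verify, TRestServerFullMemory, ServiceDefine, FindRawUtf8/AddRawUtf8), JwtContent exposed as a PJwtContent pointer (drop the `^` if your version exposes a record), the server taking ownership of the TJwt instance assigned to JwtForUnauthenticatedRequest, the two interface GUIDs being arbitrary, and the secrets, credentials and user id being constructed for the demo. The issuer lives on a separate server precisely so that Login and Renew are not themselves behind the Bearer-token check; any HTTP front end (e.g. TRestHttpServer) would expose both roots.

```pascal
program JwtStatelessDemo;
// Added example, not mORMot's code: stateless JWT auth with TRestServer. Names follow
// mORMot 2 as assumed in the lead-in; check them against your own version.

{$I mormot.defines.inc}

uses
  sysutils,
  mormot.core.base,
  mormot.core.text,
  mormot.core.variants,
  mormot.core.interfaces,
  mormot.crypt.jwt,
  mormot.orm.core,
  mormot.rest.server,
  mormot.rest.memserver,
  mormot.soa.core,
  mormot.soa.server;

type
  IAuthApi = interface(IInvokable)     // hypothetical issuer API, not behind the JWT check
    ['{4E3C2A1B-7D6F-4A8E-9C0B-1F2E3D4C5B6A}']   // arbitrary GUID for this example
    procedure Login(const Email, Password: RawUtf8; out Access, Refresh: RawUtf8);
    procedure Renew(const Refresh: RawUtf8; out Access, NewRefresh: RawUtf8);
  end;
  IProfileApi = interface(IInvokable)  // hypothetical business API behind the JWT check
    ['{A1B2C3D4-E5F6-4708-9A0B-C1D2E3F4A5B6}']   // arbitrary GUID for this example
    function WhoAmI: RawUtf8;
  end;
  TAuthApi = class(TInjectableObjectRest, IAuthApi)
    procedure Login(const Email, Password: RawUtf8; out Access, Refresh: RawUtf8);
    procedure Renew(const Refresh: RawUtf8; out Access, NewRefresh: RawUtf8);
  end;
  TProfileApi = class(TInjectableObjectRest, IProfileApi)
    function WhoAmI: RawUtf8;
  end;

var
  AccessJwt, RefreshJwt: TJwtHS256;
  UsedRefreshIds: TRawUtf8DynArray; // consumed 'jti' values; persist these in production

procedure IssuePair(const UserId, Email: RawUtf8; out Access, Refresh: RawUtf8);
begin
  // everything a handler needs about the user travels in the signed payload: no server session
  Access := AccessJwt.Compute(['email', Email], 'demo-auth', UserId);
  Refresh := RefreshJwt.Compute(['email', Email], 'demo-auth', UserId);
end;

procedure RenewPair(const Refresh: RawUtf8; out Access, NewRefresh: RawUtf8);
var
  c: TJwtContent;
begin
  if RefreshJwt.Verify(Refresh, c) <> jwtValid then
    raise Exception.Create('refresh token rejected');
  // rotation: a refresh token is single-use, so replaying an old one is refused
  if FindRawUtf8(UsedRefreshIds, c.reg[jrcJwtID]) >= 0 then
    raise Exception.Create('refresh token already used');
  AddRawUtf8(UsedRefreshIds, c.reg[jrcJwtID]);
  IssuePair(c.reg[jrcSubject], c.data.U['email'], Access, NewRefresh);
end;

procedure TAuthApi.Login(const Email, Password: RawUtf8; out Access, Refresh: RawUtf8);
begin
  // constructed credentials: replace with a salted-hash check against your user store
  if (Email <> 'alice@example.com') or (Password <> 'correct horse') then
    raise Exception.Create('invalid credentials'); // reaches the caller as an HTTP error
  IssuePair('42', Email, Access, Refresh);        // '42' is a constructed user id
end;

procedure TAuthApi.Renew(const Refresh: RawUtf8; out Access, NewRefresh: RawUtf8);
begin
  RenewPair(Refresh, Access, NewRefresh);
end;

function TProfileApi.WhoAmI: RawUtf8;
var
  jwt: PJwtContent;
begin
  // JwtForUnauthenticatedRequest already verified the Bearer token and attached its
  // payload to the request context: read it here, do not re-parse the header yourself
  jwt := ServiceRunningContext.Request.JwtContent;
  if (jwt = nil) or (jwt^.result <> jwtValid) then
    raise Exception.Create('no valid JWT on this request');
  result := FormatUtf8('uid=% email=%', [jwt^.reg[jrcSubject], jwt^.data.U['email']]);
end;

var
  AuthModel, ApiModel: TOrmModel;
  AuthServer, ApiServer: TRestServerFullMemory;
  a, r, a2, r2: RawUtf8;
  c: TJwtContent;
begin
  // HS256 is fine while issuer and verifier share a process; once they are split, prefer an
  // asymmetric TJwt class so the API server holds only the public key (secrets are constructed)
  AccessJwt := TJwtHS256.Create('access-secret-use-32-random-bytes', 1000,
    [jrcIssuer, jrcSubject, jrcIssuedAt, jrcExpirationTime], [], 15);              // 15 min
  RefreshJwt := TJwtHS256.Create('refresh-secret-distinct-from-access', 1000,
    [jrcIssuer, jrcSubject, jrcJwtID, jrcIssuedAt, jrcExpirationTime], [], 7 * 24 * 60, 1);
  AuthModel := TOrmModel.Create([], 'auth');
  AuthServer := TRestServerFullMemory.Create(AuthModel, {aHandleUserAuthentication=}false);
  AuthServer.ServiceDefine(TAuthApi, [IAuthApi], sicShared);
  ApiModel := TOrmModel.Create([], 'api');
  ApiServer := TRestServerFullMemory.Create(ApiModel, {aHandleUserAuthentication=}false);
  ApiServer.JwtForUnauthenticatedRequest := AccessJwt; // needs "Authorization: Bearer <access>"
  ApiServer.ServiceDefine(TProfileApi, [IProfileApi], sicShared);
  try
    IssuePair('42', 'alice@example.com', a, r);          // what Login hands back
    if AccessJwt.Verify(a, c) = jwtValid then            // what the API server does per request
      writeln('sub=', c.reg[jrcSubject], ' email=', c.data.U['email']);
    RenewPair(r, a2, r2);                                // first refresh: accepted
    try
      RenewPair(r, a2, r2);                              // replay of the old refresh: refused
    except
      on E: Exception do
        writeln('replay refused: ', E.Message);
    end;
  finally
    ApiServer.Free;  // owns AccessJwt via JwtForUnauthenticatedRequest
    AuthServer.Free;
    ApiModel.Free;
    AuthModel.Free;
    RefreshJwt.Free;
  end;
end.
```

Two design points worth keeping even if your wiring differs: the refresh token is signed with a different secret and a different claim set than the access token, so one can never be presented where the other is expected, and the refresh token carries a `jti` that the issuer records on use, which is the only server-side state the scheme needs (a revocation list, not a session).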
