#1 2023-08-02 20:46:17

mrbar2000
Member
From: Brazil
Registered: 2016-10-26
Posts: 89

Anyone has a JWT Authentication scheme

I see some posts on group about jwt. for sample:
1. https://synopse.info/forum/viewtopic.php?id=4840

but i have some problems with retrieve session, release session, etc..?
the implementation create 1 session to each request, when should be by user (TAuthSession.AuthUser).
I need refreshtoken too.
Anyone has a more complete implementation?
Anyone can help us?

Offline

#2 2023-08-03 07:10:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Anyone has a JWT Authentication scheme

Note that this third-party implementation is not supported.
We did not include such a class, because in fact, a JWT should contain the session information itself (this is how a JWT stateless session works), and not use the stateful in-memory sessions of our REST or RPC schemes.
https://stackoverflow.com/a/55887742/458259

To implement properly a JWT, you could rather use TRestServer.JwtForUnauthenticatedRequest.
Then, once authenticated, you got the JWT payload information (and any session you wish) within TRestUriContext.JwtContent.

For the renew, you may use your own service to recompute a token, as you did to return the initial token.
This is to be defined at service level, e.g. using OAuth2 or something similar, and is outside of the scope of TRestServer: currently, TRestServer does not return the initial token.

Offline

#3 2024-05-04 14:13:55

mrbar2000
Member
From: Brazil
Registered: 2016-10-26
Posts: 89

Re: Anyone has a JWT Authentication scheme

Arnold wrote:

To implement properly a JWT, you could rather use TRestServer.JwtForUnauthenticatedRequest.
Then, once authenticated, you got the JWT payload information (and any session you wish) within TRestUriContext.JwtContent.

I understand that I should store any and all information I need in the JWT payload instead of using sessions. ok i doing this!
I would like to know where to store, for example, email and user id per request to be used within my classes that implement the REST endpoint.

there are some way to put this extra information into ServiceRunningContext?

Offline

#4 2024-05-04 17:48:31

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Anyone has a JWT Authentication scheme

ab wrote:

Then, once authenticated, you got the JWT payload information (and any session you wish) within TRestUriContext.JwtContent.

So you don't put this information in ServiceRunningContext, you have your JWT payload available in ServiceRunningContext.Request.JwtContent.
And you usually don't need any mORMot session: you are using your own authentication and authorization logic.

Offline

Board footer

Powered by FluxBB