
Guardian

JWT Usage - First timer

Hi Guys,

I am implementing JWT tokens into one of my projects for the first time, using: https://github.com/tymondesigns/jwt-auth All is going well on the Laravel integration part, but I am looking for some opinions / advice on how to implement this on the consumer side.

My API will be consumed by various other CMSes (WordPress, Drupal, some custom work etc.). Now, how do I handle the JWT tokens, once I receive them from the API, when considering the following scenarios:

  • User login: Do I request a new token on each login? Or do I store the token on the consumer side and first validate if the token that is currently saved there is still valid?

  • User Profile: The user's profile is stored on the API side. So if a user wants to change his profile, do I request a new token for this or do I try to re-use (if still valid) a previous token?

  • How do I handle the request of a new token? For example: A user logs in and is doing some stuff on the consumer side (that does not require the token) and then wants to change his profile information (that DOES require a valid token), but the token expired in the meantime. Do we ask the user to re-authenticate, in order to receive a new token, or...?

If any additional clarification is needed, please do not hesitate to tell me.

Many thanks in advance.

5 replies

primordial

Are you familiar with the OAuth2/OpenID Connect workflow? It answers most of your questions but maybe a bit more involved than using JWTs straight out of the box/package.

Guardian

Hi @primordial

What do you mean by

but maybe a bit more involved than using JWTs straight out of the box/package

No, I am not familiar with that workflow. Would you happen to have some good resources on this?

Many thanks

Guardian

Hi @primordial and any others to whom it might concern. I have finished the first draft of my implementation and would like to share it here to get some feedback.

Some information in advance: I am using Sentinel instead of Auth and I am using tymon's JWTAuth package.

Here goes:

I have defined a route that generates a token, based on the user like so

    public function authenticate(AuthenticationRequest $request) {
      // Sentinel checks the credentials; only a successfully authenticated
      // user ever gets a token minted for it.
      if ($user = Sentinel::authenticate($request->toArray())) {
        $token = JWTAuth::fromUser($user);
        return response()->json(['token' => $token], 200);
      }
      else {
        return response()->json('Access Denied', 403);
      }
    }

I have another route to access a 'restricted' resource. To this route, I have applied custom middleware like so:

    use Closure;
    use Tymon\JWTAuth\Facades\JWTAuth;
    use Tymon\JWTAuth\Exceptions\JWTException;

    public function handle($request, Closure $next)
    {
        /**
         * Custom middleware that performs the following actions:
         * - Grab the token
         * - Refresh the token (if still within refresh window)
         * - Grab the payload, based on the token
         * - Add the uuid of the user to the Request object (so we can grab the user in the controller)
         * - Add the new, refreshed token to the request so that we can return that in the json response
         *
         * Note: the token is refreshed on EVERY request, so the client must always
         * store the token it gets back; with the package blacklist enabled the one
         * it just sent is no longer accepted.
         */
        try {
            if (($token = JWTAuth::getToken()) && ($token = JWTAuth::refresh($token))
                && ($uuid = JWTAuth::getPayload($token)->get('sub'))) {
                // Use the attributes bag, not the POST bag: attributes cannot be
                // populated by the client and $request->get() consults them before
                // query or POST data, so a client-supplied 'uuid' cannot win.
                $request->attributes->set('uuid', $uuid);
                $request->attributes->set('new_token', $token);
                return $next($request);
            }
        } catch (JWTException $e) {
            // Signature invalid, or expired beyond the refresh window:
            // fall through and make the client re-authenticate.
        }
        // Missing token or refresh refused. Returning nothing here (as the
        // first draft did) is an error in Laravel; answer explicitly instead.
        return response()->json('Token required', 401);
    }

Then finally in my controller I return the restricted resources (the user profile in this case) like so:

    public function show(Request $request) {
      // 'uuid' and 'new_token' were placed on the request by the middleware
      // from the verified token; 404 instead of returning null if no such user.
      $user = User::where('uuid', '=', $request->get('uuid'))->firstOrFail();
      $new_token = $request->get('new_token');
      // Hand the refreshed token back to the consumer. 'Authorization' (not
      // 'Authentication') is the header name the consumer and the package use.
      return response()->json($user, 200)->header('Authorization', 'Bearer '.$new_token);
    }

Currently I am using a POST request to the show() method, but maybe this could just as well be a GET request I suppose...?

I am open for all suggestions for improvement.

As a final note:

My approach here is to have a limited validity of each token (for example 1 hour, which is the default) and a limited window for refresh (24 hours for example). As long as the token is expired BUT within the window for refresh, we will automatically deliver a new token. If the window for refresh has expired, the user will have to re-auth.

Many thanks in advance.

[EDIT] @tymondesigns, I hope that you don't mind me pinging you here directly, but since I am implementing your package, I would love to get your input on this as well.

Final Question: I would like to use RSA+SHA256 or RSA+SHA512 or ECDSA+SHA256 or ECDSA+SHA256. When looking at the jwt.php file this should be possible, correct? However I cannot really find any documentation on how to set this up.

Many thanks again all!
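The lifecycle described in the post above (1 hour token validity, 24 hour refresh window, automatic refresh while the window is open, re-auth afterwards), worked through end to end as an added example. This is not code from the original post or from tymon/jwt-auth: it uses a hand-rolled HS256 signer built on PHP's hash_hmac so it runs offline, and every function name, the secret, the uuid and the timestamps are assumptions constructed for the example. What it adds beyond the post is the split of responsibilities that the consumer-side questions hinge on: the consumer (WordPress, Drupal, etc.) never holds the signing secret, so it can only inspect exp/iat to choose between reusing, refreshing and re-authenticating, while the API is what actually decides whether a refresh is allowed.

```php
<?php
// Added example for this thread, not code from the original post or from
// tymon/jwt-auth. All names, the secret, the uuid and the timestamps are
// constructed for the example.
declare(strict_types=1);

const SECRET      = 'example-shared-secret-do-not-ship';  // API side only
const TTL         = 3600;   // token usable for 1 hour after it is issued
const REFRESH_TTL = 86400;  // refreshable for 24 hours after the ORIGINAL iat

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $txt): string {
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode(strtr($txt, '-_', '+/') . $pad);
}

// Payload WITHOUT a signature check. This is all the CONSUMER may do (it never
// holds SECRET) and it is only good for local decisions; the API is the authority.
function readClaimsUnverified(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    $claims = json_decode(b64urlDecode($parts[1]), true);
    return is_array($claims) ? $claims : null;
}

// API side: sign a token. `iat` is carried over unchanged on refresh so the
// refresh window is anchored to the first login, not to the last refresh.
function issueToken(string $sub, int $iat, int $now): string {
    $h = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $p = b64url(json_encode(['sub' => $sub, 'iat' => $iat, 'nbf' => $now, 'exp' => $now + TTL]));
    $s = b64url(hash_hmac('sha256', "$h.$p", SECRET, true));
    return "$h.$p.$s";
}

// API side: constant-time signature check; returns the claims even when exp
// has passed, because expiry is judged separately by the caller.
function verifySignature(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $expected = b64url(hash_hmac('sha256', "$h.$p", SECRET, true));
    if (!hash_equals($expected, $s)) return null;
    return readClaimsUnverified($jwt);
}

// API side: the refresh step. A correctly signed token is exchanged for a fresh
// one while now < original iat + REFRESH_TTL; otherwise null, i.e. re-auth.
function refreshToken(string $jwt, int $now): ?string {
    $c = verifySignature($jwt);
    if ($c === null || $now >= $c['iat'] + REFRESH_TTL) return null;
    return issueToken($c['sub'], $c['iat'], $now);
}

// CONSUMER side: what to do with the token cached in the CMS session before a
// call that needs it. This answers the three scenarios in the opening post.
function decideAction(?string $cached, int $now): string {
    if ($cached === null) return 'login';                  // nothing cached
    $c = readClaimsUnverified($cached);
    if ($c === null) return 'login';                       // garbage: discard it
    if ($now < $c['exp']) return 'reuse';                  // still valid: send as-is
    if ($now < $c['iat'] + REFRESH_TTL) return 'refresh';  // expired, window open
    return 'login';                                        // window closed
}

// Walk through the scenario from the post: login, idle for a while, then a
// profile change that needs a valid token.
$t0    = 1700000000;                               // constructed login time
$token = issueToken('user-uuid-1234', $t0, $t0);   // the consumer caches this

foreach ([600, 7200, 90000] as $elapsed) {         // 10 min, 2 h, 25 h after login
    $now    = $t0 + $elapsed;
    $action = decideAction($token, $now);
    if ($action === 'refresh') {
        $fresh  = refreshToken($token, $now);      // i.e. call the API's refresh route
        $action = $fresh === null ? 'login' : 'refreshed';
        if ($fresh !== null) $token = $fresh;      // ALWAYS replace the cached copy
    }
    printf("%6d s after login: %s\n", $elapsed, $action);
}
```

Run it with `php example.php`. Two practical consequences for the consumer side follow from the middleware in the post: because it refreshes on every request, the CMS has to replace its cached token with the one returned in the response header on every call (and, when the package blacklist is enabled, two concurrent requests sent with the same cached token will race, since the first one to arrive invalidates it); and because the consumer cannot verify signatures, a locally "valid-looking" token can still be rejected by the API, so the CMS must treat a 401 as "go to login" rather than as a bug.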
