How Can I Bind userType with jwt token??
because in the frontend needs to do some operations with type of user(hide some menus if userType is different)
in laravel.. Does it possible?
The way Laravel (and you most likely using https://github.com/tymondesigns/jwt-auth), is that the JWT should probably not carry user types or really other kind of user information than maybe a name or an id. After the token is generated, you are supposed to query another endpoint that will return the user information that you are looking for.
So essentially, what you want is 2 routes, let's say:
POST /auth/login
POST /auth/me
To the first route, you are supposed to provide the username and password, to which you'll get a token if credentials are correct. Then, you take the token you were just given, and call the second endpoint, which will return all user information you might want or need. You don't specify which kind of frontend you are using, but here's an example with Nuxt.js's Auth module: https://auth.nuxtjs.org/providers/laravel-jwt/
Related
I am playing around with building a custom Oauth2/OpenID library, and is having thoughts about validating the tokens.
I am using only JWT for all token types (Access, Refresh & ID), but I am thinking; How would the resource server validate ex. the access token, and make sure it is only access tokens from the issuer being accepted, and not refresh or ID tokens, since they would also be valid, hence they come from the same trusted issuer?
Likewise, how would make sure, the token sent with a refresh grant, is not just an valid access token, since it would also be verified...
I know an easy fix would be just making a custom claim, describing what kind of token it is, or using different signatures for each, but is there a "right" way of doing it?
One way to separate the ID token from the Access token is by looking at the typ claim in the JWT-header.
Some IdentityProviders uses the at+jwt typ to indicate that the token is an access token that follows certain rules. But this is not a mandatory thing to follow.
{
"typ":"at+JWT",
"alg":"RS256",
"kid":"RjEwOwOA"
}
Otherwise they can look at the claims inside the token to determine if it is an access or ID-token. The token-signature itself can't be used to determine the token type.
You can read more about the standard for access token here and here
Refresh and reference tokens are typically not in a JWT format, instead they are more like a random string.
How to use token guard to create API? I tried it to implement it and I am getting error
call_user_func_array() expects parameter 1 to be a valid callback,
class 'Illuminate\Auth\TokenGuard' does not have a method 'attempt'
After dig into the source code of laravel, I found that the token guard is useless for now. All auth are passed to auth middleware, from there, you can see that it called Auth::guard($name)->guest() to check whether the user is logged in. The \Auth::guard will get the proper guard that you specified in route. Let's say here is the TokenGuard. In \Illuminate\Auth\TokenGuard, check the user function to see how TokenGuard get a user. First, it will get the input parameter named api_token. Then it will let the provider which may be eloquent as the default configuration to search a value in the database. If any value is found, a new user instance is created. If there is not a input value named api_token, then some other choices will be tried:
bearerToken, which the Authorization HTTP header value that starts with: bearer.
password, which passed through HTTP header: PHP_AUTH_PW.
which key to match in the model is specified by the protected property storageKey.
So the token guard is used to implemented third-party API access token, not a temporary access token that is stored in the session.
I have implemented Token Authentication with django rest framework and I can post username and password to /api-token-auth/ and get the token.
url(r'^api-token-auth/', token_views.obtain_auth_token)
In addition to the token, I want to get the User object related to the returned token.
How can I override/add to this view and also return the actual User object?
You can find the relevant view here:
https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/authtoken/views.py#L21
Assuming you've created some sort of User serializer already, you can basically take the user instance there and shove it into your UserSerializer. then add it to the response, something like the below.
...
user_serializer = UserSerializer(user)
return Response({'token': token.key, 'user': user_serializer.data})
I know those token spring generates a UUID formatted string. One of my concerns is that it's not really "unique"; it is possible for the UUID to create a token exactly the same as a previous one (of course the odds are VERY small but still possible).
I'm using a database to store my user's token and I'm not sure if Spring checks if the token already exists before creating one in the database?
My second question is : Is it possible to create my own token instead of the UUID format, I'd like to have a more "unique" token like the current timestamp with the user's ID and username and then hash everything and that will be my token instead of 49784c38-43b1-.....
I already have a custom TokenEnhancer that I use to add custom info when returning the token to the client but how can I create a custom token before saving it in my database?
Thanks for you help!
Your TokenEnhancer can use any format it likes for the token value. The custom value will be the one that goes in the ToeknStore (that is the prupose of a TokenEnhancer).
P.S. If you think there might be a clash between UUIDs I think you probably need to do some maths and think again.
When my authentication handler passes successfully (userId is taken from decrypted token) I want to add the userId somewhere to the current request object.
Later in the pipeline when the user is authenticated the authorization is executed and here I need the userId again because I have to disallow authenticated users manipulating data from other users having a certain userId.
What would be the best way to save temporarely the userId? Should I misuse the request.headers to add there the userId?
cmon Darrel...please don't re-invent the wheel ;)
The authentication handler outcome should be a ClaimsPrincipal (set it on HttpAuthenticationContext.Principal).
This way you make the user id available to an authorization filter - as well as ApiController.User.
HttpRequestMesssage.Properties. It is a dictionary designed for storing request scoped data.