danieleteti / delphimvcframework

DMVCFramework (for short) is a popular and powerful framework for WEB API in Delphi. Supports RESTful and JSON-RPC WEB APIs development.


Bearer authentication

viniciussanchez opened this issue · comments

Hi, I would like to know why, to request a JWT token, I have to use the POST method? And why did you create custom headers, when the default is to use the Authorization header? If I make the changes to bring the API in line with the web standard, will you accept the pull request?

I have a server using DMVC, which is responsible for receiving the user and password and generating the JWT token.
DMVC is forcing me to use custom headers, even though the Authorization header already exists as the default for this. DMVC is also forcing me to request my token through the POST method, when it should be GET, since I am not passing anything in the request body.

On the server that will be authenticated by JWT, it is also wrong. It forces me to pass the token in the Authenticate header, whereas the default is the Authorization header. And DMVC is still validating the header content as follows: "bearer dgasdkghdaskfghfasdf", while the default is "Bearer askfgsdkfghjkfalsdfglfkj".

I can make the adjustments and submit the pull request if I may ...

You can define the name of your header when creating JWT middleware.

FEngine.AddMiddleware(TMVCJWTAuthenticationMiddleware.Create(
  TAuthenticationController.Create, { Authentication handler }
  LClaimsSetup,                     { Claims setup callback }
  'MySecret',                       { Secret }
  '/api/login',                     { Login URL segment }
  [TJWTCheckableClaim.ExpirationTime, TJWTCheckableClaim.NotBefore, TJWTCheckableClaim.IssuedAt], { Claims to check }
  300,                              { Leeway seconds }
  'Authorization',                  { Header token }
  'username',                       { Header UserName }
  'password'                        { Header Password }
));

Yes I can! But why define a name when a standard already exists?
And still, there are several differences, as I said: the word Bearer is locked to lowercase, the method is forced to be POST, and I still have to set the username and password headers when there is already a default for this.

Horse, for example, follows the correct pattern.
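The Bearer scheme this thread compares against is defined in RFC 6750, and RFC 7235 makes the auth-scheme name case-insensitive, so "bearer" and "Bearer" are both valid on the wire; HTTP field names such as Authorization are case-insensitive as well. The following is an added example, not DMVC code and not written by anyone in this thread, showing a server-side check that accepts the header name and the scheme in any case, validates the token against the b64token grammar of RFC 6750, and answers with a WWW-Authenticate challenge as that RFC describes. The realm value and the sample requests are constructed; the returned token still has to go through normal JWT signature and claim verification.

```python
import re
from typing import Mapping, Optional, Tuple

# RFC 6750 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
REALM = "example-api"  # constructed realm name for the challenge


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP field names are case-insensitive (RFC 7230 3.2): match by lowercase."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_bearer(authorization: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Extract the bearer token from an Authorization field value.

    Returns (token, error). error is None on success, otherwise one of
    "no_credentials", "wrong_scheme" or "malformed_token".
    """
    if authorization is None or not authorization.strip():
        return None, "no_credentials"
    parts = authorization.strip().split(None, 1)  # "Bearer" 1*SP b64token
    # RFC 7235 2.1: auth-scheme is case-insensitive, so "bearer"/"BEARER" are accepted.
    if parts[0].lower() != "bearer":
        return None, "wrong_scheme"
    if len(parts) != 2:
        return None, "malformed_token"
    token = parts[1].strip()
    if not _B64TOKEN.match(token):  # rejects spaces, quotes and other non-token bytes
        return None, "malformed_token"
    return token, None


def challenge(error: Optional[str] = None, description: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value for a 401 response (RFC 6750 3).

    RFC 6750 3.1: when the request carried no credentials at all the
    challenge should not include an error code, so callers pass error=None.
    """
    value = f'Bearer realm="{REALM}"'
    if error:
        value += f', error="{error}"'
        if description:
            value += f', error_description="{description}"'
    return value


def authenticate(headers: Mapping[str, str]) -> Tuple[int, dict, Optional[str]]:
    """Map the parsed Authorization field to (status, response headers, token)."""
    token, err = parse_bearer(get_header(headers, "Authorization"))
    if err is None:
        return 200, {}, token  # caller must still verify the JWT signature and claims
    if err in ("no_credentials", "wrong_scheme"):
        return 401, {"WWW-Authenticate": challenge()}, None
    # "invalid_token" covers a malformed token per RFC 6750 3.1 and uses status 401.
    return 401, {"WWW-Authenticate": challenge("invalid_token", "malformed bearer token")}, None


if __name__ == "__main__":
    # Constructed sample requests: only the Authorization field matters here.
    samples = [
        {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc-_def"},
        {"authorization": "bearer eyJhbGciOiJIUzI1NiJ9.e30.abc-_def"},  # lowercase everywhere
        {"Authorization": "Basic dXNlcjpwYXNz"},
        {"Authorization": 'Bearer "quoted token"'},
        {},
    ]
    for request in samples:
        status, resp_headers, tok = authenticate(request)
        print(status, resp_headers, tok)
```

The check deliberately separates "no credentials" from "bad credentials": the former gets a bare challenge so the client learns which scheme is expected, the latter gets an error code, and neither branch leaks anything about token contents.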

Thank you for your notes @viniciussanchez.
Your PR will be appreciated.