Services + Oauth + JWT

casivaagustin's picture

Hello everybody, first of all I'm kind of lost here so If I'm not using the right terminology or what I'm saying have no sense please feel free to correct me, second I'm trying to get more information about this subject so any comment is really apreciated.

I'm trying to use Services with the Oauth2 Server but Using JWT.

I enabled the Services module, Created my own custom Endpoints, with no auth, worked perfectly.

I Enabled the Oauth2 Server, configured the server, the clientes, the scope. It worked.

I setted up the Oauth2 server to work with JWT, I implemented a simple function with kinda of hardcoded values to generate the assertion token (I saw the sample in the test of the module).

I was able to create a assertion token in order to get a JTW with that and make a request with Postman to request the JWT token, I did a POST to /oauth2/token with the proper headers and assertion=myGeneratedToken. I was able to get the JWT token as response, I got something like this

{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpZCI6IjY0NjQ2Y2VjYzhiOWNmODNkZWQ3ZTQwZGE1Y2Q3MzRkYmVlODAzYzAiLCJqdGkiOiI2NDY0NmNlY2M4YjljZjgzZGVkN2U0MGRhNWNkNzM0ZGJlZTgwM2MwIiwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsLWFwaS5vdWNoaWUuY29tXC8iLCJhdWQiOiJhcGkiLCJzdWIiOjIsImV4cCI6MTQ0ODQ5NTk5MCwiaWF0IjoxNDQ4NDkyMzkwLCJ0b2tlbl90eXBlIjoiYmVhcmVyIiwic2NvcGUiOiJhcGkifQ.V7vqhvxaYIGSYYFsUM1L-J73zReooKVLZ1JSaVS_ogt0ZkX3uDu_aYVnxz8sxT6RmC5JolTlg7TtxEWcOPBtky00rkGzT27LajpSvZp04kcdoP0uHUOSMqLSakSXMgN1iLEDJq-sRI5y9uzJUavZpfbM3sLZC2imvS1mPS3X2fSx1921_hvhzbs43fFgW4VNvRrprof6DHFTi2aI80ieGER6AyXHJLnqbySaXcWAYGwTD20XI0i-ma0bx4HJnvybCMnKly5_PwCEaHolvDXijcXteqsczjmpxETuiYDMTa56kKlRd3nfNtGstfNfTYj4i18Rnt7aJIOCJqgS3Sw75g",
"expires_in": "3600",
"token_type": "bearer",
"scope": "api"
}

After that I enabled the auth into one of my custom services, try to used without the token and I got the unauthorized error.

After that I tried to hit the same endpoint using the Authorization header with the token and Bum, still worked, got my results.

Until here everything seems to work fine, but I'm kinda confuse and I have these questions.

How can I identify which is the user that have the token and is using it in the request ?

How can I involve an Authentication mechanism here (something to validate that the user is somebody valid like using the username and password).

Since JTW don't save anything in the server (like sessions does), Where I have to save the sensitive information ?

I saw doing a little of google some samples for Node where the endpoint request by an username and password and the return is the JWT Token to be used, Oauth2 Server Module does something like that ? Is a good idea to do that ?

I think that is all for now, Don't want to extend the post too much.

Thanks in advance to all.

Services

Group organizers

Group categories

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

Hot content this week