I always get invalid signature when I input the generated token in jwt - node.js

I am trying to use the Opentok REST API with JWT to generate a video session token. I am using the following credentials to create the JWT following the JSONWebToken documentation at https://github.com/kylef/JSONWebToken.swift. I have used the generated token for authorisation ..

Related

On Access Token Expiry - JWT Authentication - DocuSign

Referencing video: https://www.youtube.com/watch?v=ebwN2HWpDQA
Environment: Node.js
In the video they show how to get an access_token using the JWT. Documentation says the lifetime of the access_token can only be 1 hour so what do we do once the token expires? Can we simply use the JWT again with an updated date-time in UNIX epoch format for the iat and exp values to get a new access_token?
If I do update the iat and exp I get the following error
{
"error": "invalid_grant",
"error_description": "no_valid_keys_or_signatures"
}
How should we get a new access token?
When an access token expires, you will need to generate a new JWT assertion, sign it, and use it to request a new access token.
Reusing the old assertion with modified IAT and EXP values won't work without also generating a new signature using your RSA Private Key.

Jwt authentication on node-js and react -js

I am working on JWT authentication based projects and I want to store the token which is created on the user's login request, but this token can be decoded easily, so where do I have to store these tokens?
//code to create token and cookie
const jwt = require('jsonwebtoken'); // npm package providing jwt.sign below
const secretkey = process.env.JWT_SECRET; // assumed: server-side signing secret loaded from the environment
const createToken = (id) => {
  return jwt.sign({ id }, secretkey);
};
{....some code are written here.....}
const token = createToken(userid);
res.cookie('jwts', token, { httpOnly: true, maxAge: 1000 * 60 * 60, sameSite: 'lax' });
From your question, it feels like your JWT flow isn't clear. The token can be decoded - but it will only reveal some payload data and header - which doesn't contain any sensitive data.
Token's generation and explanation:
A JWT Token is formed of Header, Payload & Signature.
The header is metadata about the token itself.
The payload is the data encoded in the token, e.g. the user's Id.
Signature is created using header, payload, & the SECRET stored at the server. This process is called Signing. This 'SECRET' is what helps us to validate the signature's authenticity.
Well, so how do we make sure the data isn't modified?
A verification process is done at the server where JWT's header, payload, and secret are used to create a test signature. This signature is matched with the original signature (existing inside the JWT already) - then the data has not been modified.
Without secret - no one can manipulate JWT. That is, the verification will fail if the signatures do not match.
Token Storage:
There is some debate about whether to store the token in cookies or local-storage since both are prone to hacker attacks.
Login Flow:
The client sends a request to the server (POST - login).
The server validates the user and returns a JWT token in response if the provided credentials are valid.
The JWT token is stored in localStorage / cookies depending on the preferred choice (I prefer localStorage).
You need to send that token along with the API requests from the client. I used to store it in the client's internal storage and send that token with each and every API call.

How to verify signature of refreshed id_token in Azure active directory

We are using Azure active directory Oauth code flow to authenticate the user.
We got the access_token, id_token and refresh_token using code(got it on redirect URL).
We are using the id_token to authorize each request after successful authentication, and we can verify the JWT using the public key which we got from the /discovery/v2.0/keys API.
Now, the JWT will expire after 1 hour, so we need to refresh this id_token.
I am refreshing the id_token using the cURL below:
curl --request POST \
--url https://login.microsoftonline.com/{tenant_id}/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'client_id=client%20id&refresh_token=refresh%20token&grant_type=refresh_token&client_secret=client_secret&scope=openid'
In the response of this API, we got the access_token, refresh_token and id_token, but if you observe the id_token, it does not contain the JWT signature (the third part of the JWT); without the signature we cannot verify the JWT.
We cannot find any documentation reference for why the id_token does not have a signature part.
Is there any other way to refresh id_token?
Is there any workaround if id_token can not be refreshed?
In some cases an Id token may be returned without a signature, especially if it is acquired through a back-channel with a client secret.
You already are getting the token through an encrypted channel, from the authority.
If someone was able to inject something there, they would be able to direct your app's requests for OpenID metadata as well, replacing the signing keys your app expects.
Thus the signature would not add much value here.
In addition, you won't send the Id token to any API as Id tokens should not be used for authorization.
That's what access tokens are for :)
The OpenID Connect spec has this to say: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.
But then, interestingly mentions this as well: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
ID Tokens MUST be signed using JWS and optionally both signed and then encrypted using JWS and JWE respectively, thereby providing authentication, integrity, non-repudiation, and optionally, confidentiality, per Section 16.14. If the ID Token is encrypted, it MUST be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. ID Tokens MUST NOT use none as the alg value unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow) and the Client explicitly requested the use of none at Registration time.
So... it could be that Azure AD is not compliant with the spec?
EDIT: The v1 endpoint of Azure AD is not compliant in this regard. The newer v2 endpoint is fully OpenID Connect compliant.
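The acceptance rule the answer quotes from the spec, applied to the unsigned id_token this question observed, as an added example that is not part of the thread. The `fromTokenEndpoint` flag and the `verifySig` callback are assumed parameters: the caller sets the flag only for tokens received directly from the Token Endpoint over TLS, and supplies a `verifySig` backed by the issuer's published keys (here, /discovery/v2.0/keys).

```javascript
// Added example (not from the thread above): id_token acceptance logic that follows the
// OpenID Connect rule quoted in the answer. A token without a signature part, as the v1
// endpoint returned here, is accepted only when it came straight from the Token Endpoint
// over TLS; any other path must carry a signature that the caller-supplied verifySig
// (assumed to check against the issuer's keys) confirms. iss, aud and exp are always checked.
function decodePart(part) {
  return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
}

// opts: { issuer, clientId, fromTokenEndpoint, verifySig(signingInput, sigB64url, header), now }
// Returns { ok: true, claims } or { ok: false, reason }.
function validateIdToken(token, opts) {
  const { issuer, clientId, fromTokenEndpoint, verifySig } = opts;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const parts = token.split('.');
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
  } catch (e) {
    return { ok: false, reason: 'malformed token' };
  }
  // Two parts, an empty third part, or alg "none" all mean there is no signature to verify.
  const signed = parts.length === 3 && parts[2] !== '' && header.alg !== 'none';
  if (!signed && !fromTokenEndpoint) {
    // Front-channel tokens MUST be validated via JWS; TLS to the issuer is not in play here.
    return { ok: false, reason: 'unsigned id_token outside the token endpoint' };
  }
  if (signed && !verifySig(`${parts[0]}.${parts[1]}`, parts[2], header)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (claims.iss !== issuer) return { ok: false, reason: 'iss mismatch' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) return { ok: false, reason: 'aud mismatch' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}
```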

How to parse azure active directory token, and how to get all the user details based on the azure token in node.js?

I am using Azure Active Directory OAuth for Azure bot authentication. After logging in I got the token successfully, but how can I get the user details based on the token?
So, is there any way to parse the Azure token in Node.js and get the details about the user?
Basically the token you get is a JWT token base64 encoded. You can use a node package like jwtDecode to decode the contents of the token and get the claims.
You can do something like:
import jwtDecode from 'jwt-decode';
const claims = jwtDecode('base64 encoded token received from Azure AD');
claims will be a JavaScript object.

JWT token in codeigniter (ion-auth)

I use Ion Auth for user authentication.
How do I make a JWT token in CodeIgniter?
Send the username and password and get a token and a refresh token.
By default Ion Auth doesn't support JWT,
but the solution:
1- edit ion_auth_model and create a function to check the user and password
2- use the PHP JWT lib to make a token
https://github.com/firebase/php-jwt
Regards