

Using JWT with Active Directory authentication in NodeJS backend

node.js,security,authentication,active-directory,jwt
I am building an intranet web application consisting of an Angular frontend and a Node.JS backend. The application needs to use the corporate Active Directory for authentication and authorization. I'm considering how to best implement this in a secure way. I am planning to use the Active Directory node module...

jsonwebtoken doesn't expire

node.js,passport.js,jwt,json-web-token
I'm using jsonwebtoken package for node.js: Creating the token like that: var token = jwt.sign(user, tokenSecret, {expiresInMinutes: 1}); Verifying like that: jwt.verify(token, tokenSecret, function(err, decoded) { if(err) return done(new Error('Invalid authentication!')); if(!decoded) return done(null, false); return done(null, decoded, { scope: 'all'}); }); However, my token never expires (I waited some...

Protractor testing, access and modify Window object properties

javascript,angularjs,protractor,jwt,satellizer
I'm trying to write a simple e2e test for the authentication we use in our project. Authentication is based on a JSON web token which is set into window.localStorage.satellizer_token. To set it I use the code below, but from what I see it doesn't really set the real localStorage...

Is using a SSO Assertion (JWT or SAML) For OAuth Assertion Flow Common?

oauth,oauth-2.0,single-sign-on,saml,jwt
I'm working on a set of systems that are exposing REST APIs that are authenticated using OAuth 2. Various of these systems have their own independent sets of user accounts; there is no common notion of a user identifier across all the systems. For interactive usage we already have a...

SailsJS - using sails.io.js with JWT

socket.io,sails.js,jwt,express-jwt
I have implemented an AngularJS app, communicating with Sails backend through websockets, using sails.io.js. Since the backend is basically a pure API and will be connected to from other apps as well, I'm trying to disable sessions completely and use JWT. I have set up express-jwt and can use regular...

Why is my spring boot stateless filter being called twice?

rest,spring-security,spring-boot,restful-authentication,jwt
I'm trying to implement stateless token-based authentication on a rest api I've developed using Spring Boot. The idea is that the client includes a JWT token with any request, and a filter extracts this from the request, and sets up the SecurityContext with a relevant Authentication object based on the...

Decode JWT encoded string from Google in PHP

php,google-oauth,jwt
I am upgrading my Google based login system, which requires me to decode id_token strings supplied by Google. The strings are valid, and I can decode them via: https://developers.google.com/wallet/digital/docs/jwtdecoder But I want my server to do this on the fly in PHP. I found both: https://github.com/firebase/php-jwt/tree/master and https://github.com/luciferous/jwt But I...

Django rest framework, JWT and request.session

django,session,session-variables,django-rest-framework,jwt
I use Django rest framework with JWT for authentication and everything works perfectly BUT... I need to save some information about the user in a session var at login and I really don't know where I can do the request.session['mydata'] = plop I tried: def jwt_response_payload_handler(token, user=None, request=None): serializedUser...

How JSON Web Tokens work? Not sure what is different from cookies

security,cookies,login,token,jwt
When using cookies they are stored on the server and compared to the ones coming in the request from a client. What are the JWTs compared to? Are they being decoded into their components?

HMAC + SHA256 jwt secret length

hash,cryptography,jwt
I will be signing a token with SHA256 and I am wondering about the length of the secret I should put. Does having a secret key length over 256 bits have any benefits if I am using SHA256? So if my key is 300 bits long, is this more secure?

How to use jti claim in a JWT

node.js,rest,express,restful-authentication,jwt
The JWT spec mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks: The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the...

Type Error when using JwtSessionHandler - dart

types,dart,jwt
I have a problem with the dart types when using the JwtSessionHandler. I wanted to integrate user authentication and sessions using this example application from the shelf_auth git repository as a guide. Unfortunately I get an error when running the application (no syntax errors are detected before running the application)...

Invalid localhost origin when use Linkedin javascript authentication

javascript,firebase,ionic-framework,jwt,auth0
Just a follow-up from this question: Linkedin authentication using auth0 Firebase and Ionic I am trying a combination of auth0, Firebase, Ionic, Linkedin. I got this error after the popup appears and I clicked login: There was an error logging in Error: error: invalid origin: http://localhost:8100 {stack: (...), message: "error:...

Standalone Spring OAuth2 JWT Authorization Server + CORS

spring-security,cors,jwt,spring-security-oauth2
So I have the following Authorization Server condensed from this example from Dave Syer @SpringBootApplication public class AuthserverApplication { public static void main(String[] args) { SpringApplication.run(AuthserverApplication.class, args); } /* added later @Configuration @Order(Ordered.HIGHEST_PRECEDENCE) protected static class MyWebSecurity extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http //.csrf().disable()...

Does securing a REST application with a JWT and Basic authentication make sense?

spring-security,basic-authentication,jwt
I have a Spring REST application which at first was secured with Basic authentication. Then I added a login controller that creates a JWT (JSON Web Token) which is used in subsequent requests. Could I move this: tokenAuthenticationService.addTokenToResponseHeader(responseHeaders, credentialsResource.getEmail()); out of the login controller and into the security filter?...

How to return RSA key in jwks_uri endpoint for OpenID Connect Discovery

python,google-oauth,jwt,openid-connect,openid-provider
Working on the discovery part of an OpenID Connect provider, I'm a bit confused about how to properly return my public keys. My problem is specifically with the modulus (n) and the exponent (e) values. The initial values of both are: n =...

OAuth JWT access token expiration depending on type of client

asp.net-web-api,oauth-2.0,jwt
I created a JWT token implementation based on Taiseer's tutorial. The following code was added to my Owin startup class: OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions() { AllowInsecureHttp = HttpContext.Current.IsDebuggingEnabled, TokenEndpointPath = new PathString("/oauth2/token"), AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(90), Provider = new CustomOAuthProvider(), AccessTokenFormat = new CustomJwtFormat("http://example.com/") }; Now there are different types...

LinkedIn: Exchange JSAPI token to REST's OAuth token

ruby-on-rails,oauth,token,linkedin,jwt
I'm working on a website which has the API (Ruby on Rails) and the client (Angular JS) on separate servers. Because of that, I authenticate the user on the client with LinkedIn, I post the received data to the API's authentication method and I get a JWT back from it. Then...

How do I remove or delete a JWT token with JWTAuth laravel package?

laravel-5,jwt
I am building a laravel 5/angular app and I am using JWTAuth to manage my tokens. Does anyone know how to remove or delete a token? I want to use it for testing, but also for log out.

JWT: What's a good secret key, and how to store it in an Node.js/Express app?

node.js,security,express,jwt,json-web-token
Firstly, what's a good method of generating a secret key? I should punch in a lot of random keys on my keyboard to generate one, but there must be a better solution to this. Explain the way to generate a very good key. Second, what's a good way to store...

Using jwt-go Library - Key is invalid or invalid type

parsing,go,token,jwt
I am trying to pass in a token to the "Parse(token String, keyFunc Keyfunc)" GO routine defined in this GO-library (http://godoc.org/github.com/dgrijalva/jwt-go) for JWT-token parsing/validation. When I pass the token to this function - token, err := jwt.Parse(getToken, func(token *jwt.Token) (interface{}, error) { return config.Config.Key, nil }) I get an error...

How to share a public key for OAuth2 JWT validation?

validation,oauth-2.0,public-key-encryption,jwt
I am implementing an app that connects to an OAuth2 server and it gets back a Json Web Token (JWT). I am passing the token along and I want to independently validate that the token came from the issuing source. I can do this, no problem, with the public key...

Issue with Hapi-jwt: Hapi-jwt authentication not running the handler function

node.js,jwt,hapijs
I am not sure why, but I am having an issue implementing JWT authentication on my API. I'm using the https://www.npmjs.com/package/hapi-jwt package. Creating the token works without issue, I'm getting a reply back on my /api/v1/login (auth) route, giving me a status:200 and the token:hash. However, using my basic validation...

Securing JWT tokens in a AJAX call

security,jwt
Say site A has a piece of javascript that does an ajax call to an endpoint on site B. Site A uses a JWT generated from site B to authenticate the requests. Wouldn't a user be able to get the JWT, simply by inspecting (e.g. Chrome) the request and its...

Integrating AWS Cognito with API for authentication

api,amazon-web-services,jwt,amazon-cognito
Can we integrate AWS cognito to authenticate API calls to our back-end? I was planning to use cognito access token which would be given to a reverse proxy server to create a JWT by value for back-end micro services. But I could not find any method to check the AWS...

JWT (Json Web Token) Audience “aud” versus Client_Id - What's the difference?

oauth,oauth-2.0,jwt,json-web-token
I'm working on implementing OAuth 2.0 JWT access_token in my authentication server. But, I'm not clear on what the differences are between the JWT "aud" claim and the client_id http header value. Are they the same? If not, can you explain the difference between the two? My suspicion is that...

How can I decode in AngularJS a JWT with a public key?

javascript,angularjs,authentication,jwt
I'm building an AngularJS site with authentication based on JWT. When I log successfully into the application, the backend returns me a JWT and this is stored in localStorage. I want to receive the roles of the user in the JWT Claims, but I read the token from localStorage and...

NodeJS - Socket.io allowing only JWT verified connections

javascript,node.js,socket.io,jwt,express-jwt
My code is that simple: /*global require module process console*/ /*eslint-disable*/ (function (require, process) { 'use strict'; var config = require('../config') , uuid = require('node-uuid') , crypto = require('crypto') , fs = require('fs') , port = parseInt(process.env.PORT || config.server.port, 10) , serverHandler = function (req, res) { res.writeHead(404); res.end(); }...

JWT: How send authorization in header?

php,rest,laravel,token,jwt
I'm using the JWT (https://github.com/tymondesigns/jwt-auth) to generate session tokens in my API. I made all relevant settings to work as the author's documentation. After connecting the session, I make use of a URL to return data of my categories. When I pass the token directly in the URL, it works....

Parser exception in JWT when encryption and signing is enabled

java,json,jwt
I'm new to JWT, learning through standalone code to understand JWT APIs. The code below signs and encrypts a JWT token at the sender's end and it gets validated at the receiver's end. Library: JOSE 0.4.1 package com.one00bytes.jwt; public class JWTSignEncryption { public static void main(String[] args) throws Exception { /***************************SENDER'S END ***********************************/ JwtClaims...

optional authentication for socket.io

socket.io,jwt
I use socket.io-jwt library, with code like: socketio.use(require('socketio-jwt').authorize({ secret: config.secrets.session, handshake: true })); But this restricts unauthenticated users. I need authentication to be optional, and a way to check afterwards whether you are logged in or not. Is there some library?...

Is there a way to access jwt user information in unprotected endpoint in nodejs using express-jwt?

node.js,express,jwt
I'm using express-jwt to protect my endpoints, but I'd like an unprotected endpoint to show some extra information if the user is logged in. So I'm wondering if there is a way to access such user info in an unprotected endpoint? The code looks like: // unprotected endpoint router.get('/:productId', function(req, res) {...

Getting error in token based authentication in python eve

python,authentication,jwt,eve
I am using token based authentication, to give logged-in users access to my website API. I am getting the following error. {"_status": "ERR", "_error": {"message": "Please provide proper credentials", "code": 401}} I am storing username, password, email, token into my people schema. "token" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0MzAxMzg4NTQsInN1YiI6IjU1M2RlMjcwYmVkMDY5MTYwOWRiMWRkNyIsImV4cCI6MTQzMTM0ODQ1NH0.-H8m19tWeOgDXcem9pNjD3XXefMgGKv-ao3U8W9_P1U", "username": <username>,...

express-jwt handling specific secret passphrase by routes

node.js,express,token,jwt,express-jwt
Here is my use case. In my express app using the express-jwt module, I have 2 main routes. I would like to secure my routes with 2 distinct passphrases. app.use('/api/v1/admin', jwt({secret: "blabla1"}).unless({path:['/api/v1/admin/login']})); app.use('/api/v1', jwt({secret: "blabla2"}).unless({path: ['/api/v1/login']})); In this case, it doesn't work as I was expecting... Is there a way...

How to create JWT exp style date in Javascript

javascript,node.js,oauth-2.0,jwt
I'd like to create a JWT exp claim style date in Javascript. My app's jwt claim returns an expiry date of 1424984529. I'm doing a test for token expiration using this: if(jwt.exp < Date.now()) { // do something } As of writing, Date.now() gives me 1424941329632 and jwt.exp gives 1424984529. Obviously,...

Maintaining Secret key and Access Token for JWT in Express and NodeJS with Facebook in Rest API

angularjs,node.js,facebook,express,jwt
I have two applications: server (REST API Server) node js Express jsonwebtokens express-jwt mongoose client (Portable Front-end) bootstrap Angular JS local-storage angular-facebook angular-jwt Later on, the client app will be ported for android, iphone and other platforms using phonegap. For OAuth, I am using Facebook as the provider. Now, I...

Get access to REST API using JWT security token

java,rsa,token,jwt
I have an RSA key in the format <RSAKeyValue> <Modulus> ..</Modulus> <Exponent>..</Exponent> ... </RSAKeyValue> I need to get a connection to a REST API using java. I should use a JWT security token with schema “TokenIssuer”. The Nimbus library provides the following example for doing it. Will it help me or do I need something else? If yes,...

Can't seem to inject angular-jwt into factory

javascript,angularjs,dependency-injection,jwt,angularjs-factory
I am trying to inject angular-jwt into a factory for use in auth functions, but I keep getting the error `Error: [ng:areq] Argument 'fn' is not a function, got string http://errors.angularjs.org/1.3.15/ng/areq?p0=fn&p1=not%20a%20function%2C%20got%20string return new ErrorConstructor(message);` Here's the code: webapp.factory('Auth', ['angular-jwt'], function($http, API_URL, $window, $location, jwtHelper ) { Also the learning curve...

Basic Auth to Receive Token in Spring Security

api,rest,spring-security,jwt
I am implementing a RESTful API where the user must authenticate. I want the user to POST their credentials in order to receive a JSON web token (JWT), which is then used for the remainder of the session. I have not found any good sources of information to set this...

JWT Authentication for laravel built api for mobile application

android,laravel,jwt
I have to build an API for a mobile application. I see Laravel would be a good choice to develop the api. What concerns me is the Authentication part. For me OAuth seems to be difficult to implement. Would JWT be a good idea? Would it be secure enough for...

How to sign JWT?

ruby,authentication,oauth,sinatra,jwt
I'm trying to secure a Sinatra API. I'm using ruby-jwt to create the JWT, but I don't know exactly what to sign it with. I'm trying to use the user's BCrypt password_digest, but every time password_digest is called it changes, making the signature invalid when I go to verify it....

Can't get ng-hide & ng-show to work with tokens

angularjs,token,jwt,ng-show,ng-hide
My problem is similar to this: ng-show and ng-hide with jwt Although I modified as instructed by user3735441, I still can't make them work properly: Service : 'use strict'; /** * @ngdoc service * @name ToDoManagerApp.authToken * @description * # authToken * Factory in the ToDoManagerApp. */ angular.module('ToDoManagerApp').factory('authToken', function($window)...

Laravel Dingo JWT

php,laravel,jwt,dingo-api
I am currently coding an API in Laravel with Dingo and JWT as its authentication It works fine, and I have set Dingo config to protected, so a valid JWT token will always need to be there, otherwise it will fail with 401 error. Again it works fine. The question...

Set regular HTTP request headers from javascript

javascript,authentication,http-headers,jwt
I'm trying to make a multipage web app that uses json web tokens for authentication. Using JWTs for single page apps is fairly trivial as you just set the headers on an XHR and send it off, but setting the headers for regular browser requests seems somewhat more difficult. It...

JSON Web Token Auth Service - checking status on separate server to protect routes. NodeJS

node.js,authentication,express,routing,jwt
For a project I’m working on currently I am developing an API using Node/Express/Mongo and separately developing a website using the same tools. Ideally I want to host these on separate servers so they can be scaled as required. For authentication I am using jsonwebtoken which I’ve set up and...

Can anybody decode a JSON Web Token (JWT) without a secret key?

c#,jwt
I am new to this domain but I was trying to generate a JWT using the JWT nuget package (https://github.com/jwt-dotnet/jwt) My understanding is that you supply a secret key to sign the Token but when I got the token I went to this website http://jwt.io/ to test it and the...

Authentication with username & password with node js, AngularJs and JWT

javascript,angularjs,node.js,jwt
I am creating a production AngularJS application. Now I've created parts of my RESTful API; this API generates a user object on login, however I am not keen on sending the password unhashed / unencrypted over the HTTP header. To give you some insight into my API: on login:...

What to use for user profile search: username or JWT token?

javascript,node.js,jwt
In my web application, I want to go to the user home page or profile page of another user. What should I pass to query data for a particular user? What should be the flow? I am trying to build a full stack JS application with user profiling....

Express JWT Error: Not enough or too many segments in socket.io initial auth

javascript,authentication,socket.io,jwt,express-jwt
During the initial handshake where a token and username are passed, I am catching this strange error-- { handle: 10, type: 'error', className: 'Error', constructorFunction: { ref: 11 }, protoObject: { ref: 12 }, prototypeObject: { ref: 3 }, properties: [ { name: 'stack', attributes: 2, propertyType: 3, ref: 3...

What is special for a private key to be PEM-formatted?

python,openssl,public-key-encryption,jwt
I am trying to use the Google API with a oAuth service account, with Python 3.4. One of the steps is to generate a JSON Web Token, for which I use PyJWT. My code for the generation is the following: # opening the certificate downloaded from the Google API console...