JWTAuthenticator Header Options


Chad Retz

Feb 16, 2016, 4:44:24 PM2/16/16
to Silhouette
I would like to read the JWT from the "Authorization: Bearer" header as mentioned at http://jwt.io/introduction/#how-do-json-web-tokens-work- but it appears the JWTAuthenticatorService just reads a single header instead of providing the option to do the form mentioned on the JWT website. Is this correct or am I missing something?

Also I notice the embed methods in the JWTAuthenticatorService but I do not want to embed the JWT in the result (I don't plan on having an idle-timeout so the JWT should not be mutated or need to be sent back).

Is the recommended approach for these features to extend JWTAuthenticatorService and override both embed overloads to do a noop (seems I don't need to override update because it does not get called), and to override retrieve to extract the token from the auth header?

Christian Kaps

Feb 17, 2016, 2:39:57 AM2/17/16
to Silhouette
Hi,

To read the token from the "Authorization: Bearer" header you must override the `retrieve` method, and if you do not want to embed the token into the result, then you need not call this method.

Best regards,
Christian

Chad Retz

Feb 19, 2016, 10:24:24 AM2/19/16
to Silhouette
This is what I ended up doing (code below). It just seems quite strange that the approach mentioned in the JWT documentation is not natively supported.

package modules

import com.mohiva.play.silhouette.api.services.AuthenticatorResult
import com.mohiva.play.silhouette.api.util.{Clock, IDGenerator}
import com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticator._
import com.mohiva.play.silhouette.impl.authenticators.{JWTAuthenticator, JWTAuthenticatorService, JWTAuthenticatorSettings}
import play.api.mvc.{RequestHeader, Result}

import scala.concurrent.{ExecutionContext, Future}

// JWT authenticator service that reads the token from "Authorization: Bearer <token>"
// and never writes the token back into the response (no idle timeout, so the
// authenticator is never mutated and does not need to be re-sent).
class AuthHeaderJwtAuthenticatorService(
  settings: JWTAuthenticatorSettings,
  idGenerator: IDGenerator,
  clock: Clock
)(implicit val execCtx: ExecutionContext) extends JWTAuthenticatorService(settings, None, idGenerator, clock)(execCtx) {

  // The base service would otherwise read the raw token from settings.headerName;
  // this service only makes sense for the Authorization header without an idle timeout.
  require(settings.headerName == "Authorization")
  require(settings.authenticatorIdleTimeout.isEmpty)

  // Extract the token from the Bearer scheme; any other scheme (or a missing header)
  // yields None, and a token that fails signature/claim validation is dropped via toOption.
  override def retrieve(implicit request: RequestHeader): Future[Option[JWTAuthenticator]] = {
    Future.successful {
      request.headers.get("Authorization").flatMap { header =>
        if (!header.startsWith("Bearer ") && !header.startsWith("bearer ")) None
        else unserialize(header.substring(7))(settings).toOption  // strip the "Bearer " prefix
      }
    }
  }

  // No-op: the client already holds the token, so nothing is embedded in the result.
  override def embed(token: String, result: Result)
    (implicit request: RequestHeader): Future[AuthenticatorResult] = Future.successful(AuthenticatorResult(result))

  // No-op: the request already carries the token in the Authorization header.
  override def embed(token: String, request: RequestHeader): RequestHeader = request

  // No-op: without an idle timeout the authenticator is never updated, so the result is returned unchanged.
  override def update(authenticator: JWTAuthenticator, result: Result)
    (implicit request: RequestHeader): Future[AuthenticatorResult] = Future.successful(AuthenticatorResult(result))
}

Christian Kaps

Feb 22, 2016, 2:55:57 AM2/22/16
to Silhouette
Hi,

I'm not sure the page you linked is the official JWT documentation. This page is published by Auth0, a company that relies heavily on JWT for their product. The page as you see it currently is relatively new. There was an old version which didn't describe the way the token should be transported. Even the official JWT RFC doesn't really describe how the token should be transported. The Authorization header is only mentioned once in the introduction, and the HTTP Authorization RFC doesn't describe a Bearer token scheme. The only official document that describes such a scheme is part of the OAuth2 RFC. What I'm trying to say is that there isn't an official standard for how JWT tokens should be transported. So Silhouette allows extracting the token from every request part.

Anyway, I think it would make sense to support the Bearer scheme for the BearerAuthenticator as well as for the JWTAuthenticator in Silhouette 4.

Best regards,
Christian