Help with JWT implementation

[josh]

We use OneLogIn for SSO and also SalesForce. We would like to have a single auth service that will take care of authentication and authorization to all our apps. 

Is this diagram looks like a good approach? http://i.imgur.com/Ji1I1P4.png -

Here is the suggested flow: 

email/password form -> auth service -> onelogin reply yes or no -> salesforce reply with user id. JWT token is created with user id, stored in a DB and JWT is returned to the app. The app will store the JWT in the localStorage (or in case of cordova is some other storage) and sends it in the HTTP header to every other serivce. 

BTW, I read conflicting article about localStorage as a place to store JWT:

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/

http://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf

Opinions, links and suggestions are all welcome!

[Alexander Behrens]

> JWT token is created with user id, stored in a DB and JWT is returned to the app.

Do you mean that user id stored in a DB or do you store the JWT in a DB? If you are storing the JWT, there is no point of using JWT :)

> The app will store the JWT in the localStorage

I always thought this was a good approach. But that way you will never get the JWT when the user initially loads the web app. You always have to render some boilerplate HTML and then let the client-side Javascript do the authentication call for you.

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+un...@googlegroups.com.
To post to this group, send email to nod...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/7568b93c-9635-4615-b0c0-a541cb51b2dd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[josh]

Thank you Alexander!

so maybe I don't even need to store anything in a DB? 

[Luiz Gavioli]

At the client side you'll have to store de JWT Token somewhere, somehow.

At the server side of the authentication service you'll need the user information stored somewhere, somehow, to check password and create the JWT token.

When I use JWT Token, I usually put the user information as the payload. This way your services will always know the user without going to database for it.

Luiz Gavioli

To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/d552ecee-570f-4c36-8f83-bad78f1edbbc%40googlegroups.com.

[Alexander Behrens]

You have your user accounts in a db. When a users logs in, you verify his account. You store every information you might need in the future in the claim of the JWT. You create the JWT and send it back to the user. With this JWT the user can now log in from anywhere, anytime until the JWT expires. You verify the user by decoding the JWT. The whole point of having JWT is to not store them in a db.

To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/d552ecee-570f-4c36-8f83-bad78f1edbbc%40googlegroups.com.

[josh]

got it. so i only need to access the DB (or access an endpoint that verify the existence of the user) at the login. from that moment, the JWT token is self sufficient and I no longer need any DB (for authentication/authorization purposes).

Thanks!