Custom JWT login -> Login validated user without a password.


hiro

Sep 11, 2020, 10:06:17 AM
to web2py-users
Hi, quick question!

I am working on an internal API using web2py and the organization I am working for wants us to use JWTs. I have had no success with the JWTAuth in the tools file, but have successfully been able to redirect to the single sign-on provider and then validate the token as the single sign-on provider redirects back to the web2py service.

So basically I have been able to validate that a user with a given username is allowed to log in. Now, the question becomes, how do I log in the user?

Assume the user already exists within the Auth DB for now. In the long run I will need to update user permissions and LDAP groups and so on, but for now I just need to know how to log in programmatically when I know the user is allowed to log in by a validated JWT token, but I have no password or anything else except the username.


# Code to validate JWT token..

username = validated_jwt_token.preferred_username
Auth.login(username)

# User should now be logged in.

Any idea?
Thanks!

Kevin Keller

Sep 11, 2020, 11:13:18 AM
to web2py-users
I am not sure I understand what you have done completely, but let me give it a shot at the point where you ask how to validate a jwt token. 

The IDP that created the JWT token will sign the JWT token. 
So you need to send the token e.g. via POST to web2py and then use pyjwt 
to verify the token with whatever means that token was signed with. 
Maybe a simple passphrase, shared key, public key etc. 

Once you verified the signature you can use pyjwt
to load the contents of the token into a python dict. 
Some IDPs include information about the person logging in as "claims". 
Info such as first name, last name, email, username/display name etc. You can extract that information 
and create the user in web2py and log the user in with a web2py session. 

Some IDPs do not put anything in the token and ask you to use the jwt token to call a userinfo endpoint (restful api of the IDP), 
to extract more info about the user directly from the IDP instead of from the token. 

The token usually was issued with certain scopes e.g. openid, profile, email and depending on the scopes of the token, the IDP will either 
give this information or not. 
Usually you also have to whitelist in the IDP which hosts such a call can come from and which hosts can actually obtain tokens etc. 



--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/0c6cfe00-9e4d-416a-b547-76809c19e751o%40googlegroups.com.

hiro

Sep 14, 2020, 2:14:31 AM
to web2py-users
Thank you! You are spot on. I have redirected the user to a single sign-on page, and got redirected back with a token, which I then validate using the requests library and my key to extract the username and permissions.

I already have the users in the default auth tables, so basically now that user X has provided a valid token I want to be able to log in that user.

Maybe that is just stupid? Maybe one should just use the extracted data as from the token and never store any of it in the internal user database?



Kevin Keller

Sep 14, 2020, 12:59:26 PM
to web2py-users
Nope, it's not stupid. 

At least not as long as you store data in the local database of your app that is not stored in the directory of your identity management system. 
Then you would just duplicate data and I would just use the claims from the IDM to work in the app. 
But if your app stores data about the user that is not stored in the IDM, for example if you have a web shop and you want to store the purchase history, 
you probably do not want to store that in your IDM directory but leave it in the local database. In order for your app to understand what data to pull for that user from
the local database it is important to create the user entity in the local app as well as have it in the IDM. 
I usually check if a user that just authenticated via the IDM is already in the database and if not I create / update the user in the local database. 

In terms of logging users in, I think in web2py it was straightforward if I remember correctly.. 

Looking at this snippet:

I think you can extract the username from the token and then do: 

user = db(db.auth_user.username==username).select().first()
auth.user = user
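
Kevin's two replies together describe the whole flow: verify the token's signature before reading any claim, then create or update the local user row from the claims and log that user in. The block below is an added example written for this thread, not code from hiro, Kevin or web2py. It verifies an HS256-signed token using only the standard library (pyjwt does the same job, as Kevin suggests; doing it by hand makes the algorithm pinning and the constant-time signature comparison visible), checks expiry, then mirrors the OpenID Connect claims (`preferred_username`, `given_name`, `family_name`, `email`) into an in-memory dict that stands in for `db.auth_user`. The shared key, the claim values, the `make_test_token` minting helper and the stand-in table are all constructed for the example. In web2py the returned row would then be handed to `auth.login_user(user)`, which starts the session; that call is web2py's own and is not exercised here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the key the IDP shares with the app for HS256.
SHARED_SECRET = b"example-shared-key-not-for-production"


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_hs256_token(token, secret, now=None):
    """Check the signature and expiry of an HS256 JWT and return its claims.

    Raises ValueError on any defect. Nothing in the payload is trusted until
    the signature has been checked with the key the IDP shares with us.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a header claiming "none" or any other algorithm
    # is rejected rather than being allowed to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def find_or_create_user(claims, auth_user_table):
    """Mirror the IDP identity into the local user table (create or update).

    auth_user_table is a constructed dict keyed by username, standing in for
    web2py's db.auth_user; the claim names are the standard OIDC ones.
    """
    username = claims["preferred_username"]
    profile = {
        "username": username,
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "email": claims.get("email", ""),
    }
    user = auth_user_table.get(username)
    if user is None:
        user = dict(profile)
        auth_user_table[username] = user
    else:
        user.update(profile)  # refresh local copy from the IDM each login
    return user


def sso_callback(token, secret, auth_user_table, now=None):
    """Handle the IDP redirect: verify, map claims to a local user, return it.

    With web2py the returned db.auth_user row goes to auth.login_user(user).
    """
    claims = verify_hs256_token(token, secret, now)
    return find_or_create_user(claims, auth_user_table)


def rejects(token, secret, now=None):
    """True if verification refuses the token (for the negative cases)."""
    try:
        verify_hs256_token(token, secret, now)
    except ValueError:
        return True
    return False


def make_test_token(claims, secret, alg="HS256"):
    """Constructed helper: mint a token the way a test IDP would (example only)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return header + "." + payload + "." + _b64url_encode(sig)
```

Usage: call `sso_callback(token, SHARED_SECRET, table)` from the handler the IDP redirects back to; a token signed with a different key, carrying `alg: none`, or past its `exp` is refused before any claim is read, and a second login for the same username updates the existing row instead of adding a duplicate.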



hiro

Sep 16, 2020, 6:16:35 AM
to web2py-users
That was easy. Thank you! Those were the two lines of code I was looking for!