Hello all,
I wanted to share with you my working POC for using JWT (JSON Web Tokens) for auth tokens to create public APIs for the Umbraco backoffice.
I talked to Niels and explained the idea at the Umbraco UK Festival in the open workshop/show & tell sessions, and with the Core team planning to do
something similar in the core on the roadmap that was presented in the keynote, I wanted to share my work on this so far.
What are JWTs?
They are auth tokens that allow you to send a piece of JSON encoded as a token, and are the more modern approach to dealing with auth in applications,
especially as we build applications across different devices. The videos below will do a much better job of explaining it than I can.
Why do this?
I needed to create this POC for an upcoming pet project I am currently hacking & building. I needed a way to authenticate to any Umbraco backoffice using
the same credentials as the Umbraco backoffice user and ensure they have access to specific section(s) on that user. The user will only need to log in once; we
then store the auth token in local storage or a cookie and use that token from storage or the cookie for any future secured/protected API calls.
More Resources on JWTs
NG Europe talk from the Auth0.com guys
https://www.youtube.com/watch?v=lDb_GANDR8U&list=UUEGUP3TJJfMsEM_1y8iviSQ
Another good talk on JWT
https://www.youtube.com/watch?v=vIGZxeQUUFU#t=83
Debugger tool
http://jwt.io
Class Library & Nuget Package I use
Didn't use the M$ one as it was massively complex as opposed to a single class file
Authored by FireBase, Twilio & others
http://www.nuget.org/packages/JWT/
https://github.com/johnsheehan/jwt/blob/master/JWT/JWT.cs
Explaining how my implementation works
Why do you not just store the username & password in the JWT?
The payload of the JSON object in the JWT can be decoded easily: paste a token into jwt.io and you can see it.
However, the part to do with JWT is that we verify the AuthToken is signed with the secret/string to ensure our server created the JWT and that it is valid.
So in my implementation I only store the username, user ID, user role and Created Date of the token. The date ensures that the token is different every time
a new one is generated for easy revoking.
Do the tokens expire?
My implementation allows the tokens to work indefinitely until the user in the Umbraco backoffice changes their password,
which creates a new token and thus revokes access to the API for any clients or services using it.
However, it is easily possible to store an expiry date in the JSON payload of the Auth Token and verify the expiry date when decoding it.
Where's the code?
I currently have it in a pet project I am working on and need to do a bit of tidying up and decoupling from the project it's currently in, and
I plan to put it on GitHub to discuss & review with everyone here (if there is interest, that is).
Separate Project or Pull Request?
So the question I ask is: until the core supports Identity 2 from Microsoft for members & backoffice users (I know Shannon has a project that works with members currently),
do I submit this idea/approach to the core as a Pull Request to help move this forward, or will it only be superseded at a later date by Identity, so is it worth it?
Thanks
I look forward to any feedback or thoughts you have on this.
Cheers,
Warren :)
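To make the mechanics in the post concrete (a readable payload that must not carry the password, an HMAC signature proving the server issued the token, an optional `exp` claim checked on decode, and old tokens dying when the password changes), here is a small standalone HS256 JWT sign/verify example. It is added here as an illustration and is not Warren's Umbraco code or the JWT NuGet package; the claim names (`sub`, `uid`, `role`, `iat`, `exp`) and the per-user key derived from the server secret plus the user's current password hash are assumptions chosen for this example, not something the post specifies.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def user_signing_key(server_secret: bytes, password_hash: str) -> bytes:
    # Assumption for this example: the per-user key mixes the server secret with the
    # user's current password hash, so changing the password invalidates every old token.
    return hmac.new(server_secret, password_hash.encode(), hashlib.sha256).digest()


def create_token(key: bytes, username: str, user_id: int, role: str,
                 issued_at: int, ttl_seconds=None) -> str:
    # Only non-secret claims go in the payload: anyone can read it without the key.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "uid": user_id, "role": role, "iat": issued_at}
    if ttl_seconds is not None:
        payload["exp"] = issued_at + ttl_seconds  # optional expiry, checked in verify_token
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def read_payload_unverified(token: str) -> dict:
    # Base64url is encoding, not encryption: this needs no key at all (what jwt.io does).
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(key: bytes, token: str, now: int) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server decides the algorithm, not the token
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")  # tampered, forged, or key changed (password reset)
    payload = json.loads(_b64url_decode(parts[1]))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload
```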