JWT questions


Dave S

Nov 18, 2017, 1:14:20 AM11/18/17
to web2py-users

Between the docstrings in gluon/tools.py and this thread from 15 months ago,
<URL:https://groups.google.com/d/topic/web2py/p9HE6pnf-VE/discussion>
I finally tried and succeeded with doing a JWT test.  Thanks, Niphlod!

As in the thread, I used the auth = Auth(..., jwt = {} ) technique.  The AuthJWT docstrings imply that I could go direct after Auth was initialized, but I didn't understand how to do the import statement.  I don't think I need the lower-level method, but if I get inspired to update the book [*], I'd like to be able to make the proper remarks.

I was able to use curl to get the token (-o), and to return it (-H plus the BASH backquote feature after editing the file to unwrap the token from the JSON), so that was handy.

I am a bit confused about sessions.  The test function I used incremented and returned a counter in the session object.  When using a browser (ordinary login), this incremented nicely.  When using the JWT technique, the same value was returned each time.
That is,

   def tcount():
       # counter kept in the web2py session object ('session' is a web2py global)
       if session.tcount:
           session.tcount += 1
       else:
           session.tcount = 1
       return "%d" % (session.tcount)


returned 1, 2, 3, 4, .... for the browser, and  1, 1, 1, 1, .... for my curl-JWT accesses.  If I wait long enough, the token expires as expected (not very long for the default), but before it expires it acts like the session stays around to keep me "logged in", but also like the session is new every time for the tcount variable.  Is that intended behavior, did I forget something, or did I find a hole?

* Chapter 9, with a forward reference to Chapter 10, or Chapter 10 with a reference back to Chapter 9?

/dps


Dave S

Nov 18, 2017, 1:24:44 AM11/18/17
to web2py-users

Oops, my browser didn't show me this first attempt succeeded.  2nd attempt has the tags; please go there.
-d

Anthony

Nov 18, 2017, 7:50:43 AM11/18/17
to web2py-users

returned 1, 2, 3, 4, .... for the browser, and  1, 1, 1, 1, .... for my curl-JWT accesses.  If I wait long enough, the token expires as expected (not very long for the default), but before it expires it acts like the session stays around to keep me "logged in", but also like the session is new every time for the tcount variable.

When you make an HTTP request to web2py, it sends back a session cookie. Browsers retain and keep sending back the session cookie (throughout the course of a browser session), so web2py can continue to identify the browser with a particular session. By default, curl does not retain cookies and send them back to the remote server on subsequent requests, so web2py has no way of associating each curl request with the same session.

JWT auth does not work via cookies. Rather, the JWT goes in the HTTP request headers. So, with curl, you are sending the JWT to web2py on every request, and web2py is able to validate the JWT on each request (the JWT can be validated based only on its own data -- nothing from a server-side session is needed to validate it). web2py, therefore, is not "keeping you logged in" -- you are really re-authenticating on every single request by sending the JWT in the request headers.

By the way, you can use curl to store and return cookies using the --cookie and --cookie-jar options.

Anthony
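The behaviour Anthony describes, as an added example that is not code from this thread or from web2py itself: a minimal HS256 JWT is signed and verified purely from its own data and expiry, while the session counter lives server-side behind a cookie, so a curl-like client that drops the cookie gets a fresh session (1, 1, 1) and a browser-like client that returns it gets 1, 2, 3. The "Authorization: Bearer" header, the secret and the session id scheme are assumptions for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"  # constructed sample key (assumption)
SESSIONS = {}  # server-side session store keyed by cookie value

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(user_id, ttl, now):
    """HS256-sign a minimal payload; the token carries all the data needed to verify it."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"user_id": user_id, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token, now):
    """Return the claims if signature and expiry check out, else None. No session lookup."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    return claims if claims.get("exp", 0) > now else None

def handle_request(headers, cookies, now):
    """Simulated action: 401 without a valid JWT, otherwise bump a per-session counter."""
    auth = headers.get("Authorization", "")
    claims = verify_jwt(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, None, {}
    sid = cookies.get("session_id")
    if sid not in SESSIONS:  # no (or unknown) cookie: the server starts a fresh session
        sid = f"sid{len(SESSIONS) + 1}"
        SESSIONS[sid] = {"tcount": 0}
    SESSIONS[sid]["tcount"] += 1
    return 200, SESSIONS[sid]["tcount"], {"session_id": sid}

def run_client(keeps_cookies, n=3, now=1000):
    """Send n requests with the same JWT; only a browser-like client returns the cookie."""
    token, jar, counts = make_jwt("dave", ttl=300, now=now), {}, []
    for _ in range(n):
        status, count, set_cookie = handle_request({"Authorization": "Bearer " + token}, jar, now)
        counts.append(count)
        jar = set_cookie if keeps_cookies else {}  # curl without --cookie-jar forgets it
    return counts
```

Every request is authenticated by the token alone; the session cookie only decides whether the counter persists, which is why the two stay independent.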

Dave S

Nov 19, 2017, 2:59:21 PM11/19/17
to web2py-users


On Saturday, November 18, 2017 at 4:50:43 AM UTC-8, Anthony wrote:

returned 1, 2, 3, 4, .... for the browser, and  1, 1, 1, 1, .... for my curl-JWT accesses.  If I wait long enough, the token expires as expected (not very long for the default), but before it expires it acts like the session stays around to keep me "logged in", but also like the session is new every time for the tcount variable.

When you make an HTTP request to web2py, it sends back a session cookie. Browsers retain and keep sending back the session cookie (throughout the course of a browser session), so web2py can continue to identify the browser with a particular session. By default, curl does not retain cookies and send them back to the remote server on subsequent requests, so web2py has no way of associating each curl request with the same session.


Okay, that's pretty clear.  The counter was just an experiment.

 
JWT auth does not work via cookies. Rather, the JWT goes in the HTTP request headers. So, with curl, you are sending the JWT to web2py on every request, and web2py is able to validate the JWT on each request (the JWT can be validated based only on its own data -- nothing from a server-side session is needed to validate it). web2py, therefore, is not "keeping you logged in" -- you are really re-authenticating on every single request by sending the JWT in the request headers.

By the way, you can use curl to store and return cookies using the --cookie and --cookie-jar options.

Anthony

Thanks!  You have both depth and breadth in the topics around here.

/dps
 