Access token for anonymous users - JWT

Question

I have been making research to switch to a community supported authorization system rather than the one I've built. I made the mistake of rebuilding the wheel, instead of implementing a community driven system that utilizes the best practices. However, I couldn't find any authorization example with JWT rather than authentication.

I'm open to all suggestions. As far as I could find, JWT and OAuth requires clients to have an existing account, and authenticate in order to receive a token. However, I need the below functionality in my application.

• Anonymous users should get an access token, and be able to fetch some resources. I should be able to recognize these guest clients and store session data for them.
• Guest users should be able to log-in, and then perhaps get a new token, or update their access level to request restricted resources and perform operations that is only for members.

I'm going to built this project with Laravel 5.1 and AngularJS. All suggestions are greatly appreciated. I really could use some directions on this, and simple links to documentations would be enough.

Answer 1

I think you can generate an anonymous access token either from a random existing user or from custom claims

From an Existing random user:

// grab some user
$user = User::first();

$token = JWTAuth::fromUser($user);

Or From Custom Claims:

$customClaims = ['foo' => 'bar', 'baz' => 'bob'];
$payload = JWTFactory::make($customClaims);
$token = JWTAuth::encode($payload);

You can get more details from the following link:

https://github.com/tymondesigns/jwt-auth/wiki/Creating-Tokens

Answer 2

I certainly understand the use case you describe - but I'd argue that an anonymous token doesn't actually add any security. This is because a completely anonymous user will be able to request an anonymous token without first identifying themselves (otherwise it wouldn't be anonymous). As such - this token must be assumed to be owned by any and all users of your application (including those with malicious intent)

Whilst I'm not familiar with Laravel - the general approach to achieving this sort of functionality might be something like:

Approach

1. Find a session library that allows collection of user information ahead of login (I'm fairly sure that most session libraries will facilitate this)
2. Create a session for every user who visits the Application (in this you can start to profile them, store useful information etc.)
3. Create a divide between authenticated endpoints and anonymous endpoints, requiring a valid access token present in the users session to retrieve/send data to those that are authenticated
4. When the user 'logs in' you can perform the OAuth2.0/OIDC flow with your authentication provider of choice, eventually retreiving tokens.
5. Store the tokens in the user's session (in effect 'upgrading' their access) so that when they next try to hit an authenticated endpoint they have access

General Notes

• Make sure to use a persistant store for the session data (I would normally use something like Redis) so that session data can be shared between instances of your application)