Access token for anonymous users - JWT

I have been doing research to switch to a community supported authorization system rather than the one I've built. I made the mistake of rebuilding the wheel, instead of implementing a community driven system that utilizes the best practices. However, I couldn't find any authorization example with JWT rather than authentication.

I'm open to all suggestions. As far as I could find, JWT and OAuth require clients to have an existing account, and authenticate in order to receive a token. However, I need the below functionality in my application.

  • Anonymous users should get an access token, and be able to fetch some resources. I should be able to recognize these guest clients and store session data for them.
  • Guest users should be able to log in, and then perhaps get a new token, or update their access level to request restricted resources and perform operations that are only for members.

I'm going to build this project with Laravel 5.1 and AngularJS. All suggestions are greatly appreciated. I really could use some directions on this, and simple links to documentations would be enough.

Ilyas Serter, asked Jul 02 '15 12:07



2 Answers

I think you can generate an anonymous access token either from a random existing user or from custom claims.

From an existing random user:

<?php
use App\User;
use Tymon\JWTAuth\Facades\JWTAuth;

// grab some user (any existing account will do for a placeholder identity)
$user = User::first();

// issue a token whose subject is that user
$token = JWTAuth::fromUser($user);

Or from custom claims:

<?php
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Facades\JWTFactory;

// arbitrary claims for the anonymous token; no user record is involved
$customClaims = ['foo' => 'bar', 'baz' => 'bob'];
// build the payload (the package adds the standard claims such as iat/exp/jti)
$payload = JWTFactory::make($customClaims);
// sign and serialize it
$token = JWTAuth::encode($payload);

You can get more details from the following link:

https://github.com/tymondesigns/jwt-auth/wiki/Creating-Tokens

Yasser Mohammed ElSayed, answered Oct 09 '22 16:10


I certainly understand the use case you describe - but I'd argue that an anonymous token doesn't actually add any security. This is because a completely anonymous user will be able to request an anonymous token without first identifying themselves (otherwise it wouldn't be anonymous). As such - this token must be assumed to be owned by any and all users of your application (including those with malicious intent).

Whilst I'm not familiar with Laravel - the general approach to achieving this sort of functionality might be something like:

Approach

  1. Find a session library that allows collection of user information ahead of login (I'm fairly sure that most session libraries will facilitate this)
  2. Create a session for every user who visits the Application (in this you can start to profile them, store useful information etc.)
  3. Create a divide between authenticated endpoints and anonymous endpoints, requiring a valid access token present in the user's session to retrieve/send data to those that are authenticated
  4. When the user 'logs in' you can perform the OAuth2.0/OIDC flow with your authentication provider of choice, eventually retrieving tokens.
  5. Store the tokens in the user's session (in effect 'upgrading' their access) so that when they next try to hit an authenticated endpoint they have access

General Notes

  • Make sure to use a persistent store for the session data (I would normally use something like Redis) so that session data can be shared between instances of your application

Jack Dunleavy, answered Oct 09 '22 18:10
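A framework-agnostic sketch of the guest-then-upgrade scheme that both answers describe (an added example, not code from either answer or from the jwt-auth package): it mints an HS256 guest token that carries only public scopes and a random session handle, re-issues a member token at login that keeps that handle, and authorizes endpoints by scope, so the anonymous token grants nothing an anonymous caller could not already get. The secret, scope names and the `guest_sid` claim are constructed for the demo; a real deployment would load the key from configuration and use a maintained JWT library.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"   # constructed; load from config in practice
GUEST_SCOPES = {"public:read"}         # what any anonymous caller may do anyway
MEMBER_SCOPES = {"public:read", "member:read", "member:write"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict) -> str:
    """Serialize claims as a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify(token: str, now=None) -> dict:
    """Return the claims of a token we issued; raise ValueError for anything else."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick the algorithm
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def issue_guest_token(now=None) -> str:
    """Anonymous token: a random session handle plus public scopes only."""
    now = int(time.time() if now is None else now)
    return sign({"sub": "guest:" + secrets.token_urlsafe(16), "role": "guest",
                 "scope": sorted(GUEST_SCOPES), "iat": now, "exp": now + 3600})

def upgrade_to_member(guest_token: str, user_id: int, now=None) -> str:
    """After a real login, re-issue with member scopes; guest_sid (constructed claim) keeps the pre-login session handle."""
    guest = verify(guest_token, now)           # only upgrade handles we issued ourselves
    now = int(time.time() if now is None else now)
    return sign({"sub": f"user:{user_id}", "role": "member", "guest_sid": guest["sub"],
                 "scope": sorted(MEMBER_SCOPES), "iat": now, "exp": now + 3600})

def authorize(token: str, required_scope: str, now=None) -> bool:
    """Endpoint check: the token must verify and carry the required scope."""
    try:
        return required_scope in verify(token, now).get("scope", [])
    except ValueError:
        return False
```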