
How to give user JWT token after OAuth provider redirect?

Tags: oauth, jwt, rauth

I'm implementing OAuth (using rauth) and will be giving out JWT tokens (using flask-jwt), with a JavaScript frontend (Angular1). I have done it for a classical cookie/session based app. It works. Now I want to do it with JWT tokens.

If I understand correctly, the user is redirected to the provider (e.g. Google), logs into their account, my server and the provider do the magic, then the provider redirects the user back to my page. Now I have the user profile and that ends the OAuth part. With a normal session you give the user cookies and the rest of the stuff for setting up a session, then redirect him to the home page.

This is where I'm stuck. Is there any good practice for how to give the user a JWT token after the provider sends him back? Give it to the user as a cookie on the redirect to the home page? Put it in a header? As far as I know I need JavaScript to save the token into LocalStorage/SessionStorage.

gcerar asked Jul 28 '15 16:07




1 Answer

At the end of the day, the user will be redirected back to our app where a page now needs to be rendered. The only option I see is to return the JWT as a cookie because response headers aren't accessible in JavaScript & the only other place would be to embed it in the DOM which would open it up to CSRF attacks.

When the browser is redirected from the OAuth provider it will only have an access code which can be exchanged for an access token on the server side. But best practice says you need to keep that access token secret (not pass it back to the browser).

There is a lot of debate about JWTs in cookies vs local/session storage but in this use-case I don't see any other option than to use cookies. All the use-cases I have seen that describe using browser storage assume an XHR request is being made to obtain the JWT. But this isn't an option in an OAuth flow because the entire browser has just been redirected back to our app.

I don't see another option (for the OAuth use-case) other than keeping the JWT in a cookie to be used for future API calls. But maybe I'm missing something.

Roy Brumby answered Sep 22 '22 07:09
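As an added example (not the answerer's or the flask-jwt/rauth project's code), here is a stdlib-only sketch of the cookie approach the answer recommends: the server-side callback mints an HS256 JWT for the profile the provider returned and sends it on the 302 back to the home page as an HttpOnly, Secure cookie, so the provider's access token never reaches the browser. The secret, the cookie name `jwt` and the profile dict are constructed assumptions, and the small `mint_jwt`/`verify_jwt` helpers stand in for whatever JWT library the app uses.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"  # constructed; load a real secret from config
COOKIE_NAME = "jwt"  # assumed cookie name, not a library default

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # only accept the algorithm we issue (no "none", no RS256 confusion)
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def oauth_callback_response(profile: dict, home_url: str, now: int):
    """Response for the provider's redirect back to us: JWT in an HttpOnly cookie on a
    302 to the home page. The provider access token stays server-side, never in the response."""
    token = mint_jwt({"sub": profile["id"], "iat": now, "exp": now + 3600}, SECRET)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["httponly"] = True   # page scripts cannot read it
    cookie[COOKIE_NAME]["secure"] = True     # sent over HTTPS only
    cookie[COOKIE_NAME]["samesite"] = "Lax"  # CSRF mitigation: the cookie now authenticates API calls
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["max-age"] = 3600
    return 302, {"Location": home_url, "Set-Cookie": cookie[COOKIE_NAME].OutputString()}
```

Because the browser attaches the cookie automatically, API endpoints that change state still need a CSRF check beyond SameSite (e.g. a double-submit token), which the stock session-based setup would also have required.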