I'm using the PyJWT library (import jwt) to generate JSON Web Tokens for authentication.
The original design had us passing the token in through the URL like http://example.net?token=eyKDFkdfkdndfndfk...
However, with this solution it appears that anybody who views the token in the URL could then use this token to access the site.
Is the proper solution to pass the JWT through the HTTP header and through SSL? It looks like some solutions pass the JWT through "Authorization Bearer" such as in this thread: Best HTTP Authorization header type for JWT
Use authorization headers for your JWT bearer tokens. Note: JWT is simply a standardized way of sending information between parties, and it is possible that you could safely send a JWT via a URL in other scenarios (e.g. single-use tokens), but it is not something we recommend in the context of Auth0.
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.
In your frontend, store the access token in memory of your client's JavaScript application and store the refresh token in a web store. Send the JWT access token as a bearer token in the HTTP header with each server request that requires authorization. Verify the JWT on your server using the public key (public to your services).
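The flow the answers above describe, as an added example that is not part of the question or any answer: the client puts the token in an Authorization: Bearer header instead of the query string, and the server extracts it, pins the expected algorithm, checks the HMAC signature in constant time, and checks expiry. It uses only the standard library so it runs offline; the function names (make_token, parse_bearer, verify_token, authenticate), the secret and the claims are constructed for this example. With PyJWT the issuing and verifying steps correspond to jwt.encode(payload, key, algorithm="HS256") and jwt.decode(token, key, algorithms=["HS256"]).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not code from the question or answers: an HS256 JWT issued,
# sent as "Authorization: Bearer <token>", and verified server-side.


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature (all base64url)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_bearer(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    value = headers.get("Authorization")
    if not value:
        return None
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature and expiry; return the claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: never let the token's own "alg" field
    # choose the verifier (this is what algorithms=[...] in jwt.decode does).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authenticate(headers: dict, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Server-side check for one request: the claims on success, None otherwise."""
    token = parse_bearer(headers)
    if token is None:
        return None
    try:
        return verify_token(token, secret, now)
    except ValueError:
        return None


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-production"  # constructed value
    token = make_token({"sub": "user42", "exp": 1_700_000_600}, SECRET)
    # The client sends the token in the header, not in the query string,
    # so it does not end up in browser history, referrers or access logs.
    request_headers = {"Authorization": f"Bearer {token}"}
    print(authenticate(request_headers, SECRET, now=1_700_000_000))  # {'sub': 'user42', 'exp': 1700000600}
    print(authenticate(request_headers, SECRET, now=1_700_000_700))  # None (expired)
```

A short-lived exp claim, as in the example, limits how long a leaked bearer token stays usable; the refresh token the answer mentions is what the client would exchange for a new one.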
You can pass the JWT token in the auth header as depicted here.