Lexik JWT Token not found

Question

I've seen similar questions but still can't get this to work.

I'm new with Symfony and I'm using Lexik JWT bundle with symfony3 for API authentication, and a login form for web authentication.

I get the token ok but when I try to use it I get 401 - Bad authentication. I've read it can be an apache problem so I'm trying with PHP's built-in web server, but still no luck.

Here's my security.yml file:

security:

encoders:
    AppBundle\Entity\User:
        algorithm: bcrypt

# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
    in_memory:
        memory: ~
    our_db_provider:
        entity:
            class: AppBundle:User
            property: username

firewalls:
    # disables authentication for assets and the profiler, adapt it according to your needs
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false

    login:
        pattern:  ^/api/login
        stateless: true
        anonymous: true
        form_login:
            check_path:               /api/login_check
            success_handler:          lexik_jwt_authentication.handler.authentication_success
            failure_handler:          lexik_jwt_authentication.handler.authentication_failure
            require_previous_session: false
        provider: our_db_provider

    api:
        pattern:   ^/api
        stateless: true
        provider: our_db_provider
        lexik_jwt:
          authorization_header: # check token in Authorization Header
            enabled: true
            prefix:  Bearer
          throw_exceptions:        true     # When an authentication failure occurs, return a 401 response immediately
          create_entry_point:      true      # When no authentication details are provided, create a default entry point that returns a 401 response


    main:
        anonymous: ~
        form_login:
          login_path: /login
          check_path: /login_check
        provider: our_db_provider

access_control:
  - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
  - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }
  - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
  - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
  - { path: ^/, roles: [ROLE_ADMIN, ROLE_USER] }

If I set the create_entry_point to false in my api firewall, I get a 500 error: A Token was not found in the TokenStorage.

Maybe I'm passing the token the wrong way? I've tried several ways as I'm not sure which one is correct. Here are my headers:

POST /api/notifications HTTP/1.1
Host: localhost:8000
Authorization: bearer {"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0NTUwMDk1ODAsInVzZXJuYW1lIjoiYXNvcmlhIiwiaWF0IjoiMTQ1NDkyMzE4MCJ9.rwgAkLBesTYOZn3B96Jlsf9_3Qy-rjrRt2l5UxdXD8ZadJ2YbK-9m7qNqUd9-bhaA_MFL1lssPZ-0AzmQCZx8bL8XD_l2_df0wfVm6Le6pEJEJk0arbyxlEOZ-9LrRdOa6EjnzDcZT6Wn76QNOsCSjME7rjk0w0lLs4eXAaXGAYL6lqU4YoiM1xnifzHgGtJKc7RBBivY8yHjfs51S6GwEKzPGrYMUTZWmjhxFPlKZCqEJlaJ6NT82A3PuoISCMUvt7AuxhHdgeuS-TMjdTY-WhqaL7f7Z2FP0_FstKVORHDzC1vf7VlylF76SnF0Sh2tMTuvf70zYnD_gF0k7b9zoOp54e0mJt0XaLTyCtomPSeDhfJV1wJY6EZsrvdUrrHXXtXhA6K70FIM_nQJPVo4Raht-hQWmOnWb3Ib0SvvytQHP96klXVgKHyIaicEjvWhmonzgSRndme4HGXlPWmbKH6tVJpvWatOeaWD4jjS-ZLD_5oBr_o3vNPw81oZj0huI6OgzYvXDpLPw3P7Ma4LmBdQOLwpUEPG3LnuKIdU27umFTrN3T-Cfrb6kITU1BTaTL-AIOM-F6FDlcgJfYxOs6GEFOlFtjJ5KSAEiY8DWiubbrS-VH9uaMlc9YapTlNVsUI7whzO7QmXzC-V8idrNoWBWVftyMDlA9YR_D7N9E"}
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

Or

    POST /api/notifications HTTP/1.1
Host: localhost:8000
Authorization: bearer {"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0NTUwMDk1ODAsInVzZXJuYW1lIjoiYXNvcmlhIiwiaWF0IjoiMTQ1NDkyMzE4MCJ9.rwgAkLBesTYOZn3B96Jlsf9_3Qy-rjrRt2l5UxdXD8ZadJ2YbK-9m7qNqUd9-bhaA_MFL1lssPZ-0AzmQCZx8bL8XD_l2_df0wfVm6Le6pEJEJk0arbyxlEOZ-9LrRdOa6EjnzDcZT6Wn76QNOsCSjME7rjk0w0lLs4eXAaXGAYL6lqU4YoiM1xnifzHgGtJKc7RBBivY8yHjfs51S6GwEKzPGrYMUTZWmjhxFPlKZCqEJlaJ6NT82A3PuoISCMUvt7AuxhHdgeuS-TMjdTY-WhqaL7f7Z2FP0_FstKVORHDzC1vf7VlylF76SnF0Sh2tMTuvf70zYnD_gF0k7b9zoOp54e0mJt0XaLTyCtomPSeDhfJV1wJY6EZsrvdUrrHXXtXhA6K70FIM_nQJPVo4Raht-hQWmOnWb3Ib0SvvytQHP96klXVgKHyIaicEjvWhmonzgSRndme4HGXlPWmbKH6tVJpvWatOeaWD4jjS-ZLD_5oBr_o3vNPw81oZj0huI6OgzYvXDpLPw3P7Ma4LmBdQOLwpUEPG3LnuKIdU27umFTrN3T-Cfrb6kITU1BTaTL-AIOM-F6FDlcgJfYxOs6GEFOlFtjJ5KSAEiY8DWiubbrS-VH9uaMlc9YapTlNVsUI7whzO7QmXzC-V8idrNoWBWVftyMDlA9YR_D7N9E"}
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

Any ideas?

Thanks in advance!

Answer 1

The first solution works to solve "401 - Bad authentication" error.

But for Apache users that have the error "401 - JWT Token not found", the solution is to rewrite HTTP Authorization header of request, by placing following instructions on your virtualhost :

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

You could find further readings about this issue on documentation, on this post and this one.

Answer 2

The authorization header should be

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9....9YR_D7N9E