I've been asked to solve a very specific problem. An outside company will authorize the user, and create a JWT token for that user. They will then send us a .cer file (.der and other file types are likely fine too). I then have to decode the JWT within the file.
Our Rails app's current authorization system uses Devise
I've tried finding ways to do this in the JWT gem. I've tried using the OpenSSL library to somehow read the file and turn it into an object that JWT.decode will read.
Let me know if more info is needed
Related
I don't understand the use of JWT token..
Can anyone explain it to me ?
Because currently i'm working on an app (rails + react), and I want to use devise + jwt for authentification and React for frontend.
Actually, I understood that :
1/ If a user want to login: he completes the form, React get Data from form and make a post request of these infos to Rails API.
2/ Rails API get theses infos check in the db if infos match with a registered user, if it is then Rails API will create a JWT token and will send this token to React.
User is now logged in because Rails API found a matched user.
3/ React receive the JWT token. ( ?? what the usage of this token ?? )
thanks
My response is not specific to Rails/React, but rather to all web technologies using JWT tokens:
What you said is correct. From point 3 forward, all the requests made from React to the Rails backend will have to contain the header Authorization: Bearer <token>.
When Rails sees that header, it is able to:
checks the token is valid, by checking its signature
decode it and extract any info stored in it.
Remember that JWT tokens can contain any info the backend wants to store in it. And the client is not able to tamper it, because it is signed cryptographically and it would invalidate its signature.
The above properties (the fact you can store anything in it, that the frontend sends it with every request and that nobody can tamper it) help any web application being able to:
have a shared nothing architecture - because the session is stored completely on the UI, so any backend worker/machine can handle any request
store more info in the session than if they'd use signed cookies for sessions.
Since you are return api . And react is consuming it.
Jwt help to return data you might need to persist in your frontend in react tho. Data like user name or email.
Example : making the header of your website show a user is logged in.
Since you are return api . And react is consuming it.
Jwt help to return data you might need to persist in your frontend in react tho. Data like user name or email.
Example : making the header of your website show a user is logged in.
The main aim of jwt in frontend is basically auth.
Apart .
If you are using a monolith app u deal with session for user
In react case jwt stands in as the session
The main aim of jwt in frontend is basically auth or other.
Apart . If you are using a monolith app remeber u deal with session for user In react case jwt stands in as the session
I'm working on a rails application that is integrating with Xero. I'm using omniauth-xero gem to authenticate my users, and the xeroizer gem to interact with Xero's API. I am storing the token, secret token on a model associated with the user. I'm able to access the xeroizer client and see that the access tokens are matching what I'm storing. But when I try to do a basic get request, I get a 401, signature invalid: Failed to validate signature. I'm confused on what the error could be referring to as I have no way to touch the signature between using each of the gems.
Maybe you set a password while export the pfx file and you missed in your code?
I'm building an native iOS app, it uses OAuth 2.0/OIDC for authentication and authorisation. The auth server is identity serverver 4.
By going thru documents such as https://www.rfc-editor.org/rfc/rfc8252 I have established that the correct flow to use is "authorisation code" flow even though we own the app, the auth server and the resources.
I also learned that we need to use a secure browser such as SFSafariViewController and that we need to use PKCE and remember to use the "state" key in the request and validate on return.
My problem is validating the jwt on the iOS device. I use https://github.com/kylef/JSONWebToken.swift as suggested on jwt.io
To validate the validity of the jwt we need to check that it was is deed signed by our auth server. The server signs using an async rs256 key and exposes the public key on a endpoint. JSONWebToken.swift does not support rs256 and I have not been able to find any iOS library that does, so how to other people validate jwt on iOS devices? I guess we could swith to HS256 which is supported by JSONWebToken.swift but this is a sync algorithm and would require us to store the key on the device which would not be safe.
How to solve this issue, surely I'm not the only one having it...
You could use the Vapor package at https://github.com/vapor/jwt which does support RS256, but you'll need to fetch the JWK yourself.
I'm using json web tokens for my app.
When i login to my site and want to see who is the user logged in, i have a previously stored token with all the needed data in it encoded in HS256.
Should i use this token payload to show "Hello ..." and the user name which is inside the payload, or should i decode the token server side and retrieve the user data from there?
Is there any client-side library to decode HS256 for me to use?
Or is it bad practice and should be avoided.
JWT is self-contained and is protected with a digital signature. You can perfectly use the information contained in the token, but you should validate the expiration time and to ensure that digital signature has not been altered.
To verify the signature on the client side you need the key was asymmetrical and use the public key to verify. May be send the token to server save you problems. Depends on the operation could take the risk, as long as the token is used for autenthication on the server and it performs the validation
Is there any client-side library to decode HS256 for me to use? Or is it bad practice and should be avoided.
In fact, you do not need any library. The payload is base64 url encoded, and can be easily decoded in any programming language. You would need a library to verify digital signature. Take a look at jwt.io
I want to create a Rails application which exposes an API to be consumed by only authorised client applications (will be mobile apps for iOS / android). I've not started working on the app yet, but the primary method of accessing the underlying data will be through the api. I've been looking at using the grape gem, but would need to add an authentication layer to it. I was thinking about using devise and adding another model for storing client details, api key and secret key. Upon sign in through the api, the api key and secret are returned. The API key is transmitted with each request, but the secret key is not. Instead, it is used to sign each request; the request parameters are ordered by name, hashed using the secret key as the hash key. This signature is then added as a parameter to the request.
Does this system of authentication sound logical and secure?
I tried to prototype the system earlier, but ran into difficulty signing up a user using JSON with devise. At first I was getting a CSRF error. I then turned off protect_from_forgery and was getting another error. Is it safe to turn this off if I am authenticating in this way?
Yes you can turn off rails CSRF protection since you are using a different authenticity method as long as a date or timestamp is always inside the parameters that are being signed. You can use this to compare the request time to the server time and make sure you aren't undergoing a replay attack.
protect_from_forgery helps you protect your HTML forms. If you're consuming JSON from mobile clients, you don't need it.
Here's what I would do if I were you:
on user's account page, have a button that says "(re)generate API key"
client then embeds this key into his calling code and passes with each request.
your API server checks whether this API key can be used with this client id.
Very easy to implement and serves well.
Signing parameters also works and I used it in several projects with success. But it increases code complexity without any real gain (secret key is on the client, attacker already knows it).