[ANN] JSONWebToken
Locked
 
|
Hi,
thanks to the inquiry of Sven I published an implementation of JSONWebToken to smalltalkhub. It is available at For those who don't know JSONWebToken or short JWT pronounced "jot" is a token format suitable for authentication and authorization. The token consist of a header, a payload and a signature. The header defines crypto algorithms, compression and other things needed to read a token on reception. The payload is called a claim set which is basically a dictionary with well-known and custom keys. If we think about OAuth or OpenId the values contained map directly to JWT claims. For OpenID connect which is an identification mechanism on top of OAuth the usage of JWT is one of the building blocks. What are the advantages in using JWT? - it defines a header for encoding the content so it is quite flexible in the ways compression and encryption of the key is done - defines a payload which maps arbitrary keys and there is a set of well-known keys that implementations of OAuth, OpenID can understand - defines a signature that makes it easy to trust the information contained or to give the token to someone who is not trusted - token format is a single line string so it can be used e.g. in HTTP authentication headers A problem JWT can solve: In our company we have a lot of little REST servers serving some duties. To minimize the chaos I want to have a central authentication and authorization point. If we assume having 20 images running and we look at typical way how authorization works: there is image A (Authentication), image S (Service) und client C. Client C wants to use the service S 1. client C authenticates and retrieves authorization information from A (or from S which redirects him to A) 2. client C hands out the authorization information to S 3. S needs to check at A if the information is valid (client C could have modified it or generated it) 4. S grants C access Taking the assumption of having 20 service images, every image would need to get back to A in order to check authorization information. The more services images you have the more load it will put on A. In a JWT use case scenario the same would look like 1. client C authenticates and receives a JWT containing authorization information. The token is signed by A 2. client C hands out JWT to service S 3. S checks the signature of A and knows that the authorization information contained is valid. 4. S grants C access FYI, Norbert |
|
|
2016-07-22 10:17 GMT+02:00 Norbert Hartl <[hidden email]>:
Thank's for explanation Norbert. Now I don't need to google about it :) |
|
|
In reply to this post by NorbertHartl
Thank you for sharing Norbert. Best regards,2016-07-22 5:17 GMT-03:00 Norbert Hartl <[hidden email]>:
|
Re: [Pharo-users] [ANN] JSONWebToken
|
|
In reply to this post by NorbertHartl
> On 22 Jul 2016, at 16:17, Norbert Hartl <[hidden email]> wrote: > Hi! > Taking the assumption of having 20 service images, every image would need to get back to A in order to check authorization information. The more services images you have the more load it will put on A. In a JWT use case scenario the same would look like > > 1. client C authenticates and receives a JWT containing authorization information. The token is signed by A > 2. client C hands out JWT to service S > 3. S checks the signature of A and knows that the authorization information contained is valid. > 4. S grants C access thank you for the information! I have one rather specific question. How is the token normally transported from C to S? Part of the body/data of a POST/PUT/GET? A custom header inside the HTTP request? kind regards holger |
Re: [Pharo-users] [ANN] JSONWebToken
|
|
> Am 22.07.2016 um 11:47 schrieb Holger Freyther <[hidden email]>: > > >> On 22 Jul 2016, at 16:17, Norbert Hartl <[hidden email]> wrote: >> > > > Hi! > >> Taking the assumption of having 20 service images, every image would need to get back to A in order to check authorization information. The more services images you have the more load it will put on A. In a JWT use case scenario the same would look like >> >> 1. client C authenticates and receives a JWT containing authorization information. The token is signed by A >> 2. client C hands out JWT to service S >> 3. S checks the signature of A and knows that the authorization information contained is valid. >> 4. S grants C access > > thank you for the information! I have one rather specific question. How is the token normally transported from C to S? Part of the body/data of a POST/PUT/GET? A custom header inside the HTTP request? It is up to you how you like to do it. It could be: - Client C asks A for authorization and gets back a JWT in the response body - Client C adds the JWT token as HTTP Header "Authorization: Bearer [token]" to ask the service in a usual fashion - Service S checks signature of token and extracts permission set and grants them or - Client C asks service S to do something - Service S redirects C to A giving a redirect_url as query parameter in the url - A checks authorization with C and then redirects the request to the request_uri having the token as query parameter of the uri or - Client C asks service S to do something - Service S redirects C to A giving a redirect_url as query parameter in the url - A checks authorization with C and then redirects the request to the request_uri having an exchange code in the query parameters - S exchange at A the exchange code with authorization token There are plenty of scenarios possible. It depends if it is about authorization or authentication and which "standard" to use. You can always roll your own. If you have many services it could be feasible to combine all permissions you need into one JWT then send it to A. If your claims are valid you get back the signed token from A. You could then use the same token for all your services…. Hope this helps, Norbert |
«
Return to Pharo Smalltalk Developers
|
1 view|%1 views
| Free forum by Nabble | Edit this page |