How to do Socket.io Authentication #462
Suppose I am building a realtime application using FeathersJS socket.io and the client obtains the JWT from a different server (not the FeathersJS server). How do I authenticate the incoming socket connections on the FeathersJS server using the JWT?
Should I use something like socketio-jwt (https://github.com/auth0/socketio-jwt)?
Thanks in advance.
BTW FeathersJS is Awesome !!
@anoopmd, do you have full control over serverA and serverB? You would need to program serverB so that it has a reliable method of verifying the token received from serverA. We already have a great solution for putting together extremely flexible authentication with the new prerelease version of feathers-authentication. I'm fairly certain that you would be able to use the new feathers-authentication-local plugin with a custom verifier to do what you want to do. The first step will be to upgrade your application to firstname.lastname@example.org. This is still a pre-release version. It's fully ready for use, but the docs are pending.
There is no need for a custom verifier and local auth. If both server A and server B are using the same secret to generate JWTs, a JWT issued by server A will work with server B if it is trying to verify that the token is valid. This is the main point of JWT.
If server A and B are not using the same secret then it won't work. You'd have to treat it like any other auth flow, where you take server A's JWT and exchange it for a Feathers JWT and then use the Feathers JWT for every API request.
If both servers are using the same token secret and you are just looking to decouple your auth service from other services, this is already possible. JWT auth attempts to populate and
Now, if you need to verify that the token hasn't been revoked, then you would also need a hook to check against some service to verify that the token hasn't been revoked.