
How to do Socket.io Authentication #462

Closed
marshallswain opened this Issue Mar 23, 2017 · 2 comments

marshallswain commented Mar 23, 2017

@anoopmd commented on Wed Feb 08 2017

Say, suppose I am building a realtime application using FeathersJS socket.io and the client obtains the JWT from a different server (not the FeathersJS server). How do I authenticate the incoming socket connections on the FeathersJS server using the JWT?

To clarify,
Server A : Gives you a JWT
Server B : FeathersJs Server
Client : Talks to Server A and gets the JWT. Now it needs to talk to ServerB.

Should I use something like socketio-jwt (https://github.com/auth0/socketio-jwt),
or do you have any alternate recommendations?

Thanks in advance.

BTW FeathersJS is Awesome !!


@marshallswain commented on Thu Feb 09 2017

@anoopmd, do you have full control over serverA and serverB? You would need to program serverB so that it has a reliable method of verifying the token received from serverA. We already have a great solution for putting together extremely flexible authentication with the new prerelease version of feathers-authentication. I'm fairly certain that you would be able to use the new feathers-authentication-local plugin with a custom verifier to do what you want to do. The first step will be to upgrade your application to feathers-authentication@1.0.x. This is still a pre-release version. It's fully ready for use, but the docs are pending.

ekryski commented Mar 24, 2017

There is no need for a custom verifier and local auth. If both server A and server B are using the same secret to generate JWTs, a JWT issued by server A will work with server B when it tries to verify that the token is valid. This is the main point of JWT.

If server A and B are not using the same secret then it won't work. You'd have to treat it like any other auth flow, where you take server A's JWT and exchange it for a Feathers JWT and then use the Feathers JWT for every API request.


If both servers are using the same token secret and you are just looking to decouple your auth service from other services, this is already possible. JWT auth attempts to populate an entity from a service during the authenticate call. By default it assumes a local /users service, but you can pass a client service instance pointed at your remote users service when you configure authentication on your server.

Now, if you need to verify that the token hasn't been revoked, then you would also need a hook to check against some service to verify that the token hasn't been revoked.

marshallswain commented Mar 25, 2017

I'm closing this because I think we have posted enough info for the answer. Please reopen if necessary.
