-
Notifications
You must be signed in to change notification settings - Fork 213
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Uses non-recommended authentication scheme #87
Comments
JWT is not strictly used with the OAuth framework. It can be used within the OAuth2.0 framework or as a standalone authentication mechanism. While the default scheme of I wish the default value better complied with OAuth2.0 but I did not originally implementing this library with OAuth in mind. Changing the default value would necessitate a major version # rev since it would break compatibility for anyone relying on the old default behavior. I'll tag this as 3.0.0 for now but I don't intend to fix it until I have better reasons to cut a major release since the library provides a path RFC 6750-compliant implementation already. |
Can we have it not look for JWT in the header and have it retrieve just the token. I don't like the stub. |
"This leaves it up to the user to decide if they are using JWT within the context of an OAuth2.0 framework or their own custom auth scheme and implement accordingly." Technically speaking, JWT is the "custom auth scheme", while Bearer is the standards compliant scheme required by the JWT specification itself as well as OAuth specs. Defaulting to a NON-standard scheme is a bad idea, as Ryan rightly pointed out in his first post. |
For the sake of completeness, the code for the rfc6750 variant goes like this:
use this with the example provided in https://github.com/themikenicholson/passport-jwt#configure-strategy. Thanks @themikenicholson for putting this together! 🍾 |
passport-jwt's
ExtractJwt.fromAuthHeader()
uses the following http header:Authorization: JWT JSON_WEB_TOKEN_STRING.....
But RFC 6750 clearly specifies that access token based authentication must use
Bearer
as the authentication token. The non-recommended scheme specification would lead to conflicts.The text was updated successfully, but these errors were encountered: