
Uses non-recommended authentication scheme #87

Closed
RyanAfrish7 opened this issue Dec 4, 2016 · 5 comments
@RyanAfrish7

passport-jwt's ExtractJwt.fromAuthHeader() uses the following http header:

Authorization: JWT JSON_WEB_TOKEN_STRING.....

But RFC 6750 clearly specifies that access token based authentication must use Bearer as the authentication token. The non-recommended scheme specification would lead to conflicts.

@mikenicholson
Owner

JWT is not strictly used with the OAuth framework. It can be used within the OAuth2.0 framework or as a standalone authentication mechanism.

While the default scheme of JWT used in ExtractJwt.fromAuthHeader() doesn't comply with RFC 6750, the library provides ExtractJwt.fromAuthHeaderWithScheme(auth_scheme). This leaves it up to the user to decide if they are using JWT within the context of an OAuth2.0 framework or their own custom auth scheme and implement accordingly.

I wish the default value better complied with OAuth2.0, but I did not originally implement this library with OAuth in mind. Changing the default value would necessitate a major version # rev since it would break compatibility for anyone relying on the old default behavior.

I'll tag this as 3.0.0 for now, but I don't intend to fix it until I have better reasons to cut a major release, since the library already provides a path to an RFC 6750-compliant implementation.

@mikenicholson mikenicholson added this to the 3.0.0 milestone Dec 4, 2016
@JemiloII

Can we have it not look for JWT in the header and have it retrieve just the token. I don't like the stub.

@mikenicholson
Owner

@JemiloII Authorization headers typically contain an authentication scheme along with the token or auth parameter. I think it was RFC 2617. I'm going to stick with the RFC compliant behavior.

If you don't like the standard behavior you can write your own extractor function.

@jrista

jrista commented Jan 11, 2017

"This leaves it up to the user to decide if they are using JWT within the context of an OAuth2.0 framework or their own custom auth scheme and implement accordingly."

Technically speaking, JWT is the "custom auth scheme", while Bearer is the standards compliant scheme required by the JWT specification itself as well as OAuth specs. Defaulting to a NON-standard scheme is a bad idea, as Ryan rightly pointed out in his first post.

@akoskm

akoskm commented Feb 8, 2017

For the sake of completeness, the code for the rfc6750 variant goes like this:

jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('Bearer');

use this with the example provided in https://github.com/themikenicholson/passport-jwt#configure-strategy.

Thanks @themikenicholson for putting this together! 🍾
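The thread mentions three options: the legacy `JWT` scheme default, `ExtractJwt.fromAuthHeaderWithScheme('Bearer')` for RFC 6750, and writing your own extractor. The following is an added example, not passport-jwt's own code, showing what such a scheme-aware extractor has to handle and why the scheme mismatch RyanAfrish7 describes turns into a rejected request. It assumes the extractor contract is "take the request object, return the token string or null" and that the header is available as `req.headers.authorization` (lowercased, as Node/Express expose it); the request objects and the token strings are constructed for the demonstration. The `looksLikeSignedJws` helper is an extra structural check that goes beyond the thread: it is not part of passport-jwt.

```javascript
// Added example: a standalone Authorization-header extractor in the style of
// passport-jwt's jwtFromRequest option. This is NOT passport-jwt's own code.
// Assumed contract: extractor(req) returns the token string or null.

// RFC 7235 credentials = auth-scheme 1*SP token68, e.g. "Bearer eyJ...".
// The scheme is compared case-insensitively; the token part may not contain spaces.
const CREDENTIALS_RE = /^\s*([A-Za-z0-9!#$%&'*+\-.^_`|~]+)\s+(\S+)\s*$/;

function fromAuthHeaderWithScheme(scheme) {
  const wanted = String(scheme).toLowerCase();
  return function extractor(req) {
    // Assumption: header keys are lowercased, as in Node/Express.
    const header = req && req.headers ? req.headers.authorization : undefined;
    if (typeof header !== 'string') return null;     // no Authorization header at all
    const m = CREDENTIALS_RE.exec(header);
    if (!m) return null;                              // malformed: scheme only, or two tokens
    if (m[1].toLowerCase() !== wanted) return null;   // wrong scheme: "JWT x" vs "Bearer x"
    return m[2];
  };
}

// The two extractors the thread talks about: the legacy default and the RFC 6750 one.
const fromJwtScheme = fromAuthHeaderWithScheme('JWT');
const fromBearerScheme = fromAuthHeaderWithScheme('Bearer');

// Cheap shape check before handing the string to a verifier: a JWS in compact
// serialization is three base64url segments. An empty third segment is what an
// unsecured (alg "none") JWT looks like, so it is rejected here as well.
const B64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;
function looksLikeSignedJws(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  return parts.length === 3 && parts.every((p) => B64URL_SEGMENT.test(p));
}

// Constructed sample data (not a real token, not real traffic).
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl';
function makeReq(authorization) {
  return authorization === undefined ? { headers: {} } : { headers: { authorization } };
}

// Shows the mismatch from the issue: an RFC 6750 client sending "Bearer ..." gets
// null (and therefore a 401 from the strategy) when the server expects "JWT ...".
function demo() {
  const bearerReq = makeReq('Bearer ' + SAMPLE_TOKEN);
  return {
    bearerClientAgainstJwtDefault: fromJwtScheme(bearerReq),          // null
    bearerClientAgainstBearer: fromBearerScheme(bearerReq),           // SAMPLE_TOKEN
    jwtClientAgainstJwtDefault: fromJwtScheme(makeReq('JWT ' + SAMPLE_TOKEN)),
    lowercaseScheme: fromBearerScheme(makeReq('bearer ' + SAMPLE_TOKEN)),
    missingHeader: fromBearerScheme(makeReq(undefined)),
    schemeOnly: fromBearerScheme(makeReq('Bearer')),
    twoTokens: fromBearerScheme(makeReq('Bearer a.b.c d')),
    sampleLooksSigned: looksLikeSignedJws(SAMPLE_TOKEN),
    unsecuredJwtRejected: looksLikeSignedJws('eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Design note: the scheme is matched case-insensitively because RFC 7235 defines auth-scheme as case-insensitive, and the whole header must match the `scheme SP token` shape so that a header with a missing token or a trailing second token is rejected rather than partially accepted. Whatever extractor you use, it only locates the token; signature and claim verification still happen in the strategy.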
