In short, I do not understand the JSON Web Token authentication schema
The Access Token Endpoint makes sense to me. Scope could make sense - although the server should send that not us. Iss is a login user, which is fine - but you need a password too. The private key is never shared to the client so that is unclear.
To go a bit more in detail on this, let’s take a step back and talk about JSON Web Token authentication.
I think: Flask-JWT — Flask-JWT 0.3.2 documentation and What is secret key for JWT based authentication and how to generate it? - Stack Overflow answer it pretty well.
The user sends in the username and password to an authentication endpoint.
We check the username and a hash of the password against those stored in our database.
Then we pass back a JWT, which is a string with three parts: header.payload.signature. This is compiled on the server side; an example is here:
The signature at the end is the only part that is really encoded; the rest is just plaintext information. This is generated on the server side, so no one can ever see it, and is an HMACSHA256 of (header + "." + payload, secret). The secret is what we typically see as FLASK_SECRET and is just a long sequence of random characters. Sometimes the secret itself is base64 encoded, but not always.
The data can also include scopes and things like that. This data cannot be changed because it is signed, and you can see that in the signature.
The user then really doesn’t care. They can take this JWT and run to the moon with it.
The full path thus looks like:
This all to say, what the living crap is the authentication scheme proposed in the JWT?
Notes:
I have looked at the issues of:
- Firebase Authentication with JSON Web Token - #5 by juan.hoyos4. The Firebase authentication scheme is described here: Create Custom Tokens | Firebase Authentication. This is a back-end process, and it explicitly states: "You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method." Thus, it seems like the proposal here is re-doing what Firebase already does?
- Does bubble use token based authentication? - no answer
- Get JSON Web Token (JWT) from bubble.io - #2 by Jici - no answer
- Need Help: JSON Web Token authentication and automatic update - no answer
- JWT Encoder HS512 - literally someone created a new plugin to deal with this.
JWTs are the backbone of modern internet infrastructure; how are there so many unanswered questions about this?
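To make the server-side flow described above concrete, here is an added example (not from the original post, and not Flask-JWT's own code) that builds an HS256 token as header.payload.signature, verifies it with the shared secret, and shows that a client who edits the payload without the secret cannot produce a valid signature. The secret value and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real deployment uses a long random
# value kept on the server (the role FLASK_SECRET plays in the post).
SECRET = b"example-secret-do-not-use-in-production"


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, secret: bytes = SECRET) -> str:
    """Server side: build header.payload and sign it with HMAC-SHA256(secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, secret: bytes = SECRET):
    """Server side: return the payload dict if the signature checks out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # only accept the algorithm we issued
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64/JSON or wrong number of parts
        return None


def tamper(token: str, new_payload: dict) -> str:
    """Client side: swap in a new payload but keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url(json.dumps(new_payload, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    token = sign({"iss": "alice", "scope": "read"})
    print(token)                                                    # three dot-separated parts
    print(verify(token))                                            # {'iss': 'alice', 'scope': 'read'}
    print(verify(tamper(token, {"iss": "alice", "scope": "admin"})))  # None: signature no longer matches
```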