Bubble JWT (JSON Web Token) authentication is wrong

In short, I do not understand the JSON Web Token authentication schema

The Access Token Endpoint makes sense to me. Scope could make sense - although the server should send that not us. Iss is a login user, which is fine - but you need a password too. The private key is never shared to the client so that is unclear.

To go a bit more in detail on this, let’s take a step back and talk about JSON Web Token authentication.

I think: Flask-JWT — Flask-JWT 0.3.2 documentation and What is secret key for JWT based authentication and how to generate it? - Stack Overflow answer it pretty well.

The user sends in the username and password to an authentication endpoint.

We check the username and a hash of the password against those stored in our database.

Then we pass back a JWT - which is a string with three parts header.payload.signature. This is compiled on the server side, an example is here:

The signature at the end is the only part that is really encoded - the rest is just plaintext information. This is generated on the server side - so no one can ever see it - and is an HMACSHA256 of (header +“.” + payload, secret). The secret is what we typically see as FLASK_SECRET and is just a long sequence of random characters. Sometimes the secret itself is base64 encoded, but not always.

The data can also include scopes and things like that. This data cannot be changed because it is signed, and you can see that in the signature.

The user then really doesn’t care. They can take this JWT and run to the moon with it.

The full path thus looks like:

This all to say, what the living crap is the authentication scheme proposed in the JWT?

Notes:

I have looked at the issues of:

JWTs are the backbone of modern internet infrastructure; how are there so many unanswered questions about this?

Because there are too many differences in how JWT is used in APIs.
In some cases, you will not use the Bubble native JWT process.
Two examples: Zoom has a JWT token. You don't need to use that in JWT auth in Bubble because the JWT token is provided as a bearer API key, so you call the endpoint directly with the JWT.
In Google, the JWT provided needs to be used in Bubble JWT Auth. It will look like this:


The best thing you can do is to share the API doc URL and maybe someone can jump in.

I didn't get time to check the Jitsi one, and that one is special because the token is used in an iFrame and seems to be created on the fly.


Hi Jici, what did you use for your private key here? My Private key is WAY shorter.

EDIT: I made a service account and got the key. I had to remove all of the "\n" line breaks when inputting it to Bubble, but now the call works. Hopefully this works long-term! Thank you again Jici, true legend.


You need to create a Google Service Account JWT.

Once the key is created, you will get a file that contains the JWT token to use.


Thanks! I was able to figure that part out. Didn’t notice it said RSA so that was a good lead. Thanks again!


Hi Jici, sorry to bother again -_- I am able to run the Google calls easily via Bubble API Connector, but when I try to run these calls in-app, I get the following error:

API Connector error: the call cmPEV0.cmPEX0 is missing, please reinitialize your calls.

The call is initialized and is even recognized in the workflow properly. Could it be that this is an issue with JWT?


Seems more like a Bubble bug to me.
I suggest to completely recreate the whole API in a new one and see if you get the same error.

Hey @Jici, can I ask specifically about the JWT auth for Zoom? I'm trying to create a scenario where meetings in the database are created in Zoom a few days ahead of time, and then details of the meeting are passed from Zoom to my database to then be passed to attendees. Looking at the docs, JWT as opposed to OAuth is the best way to do this, as I can set it up as a backend workflow and keep generating new JWT tokens, then the meeting in Zoom, then repeat.

My question is how do I generate the tokens (would you recommend a plugin) and then, if I understand your last message, I add that dynamically to the header of each API call? If you could share a screenshot like the one for Google Calendar that would be incredibly helpful.

Many thanks

Hi @martin9
The JWT token in Zoom is easy to use.
Just to be sure, you are doing this in your own account right?
If yes, in your Dev Zoom account you will be able to create the Zoom JWT. Make it expire a long time in the future using "other" in the expiration time section. It will work like an API key. If you keep it private, there's no problem. You use this in an Authorization: Bearer jwttoken header.


Hi @Jici
Yes, using it for my account only.
That sounds good. I’ll give it a try. I was concerned about security but you’re right, I probably don’t need to be at this point.
I might hook this up to create new tokens in the backend once I’m all set up. Json Web Token Plugin | Bubble
Do you know if, for the method you describe, I can use the Authorization: Bearer jwttoken header as a shared header for all calls?
Apologies for all the questions, I’m pretty new to world of API.
Thanks for your support

The best is to use Bubble Auth “Private key in header”
