
Bubble JWT (JSON Web Token) authentication is wrong

In short, I do not understand the JSON Web Token authentication schema

The Access Token Endpoint makes sense to me. Scope could make sense - although the server should send that, not us. Iss is a login user, which is fine - but you need a password too. The private key is never shared with the client, so that is unclear.

To go a bit more in detail on this, let’s take a step back and talk about JSON Web Token authentication.

I think: Flask-JWT — Flask-JWT 0.3.2 documentation and What is secret key for JWT based authentication and how to generate it? - Stack Overflow answer it pretty well.

The user sends in the username and password to an authentication endpoint.

We check the username and a hash of the password against those stored in our database.

Then we pass back a JWT - which is a string with three parts header.payload.signature. This is compiled on the server side, an example is here:

The signature at the end is the only part that is really encoded - the rest is just plaintext information. This is generated on the server side - so no one can ever see it - and is an HMACSHA256 of (header +"." + payload, secret). The secret is what we typically see as FLASK_SECRET and is just a long sequence of random characters. Sometimes the secret itself is base64 encoded, but not always.

The data can also include scopes and things like that. This data cannot be changed because it is signed, and you can see that in the signature.

The user then really doesn’t care. They can take this JWT and run to the moon with it.

The full path thus looks like:

This all to say, what the living crap is the authentication scheme proposed in the JWT?

Notes:

I have looked at the issues of:

JWTs are the backbone of modern internet infrastructure; how are there so many unanswered questions about this?
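The flow the post describes (server checks credentials, issues header.payload.signature, signature is HMAC-SHA256 over the first two parts with a server-only secret, payload is readable plaintext that cannot be altered without breaking the signature) as a runnable example. This is added illustration, not code from the original post, Flask-JWT, or Bubble; the secret, the claim values (iss, scope, iat, exp) and the timestamps are constructed. It uses only the Python standard library and the HS256 algorithm; Google's service-account flow mentioned later in the thread has the same three-part shape but signs with an RSA private key (RS256) instead of an HMAC secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Server side: build header.payload.signature. Only the server holds `secret`."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def peek_claims(token: str) -> dict:
    """Anyone holding the token can read the payload: it is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Server side: return the claims only if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


# Constructed demo secret; a real deployment uses a long random value kept only on the server.
SECRET = b"constructed-demo-secret-do-not-reuse"


def demo():
    """Issue a token, verify it, then show that a tampered payload and an expired token fail."""
    claims = {"iss": "alice@example.com", "scope": "calendar.readonly",
              "iat": 1700000000, "exp": 1700003600}  # constructed values
    token = sign_hs256(claims, SECRET)
    good = verify_hs256(token, SECRET, now=1700000100)

    # Client edits the scope in the payload but cannot recompute the signature.
    h, _, s = token.split(".")
    forged_payload = b64url(json.dumps(dict(claims, scope="calendar.write"),
                                       separators=(",", ":")).encode())
    tampered = verify_hs256(f"{h}.{forged_payload}.{s}", SECRET, now=1700000100)

    expired = verify_hs256(token, SECRET, now=1700003600)
    return token, good, tampered, expired


if __name__ == "__main__":
    tok, good, tampered, expired = demo()
    print(tok)
    print("readable without secret:", peek_claims(tok))
    print("valid:", good is not None, "tampered:", tampered, "expired:", expired)
```

The verifier pins `alg` to HS256 rather than reading it from the header, compares signatures in constant time, and checks `exp` against a caller-supplied clock so the behaviour is deterministic.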

Because there are too many differences in how JWT is used in APIs.
In some cases, you will not use the Bubble native JWT process.
Two examples: Zoom has a JWT token. You don't need to use that in JWT auth in Bubble because the JWT token is provided as a bearer API key. So you call the endpoint directly with the JWT.
In Google, the JWT provided needs to be used in Bubble JWT Auth. It will look like this:

The best thing you can do is to share the API doc URL and maybe someone can jump in.

I didn't get time to check the Jitsi one, and this one is special because the token is used in an iFrame and seems to be created on the fly.

2 Likes

Hi Jici, what did you use for your private key here? My Private key is WAY shorter.

EDIT: I made a service account and got the key. I had to remove all of the "\n" line breaks when inputting it to Bubble, but now the call works. Hopefully this works long-term! Thank you again Jici - true legend

1 Like

You need to create a Google Service Account JWT.

Once the key is created, you will get a file that contains the JWT token to use.

Thanks! I was able to figure that part out. I didn't notice it said RSA, so that was a good lead. Thanks again!

1 Like

Hi Jici, sorry to bother you again -_- I am able to run the Google calls easily via the Bubble API Connector, but when I try to run these calls in-app, I get the following error:

API Connector error: the call cmPEV0.cmPEX0 is missing, please reinitialize your calls.

The call is initialized and is even recognized in the workflow properly. Could it be that this is an issue with JWT?

Seems more like a Bubble bug to me.
I suggest completely recreating the whole API in a new one and seeing if you get the same error.