authorization flow with JWT

Hello,

I'm creating a REST API for one of our products and I've got some questions about authorization and authentication. (This is a REST API that a third party has to consume.)

I'm investigating whether it's possible to use JWT for this. I've thought up a flow and have questions about it:

1. Is this a conventional flow?
2. How do I validate the JWT?

This is the flow:
Let a user log in and give them a secret that developers of the third party who consume our REST API can use to generate a JSON Web Token.
In the calls to our web service the third party sends a JWT based on the payload and the secret. You could say that's the equivalent of the generate_jwt expression.
The JWT is sent through the Authorization header. The payload is also sent. If some malicious person changes the payload, the JWT should be invalid and then I want to render a template with an error message.

I can decode the JWT with the expression decode_jwt and that gives the payload. But I think I want to validate the JWT instead of that. Or should I compare the decoded JWT with the payload that is being sent? Or am I missing an expression named validate_jwt?

Kind regards,

Gerhard
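The flow in the post, worked through end to end as an added example (this is not code from the original post and not the platform's own generate_jwt/decode_jwt expressions; the function names, the shared secret and the claims are constructed stand-ins). It shows the difference the question turns on: decode_jwt only base64-decodes the payload and happily returns a tampered one, while validate_jwt recomputes the HMAC over header and payload with the shared secret, pins the algorithm so a token with "alg":"none" is rejected, and checks the exp claim. Once the signature verifies, the claims inside the token are already the authentic payload, so there is no need to send the payload a second time and compare it. Standard library only:

```python
import base64
import hashlib
import hmac
import json
import time

# Secret handed to the third-party developers after login (constructed sample value).
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_jwt(payload: dict, secret: bytes) -> str:
    """Third-party side: sign a payload with HS256 (stand-in for the generate_jwt expression)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt(token: str) -> dict:
    """Decode only, no signature check: returns whatever payload the sender put in."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def validate_jwt(token: str, secret: bytes, now=None) -> dict:
    """API side: verify signature and expiry, return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC against the one in the token.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def handle_request(authorization_header: str, secret: bytes, now=None):
    """Return (status, message) the web service would respond with for one call."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_jwt(authorization_header[len("Bearer "):], secret, now)
    except ValueError as e:
        return 401, f"invalid token: {e}"
    return 200, f"hello {claims['sub']}"


def tamper(token: str, new_payload: dict) -> str:
    """Attacker swaps the payload but cannot re-sign it without the secret."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    now = 1_700_000_000
    good = generate_jwt({"sub": "alice", "exp": now + 300}, SHARED_SECRET)
    print(handle_request("Bearer " + good, SHARED_SECRET, now))          # (200, 'hello alice')
    forged = tamper(good, {"sub": "admin", "exp": now + 300})
    print(decode_jwt(forged)["sub"])                                      # admin (decode alone trusts it)
    print(handle_request("Bearer " + forged, SHARED_SECRET, now))        # (401, 'invalid token: bad signature')
```

Note that the secret is symmetric: anyone holding it can mint tokens, so the third party must keep it as carefully as a password, and the API should rotate it per client so one leak does not affect the others.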


This topic is closed.