
How to send the JWT to a client just after the client has authenticated, without using cookies, when an HTML document body needs to be sent too?

There are docs, blog posts, and tutorials explaining cookie-less JWT authentication and leveraging the Web Storage API to save the JWT client-side. But all of them are trivial examples that do not send an HTML document in the HTTP response body upon authentication, which is necessary in some real-world applications I can imagine. A cookie can be sent in the cookie HTTP response header alongside an HTML document in the same response's body, but I still could not come across a post explaining how to do this with a JWT in the response instead of a cookie. As far as I know, there is no API to reach the response headers from JavaScript in the browser if one wants to send the JWT in the response headers alongside an HTML document in the response body.

sçuçu
  • I think I am missing something, since any solution I can think of seems not quite simple, and this, authenticating with a username/password pair, is a rather common task in web development. – sçuçu Jan 17 '16 at 12:05
  • I have an idea: sending the JWT in a cookie alongside the HTML document and, when the document is ready, saving the cookie (non-HttpOnly) to _Web Storage_ with a script, then removing the cookie by setting its expiry date to a past date. Yet this does not seem a simple solution. There must be another and quite simple way to achieve this very fundamental task when using JWT. – sçuçu Jan 17 '16 at 12:07
  • Addition to the above method: there should be no back-end endpoint accepting requests with cookies as an authentication tool. – sçuçu Jan 18 '16 at 07:02

3 Answers


I have handled your scenario in my project and it can be done in two ways, depending on the technology stack you are using and environment constraints, and using OAuth is not mandatory.

Method 1

Send the JWT embedded in the HTML page as a tag. It won't be rendered on the page but can be parsed by you. However, it will be visible in the source window of the browser, but it doesn't matter as that would be a protected page, and once the next page is rendered it will not be available.

Method 2

You can send the JWT in a cookie for the first time with an HttpOnly constraint. Handling it over HTTPS would bring in extra leverage. Also, like you mentioned, you can delete the cookie. In case you are using AngularJS on your client side, you have the provision of securing cookies by restricting XHR from the same domain, which would avoid the extra task of deleting the cookie.

In fact, @user981375 was mentioning redirection, which can be handled too by Method 1 above. In my case, the server provided the redirection URL after successful login; however, AJAX wouldn't be able to see a 302 header, instead it would see a 200. So we intercepted that part on the server and embedded the token into the 200 response page, i.e. the redirected page, which is parsed by the client.

Hanu

I'm in the same boat; I could not figure out how to send the JWT token to the client upon successful (or not) social login(s) where a redirect was required. Things are simple when you present the user with a login/password and authenticate against your own server via AJAX, but not so simple when you 1) load your login page, 2) do a redirect to the OAuth provider, 3) callback to your own server, 4) issue your own JWT token and ... then what?

There is a library out there that provides OAuth support from the client side. You authenticate against Facebook/Google (whatever), get their token back and then you make an AJAX request to your own server for token validation. When the token is validated by Facebook/Google (whatever), you can then issue your own JWT token with claims and send it as a response (AJAX) to your webpage.

Here is the library and nice article describing how to use it.

user981375


HTML documents are usually retrieved from a web application. Web applications are protected by a form of implicit authentication.

Web APIs are usually protected by explicit authentication and the JWT tokens are sent in an HTTP header (Authorization). This is not done automatically by the browser. You have to do this explicitly through JavaScript.

You could of course store the JWT token in a cookie and have it automatically sent to the server on each request.

See also my answer here.

MvdD
  • I am building a web application and a web API at the same time, the web API to be used by my very web application itself. Above all I need good CSRF mitigation, so I need to use something like JWT, avoiding the downsides of cookies in this regard. Having the web application and the web API at the same time, which I do not see as very uncommon, I need a means to send my JWT to the client in the first place, I mean just after authentication, together with the application's HTML document linked to JS and CSS and possibly media files. The HTML doc and all linked files are things only authenticated users can see, as usual. – sçuçu Jan 18 '16 at 06:51
  • I get the difference between web applications and web APIs, and the difference in the means of authentication for each of them. What I cannot get, and am quite thinking I cannot make people get through my not explanatory enough questions, is "_how to send the JWT token from server to client, i.e. in an HTTP response just after the user is authenticated for the first time in a series of consecutive HTTP requests_, without cookies when I also have HTML, CSS, JS files to send", **not** "_how can I send my JWT from client to server in HTTP request headers_ without cookies and with the authentication bearer scheme etc." – sçuçu Jan 18 '16 at 06:59
  • Does my second comment on my question have a flaw, or is it bad practice for some reason, and if so for what reason? – sçuçu Jan 18 '16 at 07:00
  • @ışık OAuth2 defines different flows to get tokens to the client, depending on what kind of client you have. https://tools.ietf.org/html/rfc6749#section-1.3 – MvdD Jan 18 '16 at 07:54
  • Do I have to use OAuth or some service to achieve this, really? The answer bears the OAuth flow lines only. – sçuçu Jan 18 '16 at 17:57
  • @ışık You don't have to do anything, but these protocols are created for a reason. If you want to create a REST service that returns a JWT token, you can do that too, but it still won't be sent along requests automatically. – MvdD Jan 18 '16 at 19:29
  • I know, and I actually have built one; it returns a JWT token, and I know I will send the token by writing a little bit of code since browsers do not send tokens automatically, these are not cookies. The problem was I was trying to protect the initial web app URL with a JWT too. Now I will do it differently for the initial URL. – sçuçu Jan 19 '16 at 06:21