How to add JWT to authorization header?

php authentication http-headers jwt
33,721

Solution 1

So, You are pretty much correct with JWT. All you need to do when sending data from client to server (after JWT creation), is to add it to the request header. Many folks will try to keep along the same path as OAuth and add a Bearer token similar to the node snippet below:

var rp = require('request-promise');
options = {
  method: GET,
  uri: 'https://www.example.com/api/sample',
  headers: {
    Authorization: "Bearer <insert_your_JWT_here>"
  }
}
rp(options).then(function(res){
  <handle_response>
}

Granted I know you mentioned PHP, but the workflows are the same, its just the syntax is different.

Now, to verify that this token is present, the server would need to verify() that the token is valid with the secret that was defined. In every request made by the client, for an authorized endpoint, you would need to send this token everytime.

Solution 2

The user above was asking for a BROWSER-BASED means of settings authorization headers, or headers at ALL, for that matter.

(Node.js runs on the server. I realize that the accepted answer above refers to a SERVER authenticating to ANOTHER SERVER, and that the responder calling this "the client side code" is technically correct, with respect to server-to-server communication following the client-server model of who is requesting authorization with whom, but this does not address the true question: how does a browser modify it's authorization header to include a stored token etc.

Aside from the html href, which does not provide a means of accessing or altering headers sent, there are javascript means of sending requests. One can use a standard XHR to demonstrate how one sets the headers via javascript

xhr.open('GET', url, true);
xhr.setRequestHeader("Authorization", "Bearer " + yourtoken);
xhr.send();

Note: There should be a space after the Bearer keyword.

You may be able to find php-templated means of inscribing the token into the rendered page (hidden element?) but javascript running in the browser provides the means for manipulating the request headers. It's worth noting that cookies are automatically sent on all requests for a given domain, while local/session storage requires manually setting them usually.

Share:
33,721
michael-mammut
Author by

michael-mammut

Lateral recruit

Updated on January 09, 2022

Comments

  • michael-mammut
    michael-mammut over 2 years

    As described in the following slide, it is necessary that the client sends the jwt back to the server by an Authorization Header at the next request.

    enter image description here

    But how can I define the Authorization Header and add the JWT to the server?

    My current status is:

    1. User sends username and password to the server by a POST request.
    2. The server creates the the JWT.
    3. The server sends the signed JWT back to the client and saves it in a cookie.

    Now my questions:

    • In case of a Login:

      As I understand it, now its necessary to send the JWT back to the server. The server verifies the token and sends it back to finish the login process.

      How can I add the JWT to the Authorization Header?

    • In case of running a process and receiving data from a calculation:

      Do I understand right, that the client has to send the JWT from the login to the server and a second JWT with the data; or can I send the data by POST request?

  • michael-mammut
    michael-mammut over 7 years
    As is understand, your code snipped is from the server side? Is this right?
  • LostJon
    LostJon over 7 years
    The snippet i showed is from the client. In my response, the server would be uri = example.com/api/sample
  • michael-mammut
    michael-mammut over 7 years
    ok, so it is correct to say: i have to create the process to send the authentication header as a Bearer back to the server is to create on the client ( maybe with angularJS ) ?
  • LostJon
    LostJon over 7 years
    sounds right....and depending on how your server interprets the token, it can be Bearer or whatever keyword you used. Any JS framework can modify request headers before send.
  • LostJon
    LostJon over 7 years
    Make sure that if this is an ok answer, to mark as the answer; or feel free to ask if you are still confused.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How should I implement 'Token Based Authentication' to a set of web APIs in a secure way using PHP and MySQL (without using OAuth)?
Jwt Authentication error Argument 3 passed to Lcobucci\JWT\Signer\Hmac::doVerify()
How to properly use Bearer tokens?
Laravel JWT tokens are Invalid after refresh them in a authentication JWT approach
Authentication with JWT Laravel 5 without password
How to check auth token at entry point of flutter app
php not redirecting and logging in
How to isolate the HTTP headers/body from a PHP Sockets request
Get Request work in postman but doesn't work in browser
Secure user authentication frameworks, libraries