TL;DR If you have very simple scenarios, like a single client application, a single API then it might not pay off to go OAuth 2.0. On the other hand, if there are lots of different clients (browser-based, native mobile, server-side, etc) then sticking to OAuth 2.0 rules might make it more manageable than trying to … Read more
If you are using only a secret key then using RS256 won’t work, as it’s based on a private/public key pair. Using only a secret key usually indicates H256. In my answer I assume that what you call MYSECRET is just the content of certificate.pem. Anyways, I would assume your string has to contain —–BEGIN … Read more
Current Situation UPDATE 2016-12-13 : the issue referenced below is now marked fixed, so the hack below is no longer necessary which Spring 4.3.5 or above. See https://github.com/spring-projects/spring-framework/blob/master/src/docs/asciidoc/web/websocket.adoc#token-authentication. Previous Situation Currently (Sep 2016), this is not supported by Spring except via query parameter as answered by @rossen-stoyanchev, who wrote a lot (all?) of the Spring … Read more
SIMPLE APPS For a simple app it’s ok It depends on the data you are exposing via this simple app, because in Europe for example GDPR law is very strict for anyone that ends up in a data breach situation for Personal Identifiable Information(PII) due to the lack of security measures, and the complexity of … Read more
RFC 7519 states that the exp and iat claim values must be NumericDate values. NumericDate is the last definition in Section 2. Terminology, and is defined as the number of seconds (not milliseconds) since Epoch: A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. … Read more
Here’s a way to download it on the client using the download attribute, the fetch API, and URL.createObjectURL. You would fetch the file using your JWT, convert the payload into a blob, put the blob into an objectURL, set the source of an anchor tag to that objectURL, and click that objectURL in javascript. let … Read more
I found a base implementation of a Json Web Token and expanded on it with the Google flavor. I still haven’t gotten it completely worked out but it’s 97% there. This project lost it’s steam, so hopefully this will help someone else get a good head-start: Note: Changes I made to the base implementation (Can’t … Read more
The JWT is stored on browser, so remove the token deleting the cookie at client side If you need also to invalidate the token from server side before its expiration time, for example account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin, take a look at Invalidating JSON Web Tokens for some commons … Read more
JWT is a token format which is used in security protocols like OAuth2 and OpenID Connect. How to get the token from the authorization server depends on the grant flow you are using. There are 4 grant flows defined in OAuth 2.0 that are intended for different clients and uses. Authorization code grant This grant … Read more