Giter VIP home page Giter VIP logo

Comments (5)

akoskm avatar akoskm commented on June 20, 2024 3

For the sake of completeness, the code for the rfc6750 variant goes like this:

jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('Bearer');

use this with the example provided in https://github.com/themikenicholson/passport-jwt#configure-strategy.

Thanks @themikenicholson for putting this together! 🍾

from passport-jwt.

mikenicholson avatar mikenicholson commented on June 20, 2024 1

JWT is not strictly used with the OAuth framework. It can be used within the OAuth2.0 framework or as a standalone authentication mechanism.

While the default scheme of JWT used in ExtractJwt.fromAuthHeader() doesn't comply with RFC 6750, the library provides ExtractJwt.fromAuthHeaderWithScheme(auth_scheme). This leaves it up to the user to decide if they are using JWT within the context of an OAuth2.0 framework or their own custom auth scheme and implement accordingly.

I wish the default value better complied with OAuth2.0 but I did not originally implementing this library with OAuth in mind. Changing the default value would necessitate a major version # rev since it would break compatibility for anyone relying on the old default behavior.

I'll tag this as 3.0.0 for now but I don't intend to fix it until I have better reasons to cut a major release since the library provides a path RFC 6750-compliant implementation already.

from passport-jwt.

mikenicholson avatar mikenicholson commented on June 20, 2024 1

@JemiloII Authorization headers typically contain an authentication scheme along with the token or auth parameter. I think it was RFC 2617. I'm going to stick with the RFC compliant behavior.

If you don't like the standard behavior you can write your own extractor function.

from passport-jwt.

JemiloII avatar JemiloII commented on June 20, 2024

Can we have it not look for JWT in the header and have it retrieve just the token. I don't like the stub.

from passport-jwt.

jrista avatar jrista commented on June 20, 2024

"This leaves it up to the user to decide if they are using JWT within the context of an OAuth2.0 framework or their own custom auth scheme and implement accordingly."

Technically speaking, JWT is the "custom auth scheme", while Bearer is the standards compliant scheme required by the JWT specification itself as well as OAuth specs. Defaulting to a NON-standard scheme is a bad idea, as Ryan rightly pointed out in his first post.

from passport-jwt.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.