I'm new to JWT. I have an endpoint for session creation. A request is made by my mobile app. Currently I have it so that when a user signs in successfully, I return the JWT in the Authorization Bearer header:
```elixir
new_conn
|> put_status(:created)
|> put_resp_header("authorization", "Bearer #{jwt}") #<-----------
|> render("show.json", session: user)
```
However, this is a little tricky to read from my client side. Is it safe for me to return it in the JSON response instead?
When the client sends their credentials to the server (to exchange them for a token), the recently issued token can be returned in the response payload as text or as JSON, it's up to you:
```http
HTTP/1.1 200 OK
Date: Wed, 19 Apr 2017 09:51:12 GMT
Content-Type: text/plain

xxxxx.yyyyy.zzzzz
```

```http
HTTP/1.1 200 OK
Date: Wed, 19 Apr 2017 09:51:12 GMT
Content-Type: application/json

{ "token" : "xxxxx.yyyyy.zzzzz" }
```
What you must keep in mind is the communication between client and server: It must be done over HTTPS to ensure that the message won't be tampered with.
And when the client sends the token to the server, it should be sent in the Authorization header (again over HTTPS):

```http
GET /api/greetings HTTP/1.1
Host: example.org
Authorization: Bearer xxxxx.yyyyy.zzzzz
```
The Authorization header is supposed to carry credentials. And when talking about an authentication schema based on tokens, the tokens are credentials and frequently prefixed with Bearer, which indicates the authentication schema. This answer will shed some light on this.

Finally, it is worthwhile to mention that the Authorization header is designed to be used in the request and not in the response.
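The exchange the answer describes, as an added example that is not part of the question or the answer: the server returns the token in a JSON body, the client reads it from there and presents it in the request Authorization header, and the server parses that header with the RFC 6750 bearer-token rules (scheme compared case-insensitively, malformed or foreign-scheme values rejected). Function names are hypothetical and framework-neutral; the `Cache-Control: no-store` header is an addition the answer does not mention.

```python
import json
import re
from typing import Optional, Tuple

# b64token shape from RFC 6750 section 2.1: token characters plus optional trailing "=".
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def token_response(jwt: str) -> Tuple[int, dict, str]:
    """Server side: build the sign-in response as (status, headers, JSON body).

    The token travels in the body only; no Authorization header is set on the response.
    """
    body = json.dumps({"token": jwt})
    headers = {
        "Content-Type": "application/json",
        # The token is a credential: keep caches and the client from storing this response.
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    return 200, headers, body


def token_from_response(body: str) -> str:
    """Client side: read the token from the JSON body instead of a response header."""
    return json.loads(body)["token"]


def bearer_request_headers(jwt: str) -> dict:
    """Client side: present the token as a credential on subsequent requests."""
    return {"Authorization": f"Bearer {jwt}"}


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Server side: extract the bearer token from a request Authorization header.

    Returns None when the header is missing, uses another scheme (e.g. Basic), or
    carries a malformed token; the caller should then answer 401 with
    WWW-Authenticate: Bearer. The scheme name is case-insensitive in HTTP.
    """
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token if _B64TOKEN.fullmatch(token) else None
```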