tangara goh wrote:And also after the JWT token is verified, how is the User being transported to a 3rd party that is using OAuth2?
Furthermore, how does it take place in an AWS setting?
Stephan van Hulst wrote:JWT tokens are just one of the many ways you can implement data exchange between hosts.
JWT tokens come in different flavours. Transparent JWT tokens contain information like the user ID that was authorized. When you're using these you don't have to store any tokens anywhere, in theory. Your server just validates the token, checks that it hasn't expired, and then does with the user ID from the token what it wants. The client could theoretically request a new token before every request and nothing would get stored. It's common for the client to save the token in a cookie or user session though.
Opaque tokens don't contain information that is accessible by the web service. The web service must present the token to the authentication provider that generated the token, which will then validate the token and return a user ID or other info back to the web service. In this case, the authentication provider must store data that's associated with the token. It may still store data in the token itself, but it will encrypt the token to make it unreadable to anyone but itself.
tangara goh wrote:And also after the JWT token is verified, how is the User being transported to a 3rd party that is using OAuth2?
If the web service validates a transparent token, the user info will be present in the token itself.
If the token is opaque, it must be traded for user information with the authentication provider.
Furthermore, how does it take place in an AWS setting?
What exactly do you want to achieve?
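An added example, not code from this thread, contrasting the two token styles described above. The resource server verifies a transparent (HS256-signed) JWT entirely locally, checking the signature, the algorithm and the expiry, and reads the user ID from the claims; an opaque token is a random handle that only the issuing provider can resolve, so the resource server has to trade it in. The shared secret and the in-memory provider store are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo secret shared by the token issuer and the resource server (assumption).
SHARED_SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_transparent_jwt(user_id: str, ttl: int, now: int) -> str:
    """Issuer side: claims are readable by anyone; only the signature is bound to the secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_transparent_jwt(token: str, now: int):
    """Resource server side: no lookup anywhere; signature and expiry decide. Returns sub or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # refuse 'none' or any algorithm we did not expect
        return None
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")

# Opaque tokens: the provider keeps the token -> user mapping itself; the
# resource server learns nothing from the string and must ask the provider.
_PROVIDER_STORE = {}

def issue_opaque_token(user_id: str, ttl: int, now: int) -> str:
    token = secrets.token_urlsafe(32)  # random handle, carries no claims
    _PROVIDER_STORE[token] = {"sub": user_id, "exp": now + ttl}
    return token

def introspect(token: str, now: int):
    """Provider side (what an introspection endpoint does): trade the token for user info."""
    record = _PROVIDER_STORE.get(token)
    if record is None or record["exp"] <= now:
        return None
    return record["sub"]
```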
tangara goh wrote:Will it be OK if the token and secret are shown on the client's browser end?
After a User is verified by the Spring Security JWT module correctly, how does OAuth2 come into the picture?
I am totally confused about how the flow of things works.
Will the user be redirected to an OAuth2 server for another authentication?
Stephan van Hulst wrote:
tangara goh wrote:Will it be OK if the token and secret are shown on the client's browser end?
I don't know what you mean by this. What secret are you talking about? And why would you want to show a token in the browser? Once the application client has a token from the authorization server, they just include it in every request to the resource server. There's nothing else the client should do with the token.
tangara goh wrote:For example, we can obtain a key and token from a site like Github which provides an OAuth2 feature that developers can use as a sandbox. As a user, you can see the key and secret.
Isn't that the same as showing the token and secret to the client browser?
Will a JWT layer be needed if after that the user is redirected to another site?
Is that when OAuth2 comes into the picture? And only when this layer of security is passed will the user be able to go to another site and go back to the home page as needed.