11

I'm implementing OAuth (using rauth) and will be giving out JWT tokens (using flask-jwt), with a JavaScript frontend (Angular 1). I have done it for a classical cookie/session-based app. It works. Now I want to do it with JWT tokens.

If I understand correctly, the user is redirected to the provider (e.g. Google), logs into their account, my server and the provider do the magic, then the provider redirects the user back to my page. Now I have the user profile and that ends the OAuth part. With a normal session you give the user cookies and the rest of the stuff for setting up a session, then redirect them to the home page.

This is where I'm stuck. Is there any good practice for how to give the user the JWT token after the provider sends them back? Give it to the user as a cookie on the redirect to the home page? Put it in a header? As far as I know I need JavaScript to save the token into LocalStorage/SessionStorage.

gcerar

3 Answers

11

At the end of the day, the user will be redirected back to our app, where a page now needs to be rendered. The only option I see is to return the JWT as a cookie, because response headers aren't accessible in JavaScript, and the only other place would be to embed it in the DOM, which would open it up to CSRF attacks.

When the browser is redirected from the OAuth provider it will only have an access code, which can be exchanged for an access token on the server side. But best practice says you need to keep that access token secret (not pass it back to the browser).

There is a lot of debate about JWTs in cookies vs local/session storage, but in this use-case I don't see any other option than to use cookies. All the use-cases I have seen that describe using browser storage assume an XHR request is being made to obtain the JWT. But this isn't an option in an OAuth flow, because the entire browser has just been redirected back to our app.

I don't see another option (for the OAuth use-case) other than keeping the JWT in a cookie to be used for future API calls. But maybe I'm missing something.

Roy Brumby
  • The problem which I'm facing now is that the JWT token may be too big for a cookie – Marc Jun 19 '19 at 12:35
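One way to do what this answer describes, as an added example that is not code from the question or from any answer here: once the provider redirects back and the server has exchanged the code and fetched the profile, the callback issues a small JWT and sets it as an HttpOnly, Secure, SameSite cookie on the 302 to the home page; a later API call reads the cookie back and verifies the token. It uses only the Python standard library (an HS256 signer stands in for flask-jwt); the signing key, cookie name, profile fields and the 4096-byte size check (the cookie-size problem raised in the comment above) are assumptions, not anything the asker's app does.

```python
"""Issue a JWT as a cookie at the end of an OAuth redirect (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed/constructed values: a real app loads the signing key from config.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = "access_token"
COOKIE_LIMIT = 4096  # practical per-cookie size limit in browsers


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, now: int, ttl: int = 3600) -> str:
    """HS256 JWT with iat/exp; claims are kept minimal so the cookie stays small."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = dict(claims, iat=now, exp=now + ttl)
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Recompute the HMAC, compare in constant time, then check exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server, not the token, decides the algorithm
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def jwt_cookie_header(token: str) -> str:
    """Set-Cookie value. HttpOnly keeps the token away from page scripts, Secure keeps it
    off plain HTTP, and SameSite=Lax stops cross-site POSTs from carrying it (the CSRF
    concern raised in the answer)."""
    if len(COOKIE_NAME) + 1 + len(token) > COOKIE_LIMIT:
        raise ValueError("JWT too large for a cookie; shrink the claims or keep state server-side")
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def oauth_callback_response(profile: dict, now: int) -> dict:
    """What the callback endpoint returns after the provider redirects back: a 302 to the
    app's home page carrying the JWT cookie. `profile` is the identity the server fetched
    with the provider's access token; that access token itself never reaches the browser."""
    token = sign_jwt({"sub": profile["id"], "email": profile["email"]}, SIGNING_KEY, now)
    return {
        "status": 302,
        "headers": {"Location": "/", "Set-Cookie": jwt_cookie_header(token)},
    }


def claims_from_request(cookie_header: str, now: int) -> dict:
    """Later API call: pull the JWT out of the request's Cookie header and verify it."""
    cookies = dict(part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    return verify_jwt(cookies[COOKIE_NAME], SIGNING_KEY, now)


if __name__ == "__main__":
    now = int(time.time())
    resp = oauth_callback_response({"id": "12345", "email": "user@example.com"}, now)
    print(resp["headers"]["Set-Cookie"])
    cookie_pair = resp["headers"]["Set-Cookie"].split(";")[0]
    print(claims_from_request("theme=dark; " + cookie_pair, now + 10))
```

With the cookie flagged HttpOnly the frontend never handles the token at all; Angular simply makes API calls and the browser attaches the cookie. That also removes the LocalStorage/SessionStorage question from the original post, at the cost of having to think about CSRF, which the SameSite attribute covers for the common cases.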
0

Before passing control to Facebook auth, you can initiate a socket connection to your API, then probably show a loading status in your app. Afterwards let Facebook do its thing. When it succeeds, it posts data to your backend. Your backend does its stuff and passes the JWT to the frontend using the socket it created earlier. This seems like too much work & could come with extra bugs if you don't do it correctly.

davyCode
0
const jwt = require("jsonwebtoken");

// Read the signing secret from the environment instead of hard-coding it,
// and refuse to start without one.
const SECRET = process.env.JWT_SECRET;
if (!SECRET) throw new Error("JWT_SECRET is not set");

module.exports = {
    // HS256-signed token with a fixed lifetime (jsonwebtoken sign options).
    signToken: function (payload) {
        return jwt.sign(payload, SECRET, { algorithm: "HS256", expiresIn: "1h" });
    },
};
  • Remember that Stack Overflow isn't just intended to solve the immediate problem, but also to help future readers find solutions to similar problems, which requires understanding the underlying code. This is especially important for members of our community who are beginners, and not familiar with the syntax. Given that, **can you [edit] your answer to include an explanation of what you're doing** and why you believe it is the best approach? – Jeremy Caney Feb 07 '23 at 03:06