
I have a Java spring backend that is using LDAP for user accounts and spring-security for authentication.

I also use spring-security-oauth2 for client authentication and I have a client authenticated with a JWT.

Using that JWT, how can I use NodeJS to decrypt the JWT and retrieve the session information (user and roles) in my database?

I also have a X-XSRF-TOKEN I think I need to verify (cookie).

Is it possible?

Dimitri Kopriwa

1 Answer


I have a Java spring backend that is using LDAP for user accounts and spring-security for authentication.

I also use spring-security-oauth2 for client authentication and I have a client authenticated with a JWT.

The whole idea of JWT is that it is stateless (no sessions). If you have a unique solution where sessions are somehow tied to JWT, you should include a diagram or more description.

Using that JWT, how can I use NodeJS to decrypt the JWT and retrieve the session information (user and roles) in my database?

You can use the JsonWebToken library and store/retrieve the username (or some other type of user or session identification token) in the subject field.

I also have a X-XSRF-TOKEN I think I need to verify (cookie).

CSRF/XSRF is usually disabled in JWT applications (see accepted answer here CSRF Token necessary when using Stateless(= Sessionless) Authentication?). In spring boot the middleware is enabled by default, but can be disabled like so:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Turn off the CSRF filter; only appropriate when no cookie-based session
        // authentication is in play and the JWT is sent in a request header.
        http.csrf().disable();
    }
}
Michal
  • `I wonder, why would you decode the token in NodeJs if you actually need to work with it in the backend?` NodeJS is a backend, and I want to extend the backend with nodejs and use the same users and perms, does it make more sense to you now? – Dimitri Kopriwa Jun 14 '18 at 08:20
  • I updated my response with a more relevant NodeJs library. – Michal Jun 14 '18 at 23:17
  • The jwt is not tied to the session but the session is required to get the JWT. But now I remember you only need it to get the JWT. I wonder because the JWT contains roles and users, how can I verify that the JWT has not been modified (within node)? – Dimitri Kopriwa Jun 15 '18 at 23:01
  • @BigDong In my view of JWT, needing session to get the JWT still doesn't make sense. JWT is usually passed in request header for every request, which is what makes it suitable for stateless operation. The JWT is issued by the server, using secure password. Unless an attacker gets hold of that password, they should not be able to modify the token. I suggest doing some reading on the principles of JWT https://jwt.io/introduction/ – Michal Jun 16 '18 at 00:34
  • The issue I am trying to understand here is how to validate the token from node? Can we just trust the user? – Dimitri Kopriwa Jun 19 '18 at 21:51
  • @BigDong Good reading here: https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure – Michal Jun 21 '18 at 11:36
  • This did help ensure I was understanding properly, all we need is a small test to see how to read/decode/edit the token without risk. Thanks for clarification – Dimitri Kopriwa Jun 22 '18 at 06:14