0

Supposed I have a web application that needs to authenticate a user. Instead of doing it on its own, it redirects the user to a dedicated authentication service.

There the user logs in, and a JSON web token (JWT) is created containing the claims for the user.

Now - how do I send back the JWT to the client app?

Basically, I could do a redirect again, but then I need to put the JWT into the url, and I want to avoid this (I guess it's not the best idea to have the token in the url visible for everyone with access to the browser history).

What else could / should I do?

I could imagine doing a POST back to the original server and sending the JWT inside the body. Then it would be hidden, and the original server could access the token anyway.

Any other ideas or suggestions?

Golo Roden
  • 140,679
  • 96
  • 298
  • 425

2 Answers2

2

OAuth, CAS, SAML, and OpenID are some protocols that address this situation. Usually it's pretty easy to deploy libraries that implement those.

Most suggestions would be re-implementing those flows :)

The "Server Flow" section in Google's OAuth2 authentication guide is an example of how the 3 entities (browser, website, authenticator) exchange tokens:

https://developers.google.com/accounts/docs/OAuth2Login

jspcal
  • 50,847
  • 7
  • 72
  • 76
-1

There a several ways to do this, depending on what kind of webapplication you have: A browser based (javascript) one or a server based (php, asp, etc) one. Fortunately these problems have already well-thought solutions. For user-authentcation check the OpenId Connect specification. It will give you the exact soltions to your question.

KLoozen
  • 364
  • 2
  • 4