4

I am using Slim framework to return JSON to my Android device. I am currently working on login on my device. I am using 3 different ways to login: Facebook, Google and account login. When he takes account login he can register a new account or login with an existing one.

For security on my web service I thought to use JWT security. So I am reading and watching video's about how it works. I think I understand how it works, but I cannot find anything about how to implement it correctly.

The middleware I use for slim v3 is called: Slim-JWT-Auth. I found the following link to implement this in my slim framework, and it works correctly I think.

Now my questions:

  1. How do I generate my Token?
  2. When do I generate my Token?
  3. Do I also need a Token when using Google or Facebook sign-in? because they already use a Auth2.0 token?

I understand how it works but nobody is talking about when and how to implement it. So when do I need to generate the token (on login on the webservice?), and do I need to generate a token after every start of the app, or do I just need to wait until the token expires?

kevingoos
  • 3,785
  • 4
  • 36
  • 63
  • If you need more info, or a sample please let me know. – kevingoos Mar 03 '16 at 08:19
  • 1
    I think that you should generate the token whenever the user logs in through an account (if she uses Google or Facebook sign-in you should verify its validity by calling some Google/Facebook API, I guess), pass it to the client (e.g. like a session cookie) and validate it to ensure it's valid. For question 2, you can use one of several PHP libraries to generate the JWT (check on [jwt.io](http://jwt.io/)), and you **MUST NOT** include sensitive data inside the token since it is **not encrypted** (it is only Base64URL encoded) – user2340612 Mar 04 '16 at 09:06

1 Answers1

4

How do I generate my Token?

Since the middleware already includes firebase/php-jwt library you can use it to generate the token.

$now = new DateTime();
$future = new DateTime("now +2 hours");
$server = $request->getServerParams();
$payload = [
    "iat" => $now->getTimeStamp(),
    "exp" => $future->getTimeStamp(),
    "sub" => $server["PHP_AUTH_USER"]
];

$secret = "supersecretkeyyoushouldnotcommittogithub";
$token = JWT::encode($payload, $secret, "HS256");

When do I generate my Token?

In your api you can for example include a password protected route which returns the token. All other routes except /token are JWT authenticated. Client can request token with every request or just always bit before the old one expires.

$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "path" => "/token",
    "users" => [
        "test" => "test"
    ]
]);

$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub"
    "rules" => [
        new RequestPathRule([
            "path" => "/",
            "passthrough" => ["/token"]
        ])
    ]
]);

$app->post("/token", function ($request, $response, $arguments) {

    $now = new DateTime();
    $future = new DateTime("now +2 hours");
    $server = $request->getServerParams();

    $payload = [
        "iat" => $now->getTimeStamp(),
        "exp" => $future->getTimeStamp(),
        "sub" => $server["PHP_AUTH_USER"],
    ];
    $secret = "supersecretkeyyoushouldnotcommittogithub";
    $token = JWT::encode($payload, $secret, "HS256");
    $data["status"] = "ok";
    $data["token"] = $token;

    return $response->withStatus(201)
        ->withHeader("Content-Type", "application/json")
        ->write(json_encode($data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT));
});

Do I also need a Token when using Google or Facebook sign-in? because they already use a Auth2.0 token?

There is no clear answer to this. It "depends". You could for example authenticate your /token route with Facebook or Google and return your own JWT token from there.

There is an work in progress more detailed example implementation of everything above you might want to check.

Mika Tuupola
  • 19,877
  • 5
  • 42
  • 49