
I know the question is kind of broad, but let me narrow it down. I have built a small social network with Laravel and I am looking forward to building the API with Dingo. My problem is that I would like to know the developers using my API (developer authentication). This gets me confused, because a developer using the API will have to authenticate users of my site to post or get information about them. I would like to know how this authentication should work.

Say a developer dev@gmail.com with password 'dev123' wants to get a particular user's post, the URL of the post is mydomain.com/api/users/445/posts/4, and user 445 has email user@gmail.com and password 'user123'. How do I manage handling developer authentication and user authentication with JWT? I have looked at some tutorials on JWT but am confused whether it's the API user (developer) or the platform user who is being authenticated. Thanks in advance; I would appreciate a tutorial covering this if one is available.

Fenn-CS

1 Answer


How do I manage handling developer authentication and user authentication with JWT?

Every user and every developer on every device will receive their own bearer token once they log in via a method you need to choose. As part of the bearer token you can encode custom data, e.g. user IDs or user roles (or, probably better, hashes).

Extracting this information from the token you can use it to give access to specific resources depending on user id, role or whatever you choose.

See https://stormpath.com/blog/jwt-the-right-way for examples of what "claims" you can entrust a JWT with, for example:

//header
{
    "alg": "HS256", //denotes the algorithm (shorthand alg) used for the signature is HMAC SHA-256
    "typ": "JWT" //denotes the type (shorthand typ) of token this is
}

//claims
{
    "sub": "tom@stormpath.com",
    "name": "Tom Abbott",
    "role": "user"
}
andig
  • Thanks, but I don't understand when you say "via a method I need to choose", and I only see user claims in the API request. Does that mean there's no need for developer info in the request with the token? – Fenn-CS Sep 08 '16 at 10:05
  • If you authenticate a developer (i.e. a developer logs in) you can hand him a token with role "developer". When a request then comes in with a valid token including the "developer" role you can be sure it's a developer and authorize access to resources that require a developer or the owner to access. – andig Sep 08 '16 at 10:52
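The mechanism described in the answer and comments, as an added example that is not part of the original answer and is not Laravel/Dingo code: a minimal HS256 JWT issuer and verifier built only on the Python standard library, with an authorization check for the question's route mydomain.com/api/users/445/posts/4. The signing secret, the subjects "445", "446" and "dev@gmail.com", the role names "user" and "developer", and the function names are all assumptions chosen for this illustration. The verifier pins the algorithm to HS256 instead of trusting the token's own alg header, compares signatures in constant time, and rejects expired tokens; a request is allowed when the token's role is "developer" or its sub is the owner of the post.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real app loads it from configuration.
SECRET = b"example-signing-secret-not-for-production"
PINNED_ALG = "HS256"


class InvalidToken(Exception):
    """Raised when a token fails structural, signature or expiry checks."""


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url encoding for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that was stripped at encode time before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(sub: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose claims carry the subject and a role ("user" or "developer")."""
    now = int(time.time()) if now is None else now
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    claims = {"sub": sub, "role": role, "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return the claims on success."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    # Never let the token choose the verifier: an attacker-supplied "alg": "none"
    # must not turn signature checking off.
    if header.get("alg") != PINNED_ALG:
        raise InvalidToken("unexpected alg")
    if not hmac.compare_digest(sig, _sign(f"{h_b64}.{c_b64}")):
        raise InvalidToken("bad signature")
    # A missing exp is treated as expired rather than as "valid forever".
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidToken("expired")
    return claims


def can_read_post(token: str, owner_id: str, now: Optional[int] = None) -> bool:
    """Authorize GET /api/users/{owner_id}/posts/{id}: allowed for the owner or any developer."""
    try:
        claims = verify_token(token, now)
    except InvalidToken:
        return False
    return claims.get("role") == "developer" or claims.get("sub") == owner_id


if __name__ == "__main__":
    owner = issue_token("445", "user")
    dev = issue_token("dev@gmail.com", "developer")
    other = issue_token("446", "user")
    print("owner reads own post:", can_read_post(owner, "445"))
    print("developer reads user 445's post:", can_read_post(dev, "445"))
    print("user 446 reads user 445's post:", can_read_post(other, "445"))
```

The role claim is what distinguishes the two populations the question asks about: both a platform user and a developer log in (by whatever method you choose) and receive a token, and the authorization decision is made from the verified claims, not from anything else in the request.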