Comments (10)
lakhansamani
commented on June 2, 2024
1
@mihaa1 for backend cookie session is not recommended,
We refresh cookie session with session query for security reasons.
For backend I recommend using access_token.
from authorizer.
bright-coder
commented on June 2, 2024
1
Example in Golang SDK
`func (s *jwtAuthorizer) IsAuth() fiber.Handler {
return func(c *fiber.Ctx) error {
authHeader := c.GetReqHeaders()["Authorization"]
tokenSplit := strings.Split(authHeader, " ")
if len(tokenSplit) < 2 || tokenSplit[1] == "" {
return fiber.ErrUnauthorized
}
client, err := s.authorizerAdatper.GetClient(map[string]string{})
if err != nil {
return fiber.ErrUnauthorized
}
res, err := client.ValidateJWTToken(&authorizer.ValidateJWTTokenInput{
TokenType: authorizer.TokenTypeAccessToken,
Token: tokenSplit[1],
})
if err != nil {
return fiber.ErrUnauthorized
}
if !res.IsValid {
return fiber.ErrUnauthorized
}
// res.Claims["allowed_roles"] => ["users", "admin"]
// res.Claims["sub"] => uuid
if !slices.Contains(res.Claims["allowed_roles"].([]interface{}), "admin") {
return fiber.ErrForbidden
}
c.Locals("user_id", res.Claims["sub"])
return c.Next()
}
}
`
but i don't know the different between access_token and id_token.
from authorizer.
lakhansamani
commented on June 2, 2024
1
@bright-coder
access_token is used for accessing the APIs of authorizer
You can use id_token to user identity and authorizing your apis
from authorizer.
lakhansamani
commented on June 2, 2024
1
Yes
from authorizer.
mihaa1
commented on June 2, 2024
Thanks.
Will it make sense to return the token I receive in the server to the client with Set-cookie?
from authorizer.
bright-coder
commented on June 2, 2024
@mihaa1
In my project, i have
- Vue3 (Frontend)
- Backend (Golang API)
- Authorizer (without MFA)
- Frontend -> Authorizer
- My Frontend (Vue3) login direct to Authorizer and get Cookie (httpOnly with 365 days expire time) with json (access_token, ...etc) from response.
- Now I'm save access_token to store (Pinia).
*** access_token will only store in memory when u close browser or tab it will remove. (for security reason)
*** Cookie that get from login (It not remove) now use have to use
const res = await authorizerRef.getSession();
to get new access_token
- Backend -> Authorizer
- My Backend (Golang API) I create middleware with receive access_token from Frontend (Vue3) and send it to Authorizer to Verify token
1.1 Valid token -> do handler
1.2 Invalid -> return 401
from authorizer.
mihaa1
commented on June 2, 2024
@bright-coder thank u.
Which method do u use on the backend to check the token?
from authorizer.
bright-coder
commented on June 2, 2024
@lakhansamani Thank you. I think we should add this to document. ?
from authorizer.
lakhansamani
commented on June 2, 2024
Sure will add it thanks 👍
from authorizer.
mihaa1
commented on June 2, 2024
@lakhansamani Im using the following code to authenticate on the backend:
const user = await authorizerRef.getProfile({
Authorization: `Bearer ${authorization}`,
})
Is this the correct way?
from authorizer.
Related Issues (20)
- Paseto support
- Add support for totp scanning screen
- Add totp api support with signup & oauth
- Add UI to scan totp secret and enter totp
- Feat: libsql / Turso database support HOT 2
- Error message "unauthorized" in browser's console HOT 1
- Bug: After login default page coming before redirect on requested redirect_url
- Remove roles from all the users when a role is removed from env HOT 1
- "Forget password" is shown when magic link is on but basic auth is off HOT 5
- UI elements not responsive on mobile HOT 1
- Add support for mobile based forgot password in `forgot_password` resolver HOT 1
- RESET_PASSWORD_URL default not working and override also HOT 7
- client_id HOT 11
- dashboard chunks links are wrong
- Enhancement: TOTP Reset After Recovery Code Validation
- Customize super admin panel
- [Feature] Add support for Surreal DB
- basic_auth_signup doesn't trigger with social login
- Add Paswordless login with WebAuthN HOT 1
- Question about sessions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authorizer.