Validate JWT from token String


#1

Is it possible to validate a JWT just by passing the token string?

In my use case the token string is sent to the authentication service as a JSON string through an Akka actor; there is no request header.


#2

Hi,

This is currently not possible. Maybe you can create a new request header as a workaround.

Best regards,
Christian


#3

Is there a specific reason why it is not possible?

It seems that the functionality is already in the library, the difference being that the token is not in the request header.

I want to keep the service lightweight, so it doesn’t make sense to create a request header if I don’t need one, and since I’m already using Silhouette I didn’t want to use another library, or code my own, just to validate the JWT.

Is this something that could be included in Silhouette?


#4

Hi,

Validation of the token and the creation of the authenticator itself is possible with the unserialize method. But the retrieve method, which is normally used to extract the token from the request, does a bit more if you use a stateful token. The retrieve method of the authenticator service extracts the authenticator from the request, because this is the normal flow of the authentication process for a Play application. The new framework-agnostic version of Silhouette takes another path here and makes this process more customizable.

Best regards,
Christian


#5

Ok, thanks for the quick replies.

I know that it does a little bit more, but surely there exist several use cases where “a little bit more” is not necessary. In my case I have the authentication service in a Play application, so what you say makes sense, but I have more services that use this service for authentication, and these services already have the token and communicate between them through actors in an Akka cluster. There is no requirement for a stateful token.

When you say “The new framework agnostic”, are you referring to version 5? And will this be possible then?

I considered using, for example, “jwt-scala” or “authentikat-jwt” to work around this, but I would prefer to use Silhouette.


#6

When I talk about the framework-agnostic version, I mean: https://github.com/minutemen/silhouette

It’s planned to release the Play bindings with the release of Play 3.0.

Best regards,
Christian


#7

Ok, but I’m still not clear if this will be possible or not.

To me it seems that the functionality is already there, just not accessible.

Thanks for your time anyway.
Regards,
Hugo


#8

As noted in one of my last answers, currently it’s possible to validate the token with the JWTAuthenticator.unserialize method. You can use this method instead of the JWTAuthenticatorService.retrieve method.

For the framework-agnostic version of Silhouette we are currently in the planning phase of the authenticator refactoring. So with this version it’s currently not possible because this version is months away from a production release. I’ll consider your use case for the planning. Maybe we decouple the transport completely from the authenticator service.

Does this answer your question?

Best regards,
Christian
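
The approach described in this answer, validating a bare token string with `JWTAuthenticator.unserialize`, as an added example that is not code from this thread or from the Silhouette project. It assumes the Silhouette 4.x/5.x `com.mohiva.play.silhouette` packages and the `unserialize(str, authenticatorEncoder, settings)` signature; `TokenStringValidation` and `validate` are hypothetical names, and the secrets, id and login are constructed values.

```scala
import com.mohiva.play.silhouette.api.LoginInfo
import com.mohiva.play.silhouette.api.crypto.{ AuthenticatorEncoder, Base64AuthenticatorEncoder }
import com.mohiva.play.silhouette.impl.authenticators.{ JWTAuthenticator, JWTAuthenticatorSettings }
import org.joda.time.DateTime
import scala.util.{ Failure, Success }

object TokenStringValidation {

  // Hypothetical helper: validates a bare token string, for example one
  // received in an actor message, without building a request header.
  def validate(
    token: String,
    encoder: AuthenticatorEncoder,
    settings: JWTAuthenticatorSettings): Either[String, JWTAuthenticator] =
    JWTAuthenticator.unserialize(token, encoder, settings) match {
      // unserialize verifies the HMAC signature and rebuilds the authenticator;
      // expiry and idle timeout are a separate check, exposed as isValid.
      case Success(authenticator) if authenticator.isValid => Right(authenticator)
      case Success(_) => Left("expired or idle timeout exceeded")
      // The exception message may contain the token, so it is not passed on.
      case Failure(_) => Left("signature or format check failed")
    }

  def main(args: Array[String]): Unit = {
    val encoder = new Base64AuthenticatorEncoder
    // Constructed demo secrets; HS256 needs a key of at least 256 bits.
    val settings = JWTAuthenticatorSettings(sharedSecret = "constructed-demo-secret-0123456789abcdef")
    val otherKey = settings.copy(sharedSecret = "another-constructed-secret-0123456789abc")
    val now = DateTime.now

    // Constructed authenticators: one valid for an hour, one already expired.
    val fresh = JWTAuthenticator("constructed-id", LoginInfo("credentials", "user@example.com"), now, now.plusHours(1), None)
    val stale = fresh.copy(expirationDateTime = now.minusMinutes(5))

    val freshToken = JWTAuthenticator.serialize(fresh, encoder, settings)
    val staleToken = JWTAuthenticator.serialize(stale, encoder, settings)

    println(validate(freshToken, encoder, settings).isRight) // accepted
    println(validate(staleToken, encoder, settings)) // signature fine, but expired
    println(validate(freshToken, encoder, otherKey)) // checked against a different key
  }
}
```

For a stateful token, the extra work that `retrieve` does is not covered by this check.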


#9

Yes, thanks for the help.

For now I will have a look at JWTAuthenticator.unserialize.

Kind regards,
Hugo