Ghosttje - 3 months ago 35
Android Question

JWT: Authentication in slim v3 and Android

I am using the Slim framework to return JSON to my Android device. I am currently working on login on my device. I am using 3 different ways to log in: Facebook, Google and account login. When the user chooses account login, they can register a new account or log in with an existing one.

For security on my web service I thought to use JWT. So I am reading and watching videos about how it works. I think I understand how it works, but I cannot find anything about how to implement it correctly.

The middleware I use for slim v3 is called: Slim-JWT-Auth.
I found the following link to implement this in my slim framework, and it works correctly I think.

Now my questions:


  1. How do I generate my Token?

  2. When do I generate my Token?

  3. Do I also need a Token when using Google or Facebook sign-in? because they already use a Auth2.0 token?



I understand how it works but nobody is talking about when and how to implement it. So when do I need to generate the token (on login on the webservice?), and do I need to generate a token after every start of the app, or do I just need to wait until the token expires?

Answer

How do I generate my Token?

Since the middleware already includes firebase/php-jwt library you can use it to generate the token.

use Firebase\JWT\JWT;

$now = new DateTime();
$future = new DateTime("now +2 hours");
$server = $request->getServerParams();
$payload = [
    "iat" => $now->getTimestamp(),       // issued at
    "exp" => $future->getTimestamp(),    // expires two hours from now
    "sub" => $server["PHP_AUTH_USER"]    // the user that passed HTTP Basic auth
];

$secret = "supersecretkeyyoushouldnotcommittogithub";
$token = JWT::encode($payload, $secret, "HS256");

When do I generate my Token?

In your API you can for example include a password-protected route which returns the token. All other routes except /token are JWT authenticated. The client can request a token with every request, or just always a bit before the old one expires.

// HTTP Basic auth guards only the /token route.
$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "path" => "/token",
    "users" => [
        "test" => "test"
    ]
]));

// JWT auth guards everything else; /token is passed through so a client
// without a token can still obtain one.
$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub",
    "rules" => [
        new \Slim\Middleware\JwtAuthentication\RequestPathRule([
            "path" => "/",
            "passthrough" => ["/token"]
        ])
    ]
]));

$app->post("/token", function ($request, $response, $arguments) {

    $now = new DateTime();
    $future = new DateTime("now +2 hours");
    $server = $request->getServerParams();

    $payload = [
        "iat" => $now->getTimestamp(),
        "exp" => $future->getTimestamp(),
        "sub" => $server["PHP_AUTH_USER"],   // set by HttpBasicAuthentication
    ];
    $secret = "supersecretkeyyoushouldnotcommittogithub";
    $token = \Firebase\JWT\JWT::encode($payload, $secret, "HS256");

    $data = [];
    $data["status"] = "ok";
    $data["token"] = $token;

    return $response->withStatus(201)
        ->withHeader("Content-Type", "application/json")
        ->write(json_encode($data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT));
});

Do I also need a Token when using Google or Facebook sign-in? Because they already use an OAuth 2.0 token?

There is no clear answer to this. It "depends". You could for example authenticate your /token route with Facebook or Google and return your own JWT token from there.

There is a more detailed work-in-progress example implementation of everything above that you might want to check.
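The following is an added example, not code from the question, the answer, or the Slim-JWT-Auth project. It puts the answer's token-issuing logic and the middleware's verification step side by side so the "when do I regenerate?" question can be answered in code: the token is used as long as it verifies, and a new one is requested shortly before exp instead of on every app start. It assumes firebase/php-jwt v6 (whose JWT::decode takes a Key object) installed through Composer, a JWT_SECRET environment variable instead of the hard-coded secret shown in the answer, and a constructed in-memory user store; the function names and the refresh window are the example's own choices.

```php
<?php
// Added example (not from the question or the answer): issuing and checking
// an HS256 JWT with firebase/php-jwt, the library bundled with Slim-JWT-Auth.
// Assumes php-jwt v6 via Composer and a JWT_SECRET environment variable.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // assumption: Composer layout

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\ExpiredException;
use Firebase\JWT\SignatureInvalidException;

const TOKEN_TTL_SECONDS   = 2 * 60 * 60; // same lifetime as the answer's "now +2 hours"
const REFRESH_WINDOW_SECS = 10 * 60;     // ask /token for a new one in the last 10 minutes

// The signing secret comes from the environment, not from the route file.
// Generate one with: php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;'
function signingSecret(): string
{
    $secret = getenv('JWT_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('JWT_SECRET must be set and at least 32 bytes long');
    }
    return $secret;
}

// Constructed sample user store: username => password_hash() output.
// Mirrors the "test" => "test" user from the answer's Basic-auth config.
function userStore(): array
{
    return ['test' => password_hash('test', PASSWORD_DEFAULT)];
}

// What the /token route does once credentials check out: build the same
// iat/exp/sub payload as the answer and sign it. $now is overridable so an
// already-expired token can be produced for demonstration.
function issueToken(string $username, string $password, ?int $now = null): ?string
{
    $users = userStore();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return null; // wrong credentials: no token is issued
    }
    $now = $now ?? time();
    $payload = [
        'iat' => $now,
        'exp' => $now + TOKEN_TTL_SECONDS,
        'sub' => $username,
    ];
    return JWT::encode($payload, signingSecret(), 'HS256');
}

// What the JwtAuthentication middleware does on every other route: verify
// the signature and the exp claim. Returns the claims, or null when the
// token must be rejected (the middleware would answer 401 at that point).
function verifyToken(string $token): ?stdClass
{
    try {
        return JWT::decode($token, new Key(signingSecret(), 'HS256'));
    } catch (ExpiredException | SignatureInvalidException | UnexpectedValueException | DomainException $e) {
        return null;
    }
}

// Client-side decision: keep using a valid token, and fetch a new one from
// /token only when exp is close. An expired or tampered token means logging
// in again with the real credentials.
function shouldRefresh(string $token, ?int $now = null): bool
{
    $claims = verifyToken($token);
    if ($claims === null) {
        return true;
    }
    $now = $now ?? time();
    return ($claims->exp - $now) <= REFRESH_WINDOW_SECS;
}

// Usage: JWT_SECRET=$(php -r 'echo bin2hex(random_bytes(32));') php jwt_example.php
$token = issueToken('test', 'test');
echo "token: ", $token, PHP_EOL;
echo "wrong password issues a token? ", issueToken('test', 'wrong') === null ? 'no' : 'yes', PHP_EOL;
echo "valid now? ", verifyToken($token) !== null ? 'yes' : 'no', PHP_EOL;
echo "refresh now? ", shouldRefresh($token) ? 'yes' : 'no', PHP_EOL;
echo "refresh at 115 min? ", shouldRefresh($token, time() + 115 * 60) ? 'yes' : 'no', PHP_EOL;
echo "tampered token accepted? ", verifyToken($token . 'x') !== null ? 'yes' : 'no', PHP_EOL;

$expired = issueToken('test', 'test', time() - 3 * 60 * 60); // issued three hours ago
echo "expired token accepted? ", verifyToken($expired) !== null ? 'yes' : 'no', PHP_EOL;
```

The same verifyToken() logic is what the middleware applies to the Authorization header on protected routes, so the client never needs to send credentials again until the token nears exp; reading the secret from JWT_SECRET is the one deliberate departure from the answer's inline string.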