Good day everybody, my capstone project partners are stumped by a logic question that has to do with JWT, MVC & web services.

We have already built a web app with a signup/signin feature using an MVC framework, but for our capstone we need to securely access data from a web service (which we have not built yet). We considered using JWT (JSON Web Tokens), but most of the examples we see require a login, one that interacts with the web service, which compares the login info against the service's database.

With this theorem and flow, a user would need to log in to our MVC app (that already has a database all set up), then within the MVC app after logging in, send another login/register request to the web service (that has no connection to the database) in order to establish a JWT.

To us this seems like too much work.

Is there another way to communicate between an MVC app (that already uses a database to log in) and a web service? Could the service store user keys in some way?

Thanks very much!! We are not native to English, please forgive our misspellings!


Solution

You are missing the point of JWT. Logging in is the process of confirming someone's identity (i.e. authentication). Once you've confirmed the identity, you generate the JWT with all the user's needed information (like roles, etc.). That JWT is then signed so that you know it is valid.

The browser needs to present the JWT as a bearer token, and the web service being called validates the token and retrieves any user information needed from that token (HTTP header Authorization: Bearer {actual token content}).

The bottom line is that the user signs in one time, and the decisions of what the user can and cannot do are derived from information in that token (i.e. authorization).

It is an excellent means of minimizing network traffic in a microservice-based application, and avoids sending username/password combinations all over the place.

And yes, there are libraries to make efficient use of JWTs with MVC apps.
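
The flow described in this answer, as an added example that is not part of the original question or answer: the MVC app issues a signed token once its own database login has succeeded, and the web service validates the bearer header with no user database of its own. It assumes HS256 with a key shared by both sides; `SHARED_KEY`, `issue_token` and `verify_bearer` are hypothetical names, and only the standard library is used so that the mechanics stay visible.

```python
import base64, hashlib, hmac, json, time

# Assumption: one secret known to both the MVC app and the web service (constructed value).
SHARED_KEY = b"constructed-demo-key-change-me"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, roles, ttl=300, now=None):
    """MVC app side: called once, after its own database login succeeded."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": user_id, "roles": roles, "exp": now + ttl}).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64e(sig)}"

def verify_bearer(authorization, now=None):
    """Web service side: return the claims, or None if the header is unacceptable."""
    now = int(time.time()) if now is None else now
    scheme, _, token = (authorization or "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    header, claims, sig = parts
    try:
        # Check the signature first, in constant time, before trusting any field.
        expected = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        # Pin the algorithm instead of letting the token choose it.
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        data = json.loads(b64d(claims))
    except (ValueError, TypeError, AttributeError):
        return None
    # Reject tokens without a usable expiry or whose expiry has passed.
    if not isinstance(data, dict) or not isinstance(data.get("exp"), int) or data["exp"] <= now:
        return None
    return data
```

The service makes its authorization decision from the returned `roles` claim; it never sees the username or password.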

Licensed under: CC-BY-SA with attribution