How to get a JWT?

by

JWT is a token format which is used in security protocols like OAuth2 and OpenID Connect.

How to get the token from the authorization server depends on the grant flow you are using.

There are 4 grant flows defined in OAuth 2.0 that are intended for different clients and uses.

  1. Authorization code grant

This grant is intended for web applications. The user’s browser is redirected (HTTP 302) to the authorization server. The authorization server takes care of authenticating the user (via username/password, smartcard, 2-factor auth whatever).

The authorization server then redirect the browser back to a preregistered endpoint in the web application with a code. The web application then uses it’s own credentials (client id and client secret) and the authorization code to request an access token from the authorization server.

The authorization server returns an access token and a refresh token to the web application. Note that the browser (untrusted) never sees the access token. Only the web application (trusted) has access to the access token and refresh token.

This grant is difficult to use from other clients than web applications as it’s based on HTTP redirection.

  1. Implicit grant

This grant is used for untrusted clients like JavaScript applications or 3rd party mobile clients (the ones you download from the app-store).

It also redirects a browser (or browser control) to the authorization server, but instead of returning a code to the browser after successful authentication, it returns an access token directly. Because the client is not trusted, the grant does not return a refresh token. The access token needs to be stored somewhere and is vulnerable to XSS attacks.

Even though you do not get a refresh token, some implementations do provide a way to get a new access token by communicating to the authorization server in a hidden IFRAME and using cookies to authenticate with the authorization server itself.

  1. Resource Owner Password Credentials grant

This grant is for trusted clients, for example a desktop application or a first party mobile app with secure storage capabilities. The client application asks the user (the resource owner) for their username/password and then sends this to the authorization server to acquire an access token and refresh token.

Once the client has the access token, it can discard the password as it can use the refresh tokens to get new access tokens. This makes it more secure than basic authentication.

This grant does not depend on browser redirects and can be easily used from any application that can execute HTTP requests.

  1. Client Credentials grant

This grant is meant to authenticate the client (application) instead of the user of the client.

In this case, the client submits its client id and secret directly to the authorization server to acquire an access and refresh token.

So basically the first two grants depend on browser-like capabilities (HTTP redirects, HTML login pages), where the other two grants only need an HTTP stack to communicate with the authorization server.

More Related Contents:

  1. What if JWT is stolen?
  2. What are the main differences between JWT and OAuth authentication?
  3. Single sign-on flow using JWT for cross domain authentication
  4. Google OAuth 2 authorization – Error: redirect_uri_mismatch
  5. JWT (JSON Web Token) automatic prolongation of expiration
  6. Authentication filter and servlet for login
  7. Where to store JWT in browser? How to protect against CSRF?
  8. How to secure MongoDB with username and password
  9. Error when connect to impala with JDBC under kerberos authrication
  10. How can I extend ServiceStack Authentication
  11. Socket.IO Authentication
  12. user authentication libraries for node.js?
  13. Forgot Password: what is the best method of implementing a forgot password function?
  14. How Spring Security Filter Chain works
  15. Authentication with 2 different tables
  16. How to use UrlFetchApp with credentials? Google Scripts
  17. CSRF Token necessary when using Stateless(= Sessionless) Authentication?
  18. IIS7: Setup Integrated Windows Authentication like in IIS6
  19. How to use Windows Active Directory Authentication and Identity Based Claims?
  20. In Subversion can I be a user other than my login name?
  21. Microservice Authentication strategy
  22. Best practices for server-side handling of JWT tokens [closed]
  23. Where can I find a list of OpenID Provider URLs? [closed]
  24. How to use Github Personal Access Token in Jenkins
  25. ASP.NET MVC 3 using Authentication
  26. Customize Authentication – Login Symfony2 Messages
  27. How to use Client Certificate Authentication in iOS App
  28. Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app
  29. Web API 2, OWIN Authentication, SignOut doesn’t logout
  30. How can I use persisted cookies from a file using phantomjs

Leave a Comment