Closed magimat closed 7 years ago
I ended up messing around with the code and implementing the cookie fallback myself. I just created a pull request for this.
I'm not really into C++, so my code is probably not that good, but it works pretty well for me at least.
Hi,
Thanks for your contribution. You effectively pointed out a missing feature, although the JWT RFC does not specify such a case. I will review your work asap before accepting to merge.
If you're concerned about security, you probably don't want to be sending a token as part of the query string. See this.
Thanks for the advice @JesseEstum. I'm concerned about security, but the pull request is about using JWT in a cookie, so there is no data exposure in the URL, but there are other known security issues.
I'm still thinking about the relevancy of this feature, because I don't want to wander off the RFC. Using a cookie is out of scope, although I perfectly understand the use case.
Hi, I won't accept your pull request in master, because using a cookie for JWT is not part of the RFC at all. However, you can still rebase your branch with master to update the code or fork the project. Regards
Hi,
I have a scenario where I can't send the token as a header (javascript window.location).
It would be great if the module could fall back to a token cookie or query param.
I tried using mod_rewrite to add an Authorization RequestHeader from a query param, but it looks like it's too late, because the error log always shows "auth_jwt authn: missing Authorization header" even when I explicitly add the Authorization header with mod_rewrite.
Could you either natively support falling back to reading the token from a cookie and/or query param when the header is not present (a lot of other JWT handlers do that)?
Or, give me some clue as to how to add a header using mod_rewrite so that your module can see it; maybe I am not doing it right. I tried putting it in the virtualhost and inside directory, but neither seems to work :(
thanks!
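The header-first, cookie-then-query fallback requested in this thread, written out as an added Python example (it is not the module's own code, which is C, and the cookie name `AuthToken` and query parameter `token` are assumed). Query lookup is off by default, and `access_log_line` shows why: a token sent in the query string ends up in the server's access log, while one sent in the Authorization header or a cookie does not.

```python
import re
from urllib.parse import parse_qs

BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9._~+/=-]+)$")
COOKIE_NAME = "AuthToken"   # assumed cookie name, not defined by the module
QUERY_PARAM = "token"       # assumed query parameter name, not defined by the module


def parse_cookie_header(cookie_header):
    """Split a Cookie: header value into a dict; the first value of a name wins."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def extract_token(headers, query_string="", allow_query=False):
    """Return (token, source) in the order the issue asks for:
    Authorization header, then cookie, then (only if enabled) query parameter.
    A malformed Authorization header is skipped rather than treated as a token."""
    auth = headers.get("Authorization")
    if auth:
        m = BEARER_RE.match(auth.strip())
        if m:
            return m.group(1), "header"
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    if cookies.get(COOKIE_NAME):
        return cookies[COOKIE_NAME], "cookie"
    if allow_query:
        values = parse_qs(query_string).get(QUERY_PARAM)
        if values and values[0]:
            return values[0], "query"
    return None, None


def access_log_line(method, path, query_string=""):
    """Request line as a common-log-format access log records it: the query
    string is written to disk, request headers and cookies are not."""
    target = path + ("?" + query_string if query_string else "")
    return f'"{method} {target} HTTP/1.1"'


if __name__ == "__main__":
    # Constructed sample request: token only in the query string.
    tok = "eyJhbGciOiJIUzI1NiJ9.e30.sig"  # constructed placeholder, not a real JWT
    print(extract_token({}, f"token={tok}", allow_query=True))
    print(access_log_line("GET", "/api/data", f"token={tok}"))
```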