AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

Pass JWT via URL param, not in the Authorization header #45

Closed Voldemar123 closed 3 years ago

Voldemar123 commented 3 years ago

Hello!

Does it make sense to add the possibility to provide the JWT via a URL param?

I want to generate and open in browser links type of https://site.com/secured/?token=xxxxxx

where the "token" param is the JWT and grants access to an existing user of the site.

Thank you!

AnthonyDeroche commented 3 years ago

Hey,

It is technically possible, but it might be a real concern regarding security.

I recommend that the token have a short life (using exp) and be a one-time-use token. An anti-replay system using the jti field must also be considered.

A token in the URL also means that it will be logged by the web server, and it might be limited by the maximum length of a URL.

Well, it needs to be discussed...

Anthony
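The checks the maintainer lists above (short `exp` lifetime, one-time use, `jti`-based anti-replay) applied to a token taken from the `token` query parameter, as an added example. This is not code from mod_authnz_jwt; it is a standalone HS256 verifier using only the Python standard library, with a constructed secret and constructed token values. The `max_ttl` cap and the in-memory `seen` cache are design choices of this example, not module settings.

```python
"""Added example (not part of mod_authnz_jwt): verify a JWT carried in a URL
query parameter with a short-lifetime check and a jti replay cache, so each
token is accepted exactly once."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-secret"  # constructed value; real deployments load this from config


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, jti: str, ttl_seconds: int, now=None, secret=SECRET) -> str:
    """Issue an HS256 JWT with iat/exp and a unique jti (issuer side)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class OneTimeTokenVerifier:
    """HS256 verifier that enforces exp, caps the lifetime, and rejects a reused jti."""

    def __init__(self, secret=SECRET, max_ttl: int = 60):
        self.secret = secret
        self.max_ttl = max_ttl      # longest lifetime this verifier will accept
        self.seen: dict = {}        # jti -> exp; dropped once the token has expired anyway

    def _purge(self, now: int) -> None:
        # The cache only needs to remember jti values that are still valid.
        self.seen = {j: e for j, e in self.seen.items() if e > now}

    def verify(self, token: str, now=None):
        """Return (claims, 'ok') on success, or (None, reason) on rejection."""
        now = int(time.time()) if now is None else now
        self._purge(now)
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            sig = _b64url_decode(s)
        except (ValueError, json.JSONDecodeError):
            return None, "malformed"
        if header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(p))
        exp, jti = claims.get("exp"), claims.get("jti")
        if not isinstance(exp, int) or exp <= now:
            return None, "expired"
        if exp - claims.get("iat", now) > self.max_ttl:
            return None, "lifetime too long"
        if not jti:
            return None, "missing jti"
        if jti in self.seen:
            return None, "replayed"
        self.seen[jti] = exp   # remember until it would have expired on its own
        return claims, "ok"


def verify_from_url(verifier: OneTimeTokenVerifier, url: str, now=None):
    """Pull the 'token' query parameter from a link like the one in the issue and verify it."""
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    if token is None:
        return None, "no token"
    return verifier.verify(token, now=now)


if __name__ == "__main__":
    v = OneTimeTokenVerifier(max_ttl=60)
    link = "https://site.com/secured/?token=" + mint_token("alice", "jti-1", 30)
    print(verify_from_url(v, link)[1])   # first use is accepted
    print(verify_from_url(v, link)[1])   # same link again is rejected as replayed
```

The replay cache is per-process and in memory, so behind several httpd workers or servers it would have to be shared (for example in a datastore keyed by `jti` with the token's `exp` as its expiry). The verifier does not address the other point raised above: the token still lands in the server's access log, so the log itself has to be protected or the query string scrubbed.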

Voldemar123 commented 3 years ago

Let's postpone my question about passing the token as a param in the URL.

I absolutely agree with your concerns about

Right now I have implemented a solution that passes the token in a cookie, and it works perfectly for my tasks.

Thank you very much!

AnthonyDeroche commented 3 years ago

Happy that the "cookie" feature does the job for you. I'm closing the question for now.