TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

Get JWT from Authorization header #21

Closed lihop closed 6 years ago

lihop commented 6 years ago

In our project we submit the JWT in the Authorization header in the format: 'Bearer <token>'. We do not use any cookies.

We would like to use your module in our project, but I see that in e42d2a0 you removed the Authorization header check. Do you have any plans to support getting the token from the Authorization header or would you accept a pull request which adds this feature?

chatsap commented 6 years ago

Same here. We have stateless REST services where there is no cookie coming from the browser. The JWT token will be expected to come in the Authorization header. Is there any reason why it was removed?

fitzyjoe commented 6 years ago

I removed it because one of the applications on my site was using the authorization header and when I enforced the equality to the cookie, I broke their app. It’s nice to see that others are using this module (I didn’t really know), so I’ll look into making using the auth header (vs cookie) a parameter.

chatsap commented 6 years ago

Thanks @fitzyjoe. Suggestion: Instead of removing, introducing a config parameter may help. Same for cookie. Many services in today's world are stateless.

fitzyjoe commented 6 years ago

I put the authorization header functionality back like this. By default if you enable this module, it will look in the authorization header. You could also specify this explicitly with the conf directive:

auth_jwt_validation_type AUTHORIZATION;

But if you prefer to pass your JWTs in a cookie, you can use this directive:

auth_jwt_validation_type COOKIE=yourcookiename;
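The source selection described in the thread, as an added example that is not the module's own code: the token is read only from the source named by the `auth_jwt_validation_type` value, with no fallback to or comparison with the other header. The function names, return codes and buffer handling are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: copy [s, s+n) into out; reject empty or oversized tokens. */
static int copy_tok(const char *s, size_t n, char *out, size_t cap) {
    if (n == 0 || n >= cap) return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    return 0;
}

/* "Bearer <token>": case-insensitive scheme, exactly one token, no trailing data. */
static int from_authorization(const char *hdr, char *out, size_t cap) {
    const char *s = "bearer ";
    if (!hdr) return -1;
    for (; *s; s++, hdr++)
        if (tolower((unsigned char)*hdr) != *s) return -1;
    while (*hdr == ' ') hdr++;
    size_t n = strcspn(hdr, " \t,");
    if (hdr[n] != '\0') return -1;
    return copy_tok(hdr, n, out, cap);
}

/* Cookie header "a=1; b=2": match the whole cookie name, so "xjwt" never matches "jwt". */
static int from_cookie(const char *hdr, const char *name, char *out, size_t cap) {
    size_t nl = strlen(name);
    if (nl == 0) return -1;
    while (hdr && *hdr) {
        while (*hdr == ' ' || *hdr == ';') hdr++;
        size_t n = strcspn(hdr, ";");
        if (n > nl && strncmp(hdr, name, nl) == 0 && hdr[nl] == '=')
            return copy_tok(hdr + nl + 1, n - nl - 1, out, cap);
        hdr += n;
    }
    return -1;
}

/* validation_type is the directive value: "AUTHORIZATION" or "COOKIE=<name>".
   Only the configured source is read; any other value fails closed. */
int jwt_from_request(const char *validation_type, const char *authz,
                     const char *cookie, char *out, size_t cap) {
    if (strcmp(validation_type, "AUTHORIZATION") == 0)
        return from_authorization(authz, out, cap);
    if (strncmp(validation_type, "COOKIE=", 7) == 0)
        return from_cookie(cookie, validation_type + 7, out, cap);
    return -1;
}
```

The returned string is only the raw token; signature and claim validation still have to happen before the request is trusted.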