Open nirmalchief opened 8 years ago
@nirmalchief This is intentional, to transfer user details more securely. This is a normal pattern even in form-post based authentication, where sensitive attributes are transferred over the wire in the POST body. Also, making it optional does not make sense, since you are using the information in the ServiceUser to authorize (role based). I am curious; why does it need to be optional? Any particular reason you do not need role based authorization?
For the below use case. For example: let's say a user sends a request to my application service with a JWT set in a cookie. At the server side I have an interceptor where I want to authenticate this request and then authorise. To do authentication, I need to verify whether the JWT token that came along with the request is valid or not. So I call this verify API and pass app, id along with X-Auth-Token to verify it. If it is a valid token, then I read the payload from the token, verify the group info against my configured access list and provide the authorization.
Please help me to understand where I need the details which are in the body? And if I have to, how can I get the group info without validating the token, to pass it into the verify API (since the group info is in the body)?
Please correct me if the above approach is good.
@nirmalchief For any user to send a JWT token, you should have issued a token to that user. JWT is a stateless token. The token itself will have enough information to perform role based authorization. Please look at primer-bundle (a Dropwizard bundle for primer, on how a client can be implemented). The /verify call is an implicit call to primer from the primer client, which will make sure that the token is not forged/hijacked.
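The point in the reply above is that a JWT already carries the role/group information, and that the signature must be checked before any of those claims are trusted (which is what the /verify call does on the caller's behalf). The following is an added illustration, written for this thread and not code from primer or primer-bundle, of that order of operations in a request interceptor: verify the HS256 signature and expiry first, then read the group claim and check it against a configured access list. The shared secret, the `groups` claim name, the access list and the sample token are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT (constructed issuer; stands in for the real token issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims only if signature and expiry check out; None otherwise.

    Claims are never read for authorization decisions before this returns.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token choose (rejects "none" and alg swaps).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    exp = claims.get("exp")
    if exp is None or now >= int(exp):
        return None
    return claims


# Constructed access list: path -> groups allowed to reach it.
ACCESS_LIST = {
    "/admin/users": {"admins"},
    "/reports": {"admins", "analysts"},
}


def authorize(claims: dict, path: str) -> bool:
    """Role-based check using the (already verified) 'groups' claim."""
    groups = set(claims.get("groups", []))
    return bool(groups & ACCESS_LIST.get(path, set()))


def handle_request(secret: bytes, cookie_token: str, path: str, now: int) -> int:
    """Interceptor logic: authenticate (401 on failure), then authorize (403 on failure)."""
    claims = verify_token(secret, cookie_token, now)
    if claims is None:
        return 401
    if not authorize(claims, path):
        return 403
    return 200


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    token = issue_token(secret, {"sub": "alice", "groups": ["analysts"], "exp": 2_000_000_000})
    print(handle_request(secret, token, "/reports", now=1_900_000_000))      # 200
    print(handle_request(secret, token, "/admin/users", now=1_900_000_000))  # 403
```

Reading the group claim out of an unverified token, as the question asks about, would let anyone who can edit the cookie pick their own groups; the forged-payload case in the checks below shows why the signature check has to come first.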
Hi Phaneesh,
The /v1/verify/{app}/{id} API always asks for X-Auth-Token, app, id and a body for verifying the token. Is it possible to verify the token only by passing X-Auth-Token, app, id, making the body optional? As of now the body is also mandatory.
Please suggest?