0
votes

What I want to achieve:

Safely allow users to connect their accounts to different social medias using a Single Page Application.

What I am doing:

I am using an SPA and therefore utilizing JWT as my user authentication method. I am passing the JWT token in the OAuth call with Laravel Socialite like this:

use Laravel\Socialite\Facades\Socialite;

// Redirect the user to the provider; the app's own JWT is sent along as a query parameter.
return Socialite::driver($provider)
    ->with(['provider' => $provider, 'token' => $token]) // extra parameters appended to the authorize URL
    ->redirectUrl($redirectUri)
    ->stateless() // skip the session-backed state check, since the SPA has no server session
    ->redirect();

On the callback I get the user based on the token. Using this method allows the third-party provider to get access to the JWT token, which is very unsafe.

My Question(s):

Is there any better way to do this? Should I use some kind of hash + salt + secret?

1
What is the payload of your JWT token? I am wondering why you have issued the JWT token before authenticating the social media account. - Ben
The token is issued when the user logs in to the site. The user can, whilst logged in, choose to connect his account to different providers. The payload is pretty standard JWT, I guess. I am not sure what you mean. - Fredrik
But why do you pass the JWT token to the third-party provider? - Ben
How else could I know which user to connect the provider with in the callback? - Fredrik

1 Answer

1
votes

You should check the JWT.

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

A JWT token is composed of three parts: header, payload and signature.

You are using stateless authentication, and the only way to authenticate the user is by the JWT token. To authenticate the user after the redirect, you should create a payload containing the application's user id and pass it to the third-party provider, so that on redirect they pass the JWT token back to you.

It is no problem to pass the JWT token to the third-party provider, but be aware that the payload should not contain any sensitive data. If the payload is somehow sniffed, it will not do any harm because, if a hacker tries to change the payload, the signature helps: the application cannot verify the token and will throw an exception.

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
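To make the three-part structure and the signature check concrete, here is an added example that is not code from the asker, the answerer or Laravel Socialite. It builds an HS256 JWT by hand with Python's standard library (base64url header and payload, HMAC-SHA256 over `header.payload`, constant-time comparison on verification), and it goes one step beyond the answer: instead of forwarding the user's session JWT, it mints a separate short-lived token carrying only the user id, the provider being linked, a purpose claim and an expiry, so that whatever reaches the provider is useless for anything other than completing that one callback. The secret and user id are constructed values for the demonstration; `mint_link_token`, `verify_link_token` and `tamper_payload` are names chosen here, not a library API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example; a real deployment loads it from configuration.
SECRET = b"example-hmac-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWTs use for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by _b64url before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> str:
    """HS256: HMAC-SHA256 over 'header.payload', base64url-encoded."""
    return _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def mint_link_token(user_id: int, provider: str, secret: bytes = SECRET,
                    ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT whose payload carries only what the OAuth
    callback needs to map the provider account to an application user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "provider": provider,
               "purpose": "social-link", "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _sign(signing_input.encode(), secret)


def verify_link_token(token: str, expected_provider: str, secret: bytes = SECRET,
                      now: Optional[int] = None) -> dict:
    """Verify the token and return its payload, or raise ValueError.
    The signature is checked first, in constant time, so no claim in a
    tampered header or payload is trusted before the check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    expected_sig = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected_sig, sig_b64):
        raise ValueError("signature mismatch: token was altered or signed with another key")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("purpose") != "social-link":
        raise ValueError("token was not issued for account linking")
    if payload.get("provider") != expected_provider:
        raise ValueError("token was issued for a different provider")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def tamper_payload(token: str, **changes) -> str:
    """Rewrite payload claims while keeping the original signature, which is all
    anyone without the secret can do; verify_link_token must reject the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    new_payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp so the run is reproducible
    token = mint_link_token(42, "github", now=issued_at)
    print("valid:", verify_link_token(token, "github", now=issued_at + 100)["sub"])
    try:
        verify_link_token(tamper_payload(token, sub="1"), "github", now=issued_at + 100)
    except ValueError as exc:
        print("rejected:", exc)
```

In the Socialite flow above, the minted token would be the value placed in `->with([... 'token' => $token])` instead of the session JWT, and the callback would run the equivalent of `verify_link_token` before attaching the provider account to `sub`. Rejecting a token whose `exp` has passed or whose `provider` claim does not match the callback's provider keeps a leaked or replayed token from linking an account it was never issued for.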