19
votes

This is my first encounter with a JWT token and I'd like to know how this token is returned to the client after it's first created.

Should it come in the Authorization: Bearer header?

Usually, it's the client that passes the token in the Authorization: Bearer header on each request.
I'd like to know how the server passes this token to the client after the user has authenticated and the token gets created. Also in the same header? In a different header?

In my situation, the server will be generating the token not as a response but as part of the request.

For example:

A user will login to a portal, then click on a link to an authorized application. The JWT containing user claims will be passed to the authorized application as part of the request.
What is the best approach here? GET or POST? Header (which)? Query string? POST body? Thank you!


3 Answers

17
votes

There is no standard for how to return a JWT token to the client; however, check this URL, it answers your question:

https://github.com/dwyl/hapi-auth-jwt2/issues/82#issuecomment-129873082

Putting the JWT token in the Authorization header gives us flexibility to send an actual response in a web application. For a REST-only App/API you are free to send the JWT as the response body or a cookie. What matters is how the client stores the JWT and sends it back to the Server, which is done in the Authorization header (or Cookie or URL Token if you prefer) 👍

As for this existing in the "wild", I have not seen an example of the server sending an Authorisation header to the client, but there is nothing in the spec to suggest this is an anti-pattern. see: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html

If you want to stick to the guidelines you would follow this example: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#ExAccTokResp

1
votes

One may be interested to know that the OAuth 2.0 standard specifies the response body for that purpose:

5.1. Successful Response

The authorization server issues an access token and optional refresh token, and constructs the response by adding the following parameters to the entity-body of the HTTP response with a 200 (OK) status code:

access_token
REQUIRED. The access token issued by the authorization server.
[...]

0
votes

Also, there is another strategy where you can put the token in the URL. On the server side you can add the token after the URL in case you have a redirection from some security service. For example:

http://[my-app]/index.html?access_token=sadmopwmopmdmvsasom....

And then in JS you can get it like this:

// Parse the current page URL and read the access_token query parameter
let url = new URL(window.location);
let accessToken = url.searchParams.get("access_token");

But keep in mind that this method can't be considered safe.