Exposed REST API - JWT Auth - Persist values between OnAuthenticate and Action

Hi to all,

I've developed a REST API that uses custom authentication that checks for the presence of a bearer token in the header of the request and, if present, validates the values included in the payload.

I have an action "VerifyToken" that reads the JWT payload and extracts a structure with some data inside; some of this data must be used to perform security checks inside OnAuthentication and other data must be used inside the REST methods to perform logic actions.

Now the flow is:

  1. The REST API receives the request
  2. OnAuthentication is triggered
  3. A REST action that retrieves or edits the data

In points 2 & 3 I call VerifyToken, but since the structures returned are the same, I find it pointless to call it twice.

Is it possible to persist values from OnAuthentication and reuse them in the action methods? (I've also tried to use the OnRequest trigger, but unsuccessfully.)



Hi Andrea! Did you find any solution for this?

Hi Diogo,

Unfortunately not. We have verified that the verification and token extraction process takes around 80ms, so for now we have left the double call on VerifyToken, but we're still investigating how we can improve this scenario. If I have news I'll update the original post.


I would presume that the OnAuthentication and the action itself run in the same session, so could you use session variables?

For our customer portal we have also made a custom JWT authentication, and we only check the JWT in the actions themselves, not using OnAuthentication. This means having to duplicate the checking code in every method, but at least the values inside the JWT are available then.

For your scenario, it seems that just removing the OnAuthentication solves your problem?

Hi Kilian,

In fact, removing the OnAuthentication action is one of the solutions we are evaluating, and we'll probably choose that.

Regarding the session variables, in my opinion they don't fit with the concept of a REST API.




A REST API is stateless, yes, but that's from call to call. If you use them to pass data from the OnAuthentication to the main method (provided that that works), it's still the same call so no need to be stateless. Since each method will run in a new session, there's no state in between calls.
