Log in to AnswerLog in to Follow
2022-04-19 13-20-22
Andrea Lembo
50Views
5Comments
Exposed Rest Api - Jwt Auth- Persist values between OnAuthenticate and Action
Question
REST

Hi to all,

I've developed a rest api that use a custom authentication that check the presence of a bearer token in the header of the request and if present validate the values included in payload.

I've action "VerifyToken" that read the jwt payload and extract a structure with some data inside, these data must be used to perform some security checks inside OnAuhtentication and others must be used inside the rest methods to perform logic action.

Now the flow is :

  1. The rest api receive request
  2. The OnAuthentication is triggered 
  3. An rest action that retrieve or edit the data 

In the points 2 & 3 i call VerifyToken, but since the structures returned are the same I find it pointless to call it twice


It's possibile to persist value from OnAuthentication and reuse it in the action methods? (I've also tried to use OnRequest trigger but unsuccessfully)


 BR,

Andrea

1
0
10 Nov 2021

Hi Andrea! Did you find any solution for this?

0
0
18 Mar 2022

Hi Diogo,

Unfortunately not, we have verified that the verification and token extraction process takes around 80ms, so for now we have left the double call on VerifyToken but we're still investigating on how we can improve this scenario. If i have news i'll update the original post.


1
0
18 Mar 2022
2020-09-15 13-07-23
Kilian Hekhuis
mvp_badge
MVP

I would presume that the OnAuthentication and the action itself run in the same session, so could you use session variables?

For our customer portal we have also made a custom JWT authentication, and we only check the JWT in the actions itself, not using OnAuthentication. This means having to duplicate the checking code in every method, but at least the values inside the JWT are available then.

For you scenario, it seems that just removing the OnAuthentication solves your problem?

1
0
18 Mar 2022

Replying to Kilian Hekhuis' comment on 18 Mar 2022 15:05:44

Hi Kilian,

in fact, removing the action onauthentication is one of the solutions we are evaluating, and probably we'll choose that.

Regarding the session variables, in my opionion they don't fit with the concept of Rest Api.

Thanks,

Andrea.

0
0
18 Mar 2022
2020-09-15 13-07-23
Kilian Hekhuis
mvp_badge
MVP

Replying to Andrea Lembo's comment on 18 Mar 2022 15:14:29

A REST API is stateless, yes, but that's from call to call. If you use them to pass data from the OnAuthentication to the main method (provided that that works), it's still the same call so no need to be stateless. Since each method will run in a new session, there's no state in between calls.

0
0
18 Mar 2022
Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.