The TsgcHTTP_JWT_Server component allows to decode and validate JWT tokens received in WebSocket Handshake when using WebSocket protocol or as HTTP Header when using HTTP protocol.
You can configure the following properties in the JWTOptions property of the component:
If the Signature is validated using a Public Key (RS and ES algorithms), set the value in the PublicKey property of the Algorithm.
If the Signature is validated using a Secret (HS algorithms), set the value in the Secret property of the Algorithm.
To validate JWT tokens, just attach a TsgcHTTP_JWT_Server instance to Authentication.JWT.JWT property of the WebSocket/HTTP Server.
oServer := TsgcWebSocketHTTPServer.Create(nil);
oServer.Port := 80;
oJWT := TsgcHTTP_JWT_Server.Create(nil);
oJWT.JWTOptions.Algorithms.RS.PublicKey.Text := 'public key here';
oServer.Authorization.Enabled := True;
oServer.Authorization.JWT.JWT := oJWT;
oServer.Active := True;Checks property allows to enable some checks in the Payload of JWT, by default checks if the issued dates are valid.
Use the following events to control the flow of JWT Validating Token.
OnJWTBeforeRequest
The event is called when a new HTTP / WebSocket connection is detected and before any validation is done. This connection can contain or not a JWT Token.
If you don't want to process this Connection using JWT Validation, just set the Cancel parameter to True (means that this connection will bypass JWT validations).
By default, all connections continue the process of JWT validation.
OnJWTBeforeValidateToken
The event is called when the connection contains an Authorization token and before is validated.
If you don't want to validate this token, just set the Cancel parameter to True (means that this connection will bypass JWT validations).
By default, all connections continue the process of JWT validation.
OnJWTBeforeValidateSignature
This event is called after the token has been decoded, so using Header and Payload parameters you have access to the content of JWT and before the signature is validated.
The parameter Secret is the secret that will be used to validate the signature and uses the PublicKey or Secret of the JWTOptions property. If this Token must be validated with another secret, the new value can be set to Secret parameter.
By default, all signatures are validated
OnJWTAfterValidateToken
The event is called after the signature has been validated, the parameter Valid shows if the signature is correct or not. If it's not correct the connection will be closed, otherwise the connection will continue.
You can access to the content of Header and Payload of JWT using the arguments provided.
If there is any error validating the JWT, will be informed in the Error argument.
OnJWTException
If there is any exception while processing the JWT Decoding and Validation, this event will be called with the content of error.
OnJWTUnauthorized
This event is called before the connection is closed because there is no authorization token or is invalid, by default, the Disconnect parameter is true, you can set to false if you still want to accept the connection. This event can configure which endpoints must implement JWT Authorization or not.
The error "Access to XmlHttpRequest at X from origin X has been blocked X by CORS policy: Response to preflight request doesn't pass access control check" means the Web-browser is trying to send a Preflight request but the request is not authorized by your server. To allow do a Preflight request, check if the request is CORS and if true don't disconnect it, find below an example:
procedure OnJWTUnauthorized(Sender: TObject; aConnection: TsgcWSConnection; var Disconnect: Boolean);
begin
if IsCorsHeader(TsgcWSConnectionServer(aConnection).HeadersRequest) then
Disconnect := False
else
Disconnect := True;
end;
OnJWTResponseError
This event is called before the response error is sent to the client, allows customizing the Response Code, Text and Headers of the HTTP response. By default the Response Code Error is "401" and the Response Text is "Unauthorized".