I need to generate a new JWT AUTH token for a third-party app to allow access to the routes in a REST API. How should I generate a new AUTH token along with a TIMEOUT option in NodeJs, working with MongoDB dynamically?
Hey there, I am not sure I follow 100%. Can you clarify some things? It sounds like you have your own RESTful API that requires a JWT access_token. When your users go to a 3rd party application they want to be able to get an access token for your RESTful API.
- Are these assumptions correct?
- Is the access token supposed to be issued on behalf of a user delegating access to the client or is this client trying to get an access token for itself?
- What type of client are these 3rd party applications (regular web application, non-interactive client, spa, native)?
- Can you clarify this a bit more
How should I generate a new AUTH token along with a TIMEOUT option in NodeJs, working with MongoDB dynamically?
When getting an access token for a resource server/API you would model the API in auth0. The API would allow you to specify how long the JWT is valid for using the Token Expiration (Seconds) field.
1. Are these assumptions correct?
Yes
2. Is the access token supposed to be issued on behalf of a user delegating access to the client or is this client trying to get an access token for itself?
The client is trying to get an access token so that it can use it to make POST requests using a third-party webhooks service provided by IFTTT.
3. What type of client are these 3rd party applications (regular web application, non-interactive client, spa, native)?
IFTTT Webhooks Service
4. Can you clarify this a bit more: How should I generate a new AUTH token along with a TIMEOUT option in NodeJs, working with MongoDB dynamically?
I am able to get the access token for login, but I want to generate one more token for the IFTTT Webhooks POST request route. Do I need the client details such as username and password for generating a new token, or is there any way of getting a new token with the user logged in?
@fsam6177 I am still not sure if the token should be tied to a user in your system, but I can answer it both ways just in case.
Token For a User
If the 3rd party application needs the user's token and not a token for itself then when the user logs in you can use the audience parameter when calling authorize. The audience would be the unique identifier for the API you want to call. As part of the authorize call you can specify which scopes you want to acquire for that token as well. Once your application logs in the user you will receive an access_token that is also a JWT. This token can be used to call the API. Because this token was requested on behalf of a user the sub claim will be the user's id.
A Quick Word on Privacy
You mentioned this was a 3rd party application. Whenever you are working with 3rd party applications and issuing tokens to a user you really need to prompt the user for consent. Much like Google does when you log in with Google to other 3rd party sites, it asks the user if it is OK to share this data with the 3rd party site. In the answer for user-specific tokens you need to take care when delegating tokens from a first party client to a 3rd party client. I would not share tokens between those two clients. Instead I would make sure the user is authenticating with a 3rd party client to get the access token.
Machine to Machine Authentication
It might be true that this webhook API doesn't actually need a user's token. It just needs to call your API with a user token. If this is the case the 3rd party app/api could be setup as a non-interactive client and using the client credentials flow the machine could get a token of its own. In this flow the sub claim (subject) of the token will be the client_id and no user will be in the token.