/blog/2015/04/how-to-add-jwt-authentication-to-a-cakephp-3-rest-api/

[bravo-kernel]

How to add JWT Authentication to a CakePHP 3 REST API

https://www.bravo-kernel.com/blog/2015/04/how-to-add-jwt-authentication-to-a-cakephp-3-rest-api/

[bravo-kernel]

Saleh Souzanchi [DISQUS]: thank for this post, very Perfect

[bravo-kernel]

Bayezid Alam [DISQUS]: So helpful, Thanks a lot, waiting for more :-)

[bravo-kernel]

André Teixeira [DISQUS]: Bravo! ;)

[bravo-kernel]

Massimo Frascati [DISQUS]: Hi, thanks a lot for the tutorial, it's really great! :)
I'm trying to get the user information after the token has been verified, I suppose the function getUser() is the right place to go, but cannot manage how to access the function from $this->Auth! Any help?

[bravo-kernel]

Bravo Kernel [DISQUS]: "Getting user info would be the same as using any other authenticator". Simply put your wish is not JWT related so please check the CakePHP documentation on Authentication (http://book.cakephp.org/3.0/en/controllers/components/authentication.html) or ask for help in the channel.

[bravo-kernel]

Kevin Wong [DISQUS]: Hi Bravo, firstly i'd like to say thank you very much for this 4 part series tutorial, most importantly because it really WORKS, and secondly it really helped to build a basic framework much needed by most real world applications. It really takes away the complexity from most basic framework requirements (REST and Authentication) and allows us to focus more quickly on actual business requirements and logic.

I have followed this tutorial and managed to get things working using CakePHP 3, Postman, and the CRUD and JWT plugins you recommended. This has become my server-side API. On the client side I am building a PhoneGAP application that sends REST requests.

My question has to do with my next step in my application development, how can I integrate social login into my application?

I suppose this question spans both the PhoneGap application I am building and also the Server side API / application that I have built based on your tutorial. A specific platform answer (e.g. phonegap and cakephp) would be great, otherwise, if you could help put me in the right direction, or share some words of wisdom, I (as well as others) would really appreciate it. I'm relatively new to the world of authentication so I am not sure where to go.

Some specific points of confusion:
PhoneGAP has an oAuth plugin, but i'm not sure if this is what I need.
Also i'm not sure how and where any specific plugins I use can integrate with the existing JWT plugin used on the CakePHP that I have set up using your tutorial.

[bravo-kernel]

Bravo Kernel [DISQUS]: Thank you kindly Mr. Wong, CakePHP 3 indeed makes a great API for PhoneGap applications. For help with OAuth please visit the #cakephp channel. You might also consider visiting https://github.com/FriendsOfCake/awesome-cakephp which contains a list of well known plugins.

[bravo-kernel]

lukas strassel [DISQUS]: Hello there, thanks for this tutorial! I've some question on the security of this approach... I think I didn't understand how this encryption works :/ What makes this application secure against someone capturing the package and simply use Bearer {YOUR-JWT-TOKEN} to send any message he/she wants to?
Regards,
Lukas

[bravo-kernel]

ADmad [DISQUS]: Nothing. Which is why the article mentions at the top "please remember to use SSL/TLS encrypted connections for ALL API traffic to prevent man in the middle attackers from seeing and stealing the tokens"

[bravo-kernel]

Sam Bown [DISQUS]: Well SSL/TLS ain't safe after-all. Heartbleed attack could take its toll on all of us :) At least Cakephp has a secure Input validation. As the Web progresses, security is undermined. I guess that's the nature of the web :)

[bravo-kernel]

Diego Carrera [DISQUS]: Hello Bravo, thanks for the awesome tutorial, just one question.
After storing the token in the application, how can the application test the validity of the token, let's say after a few days, so I can redirect to a login screen?

[bravo-kernel]

Bravo Kernel [DISQUS]: There is no need to (pre)check token validity on the (client) application. Just send the token to the API, valid or not. The API will return an 'expired' response for expired tokens (419) which your application should recognize, triggering the login screen.

[bravo-kernel]

Diego Carrera [DISQUS]: All right thanks a bunch!

[bravo-kernel]

Sam Bown [DISQUS]: This Tutorial is by far the best REST API Tutorial as far as CakePHP is concerned. Just awesome.

[bravo-kernel]

Sam Bown [DISQUS]: Love this tutorial. I am confused in this section though.
4. Updating The Prefix Route
it says "Make sure to update the api prefix route in config/bootstrap.php to resemble:"
shouldn't it be config/routes.php ?
Many thanks. BTW Cakephp 3 is Simply Awesome.

[bravo-kernel]

Bravo Kernel [DISQUS]: Well spotted, updated the post to use 'routes.php'

[bravo-kernel]

Curtis Gibby [DISQUS]: Great tutorial. I never would have gotten through the process of adding JWT to my application without it.

One bit of feedback: in the "/token action" section, wouldn't it make sense to add an "expiration_time" to the response data, so that token consumers can know when they'll have to come back for a fresh token? Or is the "now + 604800 seconds" pretty standard for JWT authorization?

[bravo-kernel]

Bravo Kernel [DISQUS]: That information is already in the token. Take a good look at the jwt.io Debugger screenshot. You will see the exp claim shows the actual token expiration date in epoch format (calculated using 604800 as offset when the token was generated). Feel free to change the 604800 to meet your needs. Same goes for the response data, extend as you please.

[bravo-kernel]

Curtis Gibby [DISQUS]: I know that *I*, as the token provider, can read the expiration claim
out of the generated token, because I have the secret. But a token
consumer wouldn't be able to decrypt it without that secret, right? Or do I misunderstand how token decryption works?

[bravo-kernel]

Bravo Kernel [DISQUS]: Aha, I see what you mean now and believe that you are correct. In that context, yes, you could add it to the response body to show your users, I just don't see the use-case for it.

[bravo-kernel]

Bravo Kernel [DISQUS]: Had to check myself here... just pasting the token (without the secret) gives me the timestamp so application-side should be able to figure that out as well. It's already in the token.

[bravo-kernel]

Franck Demongin [DISQUS]: You ask the question a long time ago...
the part one and two of the token (header and payload) are encoded in base64. In Javascript you can access them with atob().

[bravo-kernel]

Jack [DISQUS]: Thank you so much for writing this tutorial. It is extremely helpful in my development. I have a question, if I wanted to use 'email' rather than 'username' to check the db, how would I modify the app? I'm using an already existing database that uses 'email' instead of 'username' for the users credentials? Also, the database uses 'pin' instead of 'password', how could I modify the structure to accommodate for the changes in database structure? Thanks again!

[bravo-kernel]

Bravo Kernel [DISQUS]: Just specify the username and password fields you want to use for FormAuthenticate. https://gist.github.com/bravo-kernel/b7397f35fae4e61e7be0#file-appcontroller-php-L9. Please note that you MUST always specify both fields.

[bravo-kernel]

Jack [DISQUS]: Thank you so much for the quick reply! I hate to bother, but my existing table is 'contacts' instead of 'users'. Is it possible to modify the AppController or routes to reflect this difference in structure? Love the work you have put into this.

EDIT: figured it out...You have to edit your BaseAuthenticate.php file (typically located at: vendor/cakephp/cakephp/src/Auth/BaseAuthenticate.php) and update the $_defaultConfig 'userModel' element to the correct table you are using (if NOT Users).

[bravo-kernel]

Chris Malpass [DISQUS]: This is a really great tutorial. I have done everything as shown, but am unable to use GET with the Authorization header to retrieve data. I am, however, able to use the _token parameter in the URL. I have tried all of the suggested formatting for the header Authorization: Bearer TOKEN_GOES_HERE in both raw and form based rest clients. I can't seem to get the header based token submission to work. Any ideas about what I've done wrong?

[bravo-kernel]

Ravi S. Singh [DISQUS]: Thanks really saved my time.. :)

[bravo-kernel]

Mark Hanford [DISQUS]: Oh my god - this stopped me tearing my hair out :) Thank you!

[bravo-kernel]

Terry [DISQUS]: Life saver!!!

[bravo-kernel]

Jérôme Lafforgue [DISQUS]: Thank you so much too !!! :)

[bravo-kernel]

Bikash Chhualsingh [DISQUS]: Sorry to say, but this didn't work in my case.

But this worked for me: SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

[bravo-kernel]

Monsur Hoq [DISQUS]: In my case:

• not worked: Router::connect('/api/users/register', ['controller' => 'Users', 'action' => 'add', 'prefix' => 'api'])
• workedRouter::connect('/users/register', ['controller' => 'Users', 'action' => 'add', 'prefix' => 'api']);

[bravo-kernel]

Pim Brouwers [DISQUS]: Honestly, what an amazing tutorial series. Can't emphasize this enough. Thank you hundred times. Just wanted to shut out to anyone taking this, finding that the Auth component returns false for each "identify()" call. MAKE SURE your database column which stores the password is long enough, ie: varchar(255) -- cake will throw no errors indicating that this is a problem if it isn't sufficient in length and ALL of your subsequent authorization attempts with the correct password will fail.

[bravo-kernel]

avinashjoshi [DISQUS]: Can you guide us to using or generating a refresh token and using that to generate a new access token & keep a user authenticated?

[bravo-kernel]

Bravo Kernel [DISQUS]: Simply call the /token action from within your app to get a new jwt token. Then use the new token for new requests. The user will stay authenticated.

[bravo-kernel]

Kasper Wintiz [DISQUS]: hi can you provide further details?

What you've stated is not what access token, and refresh tokens are used for.

[bravo-kernel]

AbdelMonnem BEN HAJ DAHMEN [DISQUS]: Still looking for an answer to the same question. Any help please.

[bravo-kernel]

Bravo Kernel [DISQUS]: I needed to read up on this but mr. @kasperwintiz:disqus is right; this article explains the difference between access tokens and refresh tokens quite well IMO: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/. As this seems not related to the jwt-plugin this would require custom application logic. E.g. a controller function accepting some sort of secret key that would (assuming a correct key was given) generate a jwt-token for that user without requiring username/password. The response containing the new jwt-token could then be used by the client for further requests.

[bravo-kernel]

Anupal [DISQUS]: If i use it along Acl Plugin, does it need any changes in Api/AppController ??

Error: DbAcl::check() - Failed ACO node lookup in permissions check ...

[bravo-kernel]

Lennard [DISQUS]: How would i only find results that belong to the user, e.g. my cocktails table has a column called account. I want to match the account of the user to the account of the cocktail?

[bravo-kernel]

Jonathan Lafleur [DISQUS]: Hi, I just ran into an issue with Apache stripping away Authorization header, you need to define a new header while enabling JWT (5. Enabling JWT Authentication, line 38)

'ADmad/JwtAuth.Jwt' => [  
    'header' => 'Authtoken'  
...  
]

Then you can trigger with that new header instead of Authorization

[bravo-kernel]

Pramila Manandhar [DISQUS]: Hi, how can i change the json response for expired token??

[bravo-kernel]

Karthikeyan Raju [DISQUS]: Hi,

did you found solution for this?

[bravo-kernel]

Borhan Safa [DISQUS]: I have been following this tutorial from the beginning, everything was working fine but I am getting the following error on 'Verify Token Request' section. Now I am stuck and could not move further.

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'Users.active' in 'where clause' PDOException...  

Looking for help from anyone.
Thanks in advanced.

[bravo-kernel]

Prabhat Bhardwaj [DISQUS]: when i use wrong token it should say invalid token but it says

{  
  "message": "Wrong number of segments",  
  "url": "/api/users/working.json",  
  "code": 500,  
  "file": "/opt/lampp/htdocs/cake_seed/vendor/firebase/php-jwt/src/JWT.php",  
  "line": 78  
}

How can i fix it

[bravo-kernel]

Bravo Kernel [DISQUS]: Without defining "wrong token" this will be impossible to pinpoint exactly. Please refer to the CakePHP slack channel if you need further assistance.

[bravo-kernel]

jose caceres [DISQUS]: Hello, thanks for the tutorial, one question. How can I get the ID of the user that has been authorized in the action? For example I need to log the user that executed a particular action

[bravo-kernel]

Anuj Sharma [DISQUS]: How can I store the Token to database? Also a tutorial on generating token secret just like other services will be appreciable for new users.

In my application, I want user to be able to create App and generate access token for that app.

[bravo-kernel]

arun saini [DISQUS]: Hi Bravo, Thank you for this post. I have some different requirement. I need to save registration data in two different tables. Also need to create one more field in users table and other details in profiles table. how can I save data in both the tables with validation on both table fields. Thanks.

[bravo-kernel]

Alomgir Hossen [DISQUS]: Thanks for this JWT post.

[bravo-kernel]

Alomgir Hossen [DISQUS]: Thanks Bro,

[bravo-kernel]

Gustavo Gonçalves [DISQUS]: Why JWT-Auth breaks unauthorizedRedirect? (For JWT-Auth to work, i need to set unauthorizedRedirect = false, but my application is a 'common' Cakephp3, using unauthorizedRedirect if user is not authenticated).
(common, i mean, not angular or another type of application. i'll use JWT-auth just for mobile app).
How do i use JWT-auth with this option enabled, for Web navigation?

[bravo-kernel]

Nate T Schreiner [DISQUS]: I know this tutorial is old but I hope I can still get a reply. I'm following along with the code and I don't see any use of the ADmad/cakephp-jwt-auth repository? The only specific command I'm seeing is this `JWT::encode()` function call but that does not come from the repository I linked in this comment. Is ADmad/cakephp-jwt-auth neccasry for this demo and if so where and what function does it play?

[bravo-kernel]

Bravo Kernel [DISQUS]: Yes, ADmad/cakephp-jwt-auth is required for this demo and is responsible for "handling" the tokens. The encoding etc. is done the firebase/php-jwt lib.

[bravo-kernel]

MAURO DA SILVA ALEXANDRE [DISQUS]: 6y old content, but helped me a lot nowadays

[rkhe]

Hi,

I tried to implement this tutorial using CakePHP 4 and found something strange.
When Verifying JWT Auth on step 5, we need to override the CRUD's function on each Controller for it to work, meaning it will throw a 401 unauthorized.

Example:

1. UserController has add() override action only.
2. So, only when requesting to add() endpoint will throw a "You are not authorized to access that location.". Other action will just work without Authentication token passed.

Specs:

• CakePHP 4.4
• friendsofcake/crud 6.1
• admad/cakephp-jwt-auth 3.0
• using CakePHP Development Server

I know the title says it's for CakePHP 3.
Since both friendsofcake/crud and admad/cakephp-jwt-auth are both CakePHP 4 compatible. So why not, right? :)

[bravo-kernel]

Please ask for assistance in one of the CakePHP support channels https://book.cakephp.org/4/en/intro/where-to-get-help.html.