Uses non-recommended authentication scheme
See original GitHub issue

passport-jwt’s ExtractJwt.fromAuthHeader() uses the following HTTP header:

Authorization: JWT JSON_WEB_TOKEN_STRING.....
But RFC 6750 clearly specifies that access token based authentication must use Bearer
as the authentication token. The non-recommended scheme specification would lead to conflicts.
Top GitHub Comments
For the sake of completeness, the code for the rfc6750 variant goes like this:
Use this with the example provided in https://github.com/themikenicholson/passport-jwt#configure-strategy.
Thanks @themikenicholson for putting this together! 🍾
@JemiloII Authorization headers typically contain an authentication scheme along with the token or auth parameter. I think it was RFC 2617. I’m going to stick with the RFC compliant behavior.
If you don’t like the standard behavior you can write your own extractor function.
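The maintainer's suggestion above (write your own extractor) and the issue's request for the RFC 6750 Bearer scheme, as an added example that is neither passport-jwt's own code nor code from this thread: a jwtFromRequest extractor that accepts only Authorization: Bearer <token> (scheme matched case-insensitively, token restricted to RFC 6750's b64token characters) plus a helper that reports which scheme a client sent, so legacy "JWT ..." headers can be counted in logs while clients migrate. It assumes the extractor contract passport-jwt documents (a function taking the request and returning the token string or null); the sample requests and the JWT_SECRET variable name are constructed.

```javascript
// Added example, not passport-jwt's own code.
// passport-jwt's documented jwtFromRequest contract: fn(req) -> token string or null.

// RFC 6750 section 2.1 credentials: "Bearer" 1*SP b64token, where
// b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
// HTTP auth-scheme names are case-insensitive (RFC 7235), hence the /i flag.
const BEARER_RE = /^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$/i;

// Extractor: returns the bearer token, or null when the header is absent,
// uses another scheme (e.g. the legacy "JWT" scheme), or is malformed.
function bearerTokenFromRequest(req) {
  const header = req && req.headers ? req.headers.authorization : undefined;
  if (typeof header !== 'string') return null;
  const match = BEARER_RE.exec(header.trim());
  return match ? match[1] : null;
}

// Reports the auth-scheme a client sent (lower-cased) so non-standard schemes
// can be logged and counted during a migration to Bearer; null if none sent.
function authSchemeOf(req) {
  const header = req && req.headers ? req.headers.authorization : undefined;
  if (typeof header !== 'string') return null;
  const scheme = header.trim().split(/[ \t]+/, 1)[0];
  return scheme ? scheme.toLowerCase() : null;
}

// Wiring into passport-jwt's strategy options (jwtFromRequest and secretOrKey
// are passport-jwt options; the JWT_SECRET variable name is an assumption):
// const opts = { jwtFromRequest: bearerTokenFromRequest, secretOrKey: process.env.JWT_SECRET };
// passport.use(new JwtStrategy(opts, verify));

// Constructed sample requests (the token value is a placeholder, not a real JWT).
const samples = [
  { headers: { authorization: 'Bearer aaa.bbb.ccc' } },   // RFC 6750 form
  { headers: { authorization: 'bearer aaa.bbb.ccc' } },   // scheme is case-insensitive
  { headers: { authorization: 'JWT aaa.bbb.ccc' } },      // legacy passport-jwt scheme
  { headers: { authorization: 'Bearer' } },               // scheme without a token
  { headers: {} },                                        // no Authorization header
];
for (const req of samples) {
  console.log(JSON.stringify(req.headers), '->', authSchemeOf(req), bearerTokenFromRequest(req));
}
```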