fpJWT | Example

[cpalx]

Hello, Where can i find an example of using jwt for login

i just did this

  jwt:= TJWT.Create(TJWTClaims);
  try
    jwt.Claims.iss:= issuer;
    jwt.Claims.exp:= Now + EncodeTime(0, minutesToExpire, 0, 0)]);
    jwt.Claims.sub:= subject;
    jwt.JOSE.alg:= 'HS256';
    jwt.JOSE.typ:= ''JWT;
  finally 
....


i wiill use in a cgi

[PierceNg]

In HTTP, a JWT is transmitted in request header like this: "Authorization: Bearer <jwt>". The server uses that info to make security decisions.

How is the JWT issued to the HTTP client in the first place? By means of some authentication mechanism.

What authentication mechanism? Depends on client. Different for human driving web browser that is running an SPA and automated client making REST calls, as examples.

Code: [Select]

  jwt:= TJWT.Create(TJWTClaims);
  try
    jwt.Claims.iss:= issuer;
    jwt.Claims.exp:= Now + EncodeTime(0, minutesToExpire, 0, 0)]);
    jwt.Claims.sub:= subject;
    jwt.JOSE.alg:= 'HS256';
    jwt.JOSE.typ:= ''JWT;
  finally 
....
i wiill use in a cgi

It should be an authentication component that issues the JWT. I assume your CGI program will consume the JWT.
How does the client of your CGI handle issuance and use of the JWT?

Some useful reading:

- https://blog.paolorossi.net/jwt-authentication-with-delphi-part-1/
- https://blog.logrocket.com/jwt-authentication-best-practices/
- https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf

[AlexTP]

I stored this useful answer to Wiki, https://wiki.freepascal.org/fpJWT

[cpalx]

But, how to return the value of JWT?

something

[PierceNg]

But, how to return the value of JWT?

something

Why don't you describe how you envisage using JWT in your setup.

[paweld]

@cpalx: What version of FPC do you have? 

In FPC 3.2.2 there is no signature generation yet - so you must either use the component: https://github.com/andre-djsystem/LazJWT, or use fpjwt to generate JOSE and Claims and using https://github.com/Xor-el/HashLib4Pascal generate a signature, e.g.

Code: Pascal  [Select][+][-]

1. uses
2.   fpjwt, HlpIHashInfo, HlpConverters, HlpHashFactory, DateUtils, Base64;
3.  
4. procedure TForm1.FormCreate(Sender: TObject);
5. begin
6.   ShowMessage(GenJwt('xxx', 'yyy', 'password', 60));
7. end;
8.  
9. function TForm1.GenJwt(issuer, subject, secret_key: String; minutesToExpire: Integer): String;
10. var
11.   jwt: TJWT;
12.   LHMAC: IHMAC;
13.   barr: TBytes;
14.   s: String;
15.   i: Integer;
16. begin
17.   jwt := TJWT.Create;
18.   jwt.Claims.iss:= issuer;
19.   jwt.Claims.exp:= DateTimeToUnix(IncMinute(Now, minutesToExpire));
20.   jwt.Claims.sub:= subject;
21.   jwt.JOSE.alg:= 'HS256';
22.   jwt.JOSE.typ:= 'JWT';
23.   Result := jwt.JOSE.AsEncodedString + '.' + jwt.Claims.AsEncodedString;
24.   LHMAC := THashFactory.THMAC.CreateHMAC(THashFactory.TCrypto.CreateSHA2_256);
25.   LHMAC.Key := TConverters.ConvertStringToBytes(secret_key, TEncoding.UTF8);
26.   barr := LHMAC.ComputeString(Result, TEncoding.UTF8).GetBytes();
27.   s := '';
28.   for i := Low(barr) to High(barr) do
29.     s := s + chr(barr[i]);
30.   jwt.Signature := jwt.Base64ToBase64URL(EncodeStringBase64(s));
31.   Result := Result + '.' + jwt.Signature;
32.   jwt.Free;
33. end;  
34.  

[WayneSherman]

In FPC 3.2.2 there is no signature generation yet...

JWT signing was added to fpc trunk in 2022:
https://gitlab.com/freepascal.org/fpc/source/-/tree/main/packages/fcl-web/examples/jwt
https://gitlab.com/freepascal.org/fpc/source/-/tree/main/packages/fcl-web/src/jwt

jwt commit history:
https://gitlab.com/freepascal.org/fpc/source/-/commits/main/packages/fcl-web/src/jwt

See also:
https://gitlab.com/freepascal.org/fpc/source/-/tree/main/packages/fcl-hash/src
https://gitlab.com/freepascal.org/fpc/source/-/commits/main/packages/fcl-hash/src

[AlexTP]

Updated the wiki info from posts, https://wiki.freepascal.org/fpJWT#Signature_generation