We use the TjwtMiddleware with sparkle and xdata that validates the JWT: FXDataServerModule.AddMiddleware(TJwtMiddleware.Create('AAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA'));
Until a recent update the component returned simple messages such as:
"Invalid JWT"
"Token expired"
These have been changed to more complex messages:
JWT (claims: {"iat":1658408565,"nbf":1658408515,"exp":1658412165,"iss":"","sub":"{A418530E-819A-4393-9F9D-99ACBCB4A999}","typ":"Bearer","aud":"XXX","sid":1031,"scope":""}) rejected due to invalid claims.
Validation errors:
The JWT is no longer valid - the evaluation time [2022-08-23T12:44:02.299Z] is on or after the Expiration Time [exp=2022-07-21T14:02:45.000Z] claim value .
We relied on the response messages to determine whether tokens needed to be refreshed. The HTTP code 401 is not sufficient.
I can create a descending TJwtMiddleware (JWT Authentication) and create my own codes. But I do have to interpret the new complex message which can be changed in a new update. And therefore is unreliable.
Questions:
Why is it changed?
What should be used to reliably determine why the JWT has been declined? Is there a code that should be used instead of the message?
Exactly to provide more detailed information about what happens to the JWT. There might be many reasons for failing, and now the error message is more specific about what happened.
The message is still the way to go. Note that a JWT is just a JSON encoded in Base64. You can check the expiration time before sending it to the server. This avoids having to parse the response, and avoids having to do roundtrips to the server just to find out the token is expired.
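The client-side expiry check the reply describes, as an added example in Delphi (not code from this thread, from TMS Sparkle or from XData). It decodes the base64url payload segment, parses the JSON claims and compares exp/nbf with the current UTC time, so an expired token can be refreshed without a 401 round trip. It only uses the standard RTL (System.JSON, System.NetEncoding, System.DateUtils); the helper names (Base64UrlDecode, DecodeJwtPayload, PreCheckJwt, MakeDemoToken) and the demo token are assumptions made here. The signature is deliberately not verified: the client has no key, so this is an advisory pre-check and the server middleware remains the authority.

```pascal
program JwtPreCheck;
{$APPTYPE CONSOLE}

uses
  System.SysUtils, System.DateUtils, System.JSON, System.NetEncoding;

type
  TJwtCheck = (jcOk, jcMalformed, jcExpired, jcNotYetValid);

{ JWT segments are base64url (RFC 7515): '-' and '_' alphabet, no '=' padding. }
function Base64UrlDecode(const S: string): TBytes;
var
  T: string;
begin
  T := S.Replace('-', '+').Replace('_', '/');
  while (Length(T) mod 4) <> 0 do
    T := T + '=';
  Result := TNetEncoding.Base64.DecodeStringToBytes(T);
end;

function Base64UrlEncode(const S: string): string;
begin
  // TNetEncoding.Base64 inserts line breaks every 76 chars; strip them.
  Result := TNetEncoding.Base64.EncodeBytesToString(TEncoding.UTF8.GetBytes(S))
    .Replace(#13, '').Replace(#10, '')
    .Replace('+', '-').Replace('/', '_').TrimRight(['=']);
end;

{ Returns the payload object (caller frees) or nil if the token is not
  three dot-separated segments with a JSON object in the middle. }
function DecodeJwtPayload(const AJwt: string): TJSONObject;
var
  Parts: TArray<string>;
  Value: TJSONValue;
begin
  Result := nil;
  Parts := AJwt.Split(['.']);
  if Length(Parts) <> 3 then
    Exit;
  Value := TJSONObject.ParseJSONValue(Base64UrlDecode(Parts[1]), 0);
  if Value is TJSONObject then
    Result := TJSONObject(Value)
  else
    Value.Free;
end;

{ Advisory check only: the signature is NOT verified (the client has no key),
  so the server middleware stays authoritative. ASkewSeconds makes the client
  refresh slightly before the server would start rejecting the token. }
function PreCheckJwt(const AJwt: string; ASkewSeconds: Integer = 30): TJwtCheck;
var
  Payload: TJSONObject;
  NowUnix, Exp, Nbf: Int64;
begin
  Payload := DecodeJwtPayload(AJwt);
  if Payload = nil then
    Exit(jcMalformed);
  try
    // exp/nbf are NumericDate values: seconds since the Unix epoch, in UTC.
    NowUnix := DateTimeToUnix(TTimeZone.Local.ToUniversalTime(Now));
    Result := jcOk;
    if Payload.TryGetValue<Int64>('exp', Exp) and (NowUnix + ASkewSeconds >= Exp) then
      Result := jcExpired
    else if Payload.TryGetValue<Int64>('nbf', Nbf) and (NowUnix + ASkewSeconds < Nbf) then
      Result := jcNotYetValid;
  finally
    Payload.Free;
  end;
end;

{ Constructed demo token: real header/payload encoding, dummy signature. }
function MakeDemoToken(const PayloadJson: string): string;
begin
  Result := Base64UrlEncode('{"alg":"HS256","typ":"JWT"}') + '.' +
            Base64UrlEncode(PayloadJson) + '.' + 'ZHVtbXk';  // base64url("dummy")
end;

var
  Token: string;
begin
  // Constructed claims using the same exp/nbf as quoted in the thread
  // (exp = 1658412165 = 2022-07-21T14:02:45Z), so the token is long expired.
  Token := MakeDemoToken('{"exp":1658412165,"nbf":1658408515,"sub":"demo"}');
  case PreCheckJwt(Token) of
    jcOk:          Writeln('token usable: send the request');
    jcExpired:     Writeln('token expired: refresh it before calling the server');
    jcNotYetValid: Writeln('token not yet valid (nbf): check the clock or wait');
    jcMalformed:   Writeln('not a JWT: re-authenticate');
  end;
end.
```

Run the check before each XData call and refresh when it returns jcExpired; keep the 401 handling anyway, because the server can still reject a token for reasons the client cannot see locally (wrong signature, audience, or a key rotated on the server).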
We have made some changes on the server and now use our own descendant of TJwtMiddleware to create a response message.
When testing this with a Postman client we see the 401 response code with our own (custom) message 'JWT is no longer valid'.
However, when using a TXDataClient in Delphi we don't get the custom message. Instead we get 'Unauthorized' no matter what we try.
So far we tried catching the exception as E: Exception and as an EXDataOperationRequestException, but both failed to produce the custom response.
Using the EXDataOperationRequestException we are able to get more info from the response Message (still not our custom text):
XData server request error.
Uri: http://xxx.xxx.xxx/yyy/yyyy/
Status code: 401
Unauthorized
Any suggestion on how to get the custom message at the client?