Perhaps a "dumb" question, but how do I process the access token - obtained from a Sphinx server - in an XData server?
I understand it with the JWT access token (in demo) but that's merely because the XData server generates the token and can compare. XData has no knowledge whatsoever of a token that was generated by Sphinx, so how can it be validated?
Is there any good demo code? I cannot seem to find it in my installation.
1. If you use symmetric keys (sign the token with a secret), then the Sphinx server and XData server should share the secret. So Sphinx signs the JWT with the secret, and XData uses the same secret to validate.
2. You can use asymmetric keys. The Sphinx server signs the token with its private key, and then you use the respective public key from XData to validate the token.
We have demos for both situations. For 1, it's the regular Sphinx simple demo. Also, in the XData demos you have JwtAuthDemo, which shows both options in action. Finally, the BIZ-Boilerplate project on GitHub also shows public/private key usage.
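The two options above, worked through end to end in Go (an added illustration, not TMS code and not what Sphinx or XData do internally; the real products are Delphi). `IssueHS256` and `IssueRS256` stand in for the Sphinx side, `Verifier` for the XData side; `Claims`, `NewIssuerKey` and the field names are assumptions made for the example. The point the thread is making is visible in the `Verifier` struct: the resource server never sees Sphinx's code, it only needs either the same secret (option 1) or the issuer's public key (option 2), and with that alone it can check the signature and the expiry.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct { // minimal JWT payload; field set constructed for this example
	Sub string `json:"sub"` // user the token was issued to
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signingInput builds the "header.payload" string that both algorithms sign.
func signingInput(alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	pl, _ := json.Marshal(c)
	return b64(hdr) + "." + b64(pl)
}

// IssueHS256 is the issuer (Sphinx) side of option 1: sign with the shared secret.
func IssueHS256(secret []byte, c Claims) string {
	in := signingInput("HS256", c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + b64(mac.Sum(nil))
}

// NewIssuerKey generates the issuer's key pair for option 2 (hypothetical helper).
func NewIssuerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueRS256 is the issuer side of option 2: sign with the issuer's private key.
func IssueRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	in := signingInput("RS256", c)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return in + "." + b64(sig), nil
}

// Verifier is what the resource server (XData) holds: the shared secret (option 1)
// or only the public key (option 2). Set exactly one, so the token's own "alg" header
// can never pick which check is run.
type Verifier struct {
	Secret []byte
	Pub    *rsa.PublicKey
}

// Verify checks the signature with the configured key, then the exp claim.
func (v Verifier) Verify(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	plJSON, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return c, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return c, err
	}
	in := []byte(parts[0] + "." + parts[1])
	switch {
	case hdr.Alg == "HS256" && v.Secret != nil && v.Pub == nil:
		mac := hmac.New(sha256.New, v.Secret)
		mac.Write(in)
		if !hmac.Equal(mac.Sum(nil), sig) { // constant-time compare
			return c, fmt.Errorf("HMAC signature mismatch")
		}
	case hdr.Alg == "RS256" && v.Pub != nil && v.Secret == nil:
		h := sha256.Sum256(in)
		if rsa.VerifyPKCS1v15(v.Pub, crypto.SHA256, h[:], sig) != nil {
			return c, fmt.Errorf("RSA signature mismatch")
		}
	default:
		return c, fmt.Errorf("alg %q not accepted by this verifier", hdr.Alg)
	}
	if err := json.Unmarshal(plJSON, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, fmt.Errorf("token expired")
	}
	return c, nil
}
```

To try it, call `IssueHS256` (or `NewIssuerKey` followed by `IssueRS256`) from a `main` or a test, then hand the token to a `Verifier` built with only the secret or only `&priv.PublicKey`. A verifier configured for one option rejects tokens signed under the other, a token signed with a different secret, a tampered token, and an expired one; that rejection is all the resource server needs, it never has to know how the issuer built the token.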
Thanks for the info, but the more I read, the more I seem to get confused. My main "struggle" at this point is where to implement the signing:
In the XData server it appears that I must add the JWT middleware in order to use the GetSecretEx event for validating the signature.
Looking at the Sphinx Simple Demo, I see the TSphinxConfig.OnConfigureToken and the TSphinxConfig.OnGetSigningData events implemented. My understanding is that the former is used to "build" the token (payload etc.) and the latter to return the secret (equivalent of JWT GetSecretEx?).
Is my understanding of the above correct? If not, can you perhaps describe in a few simple steps the required workflow (for XData, Sphinx and a VCL client). Just some simple steps. I'll figure out the code myself from the many examples.
Thanks in advance!
PS: Due to circumstances it may take a while for me to respond further.
The JWT middleware is the one that decodes requests sent with a JWT and sets the Request.User property based on what it found. It also rejects requests with an invalid JWT and, if you forbid anonymous requests, it also rejects requests without a JWT.
So, you do not have to add JWT to your server; it's up to you, of course. But if you don't, your server will be open to anyone.