ColdBox Security Module
Search…
v2.x
Introduction
Intro
Release History
About This Book
Author
Getting Started
Installation
Overview
Configuration
Usage
Authentication Services
Security Rules
Security Annotations
Secured URL
Interceptions
cbSecurity Model
Cross Site Request Forgery
Security Validators
CBAuth Validator
CFML Security Validator
Custom Validator
JWT
JWT Services
JWT Validator
Refresh Tokens
Token Storage
JWT Interceptions
External links
Source code
Issue Tracker
cbauth
cbcsrf
JWT CFML
Powered By GitBook
JWT Validator
Now that we have all the pieces in place for JWT, we can now register the JWT validator as our validator of choice for requests which in our case it is the same JWT Service that will take care of the validation: [email protected].
The validator will inspect the incoming requests for valid jwt authorization headers. It will be in charge of verifying their expiration, their required claims, and the user it represents. Once that is done, it goes in the same rule/annotation security flow that cbsecurity leverages.
config/Coldbox.cfc
cbsecurity = {
validator = "[email protected]"
}

Module Override

Each module can also override their validator via it's configuration setting cbsecurity.validator. So if the global validator is something other than jwt but your module REQUIRES JWT validation, then just add it in your ModuleConfig.cfc
settings = {
cbsecurity = {
validator = "[email protected]"
}
}

JWT Token Discovery

The JWT validator will discover the incoming JWT token from 3 sources:
  1. 1.
    authorization header using the bearer token approach
  2. 2.
    Custom header configured in your settings: cbsecurity.customAuthHeader
  3. 3.
    Incoming rc variable with the same name as cbsecurity.customAuthHeader

Token Scopes & Permissions

If your rules have the permissions element or your secure annotations have context, then we will treat those as the scopes/permissions to check the user/token must have at validation.
Scopes
Auth0 Docs

Validator Process

The validator will have the following validation process:
  • Verify the jwt token exists via the authorization header or custom header x-auth-token or incoming rc[ 'x-auth-token' ]
  • Verify we can decode it
  • Verify if it has not expired from the token itself
  • Verify it has the required claims
  • If token storage is enabled, verify the token in the permanent storage
  • Verify the subject (sub) claim and try to retrieve the user it represents
  • Try to authenticate the user for the request
  • Verify the subject has the right permissions or the token has the right scopes attached to it.
  • If all is valid then place the token in prc.jwt_token and the payload in prc.jwt_payload
  • If all is valid then place the user object in prc.oCurrentUser or the variable of your choice via the cbsecurity.prcUserVariable setting.
  • Continue or block
That's it! You can create your rules and annotations just like your used to, but now the validator will make sure valid JWT tokens are passed for those requests.
JWT - Previous
JWT Services
Next - JWT
Refresh Tokens
Last modified 11mo ago
Copy link
Edit on GitHub
Outline
Module Override
JWT Token Discovery
Token Scopes & Permissions
Validator Process