fpJWT

From Lazarus wiki
Revision as of 10:05, 17 March 2023 by Alextp (talk | contribs)

The fpJWT unit is part of the FCL-Web package in Free Pascal. It provides an implementation of JSON Web Tokens (JWT).

Example for login

Q: Where can I find an example of using JWT for login?

A (by forum member PierceNg):

In HTTP, a JWT is transmitted in a request header like this: "Authorization: Bearer <jwt>". The server uses that info to make security decisions.

How is the JWT issued to the HTTP client in the first place? By means of some authentication mechanism.

What authentication mechanism? Depends on the client. It is different for a human driving a web browser that is running an SPA and an automated client making REST calls, as examples.

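  // Needs units fpjwt, SysUtils and DateUtils; issuer, subject and minutesToExpire come from the caller.
  jwt:= TJWT.Create(TJWTClaims);
  try
    jwt.Claims.iss:= issuer;
    // exp is an Int64 NumericDate: seconds since the Unix epoch, in UTC.
    jwt.Claims.exp:= DateTimeToUnix(LocalTimeToUniversal(IncMinute(Now, minutesToExpire)));
    jwt.Claims.sub:= subject;
    jwt.JOSE.alg:= 'HS256';
    jwt.JOSE.typ:= 'JWT';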
  finally 
....

It should be an authentication component that issues the JWT. I assume your CGI program will consume the JWT. How does the client of your CGI handle issuance and use of the JWT?

Some useful reading:

Custom claims

Q: I'm porting an application from Delphi, and with Paolo Rossi's JWT implementation it is possible to add custom claims. I took a look at the source and couldn't figure out how to do it.

A (forum member PascalDragon): You need to create a descendant of TClaims with the custom claims as properties (please note that the property names will be used as is for the claims, so mind the casing). See the example in /packages/fcl-web/examples/jwt/signrs256.lpr.
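
The descendant approach described in the answer above, as an added example (not code from the wiki, the forum or the FPC sources). It also shows that the encoded claims can be read back without any key, so custom claims should not carry secrets. The class TAppClaims, its role and tenant claims and the sample values are made up for illustration; the AsString and AsEncodedString properties and DateUtils' LocalTimeToUniversal are assumed to be available in your FPC version.

```pascal
program customclaims;

{$mode objfpc}{$H+}

uses
  SysUtils, DateUtils, fpjwt;

type
  // Hypothetical claims class for this example. Published property names
  // become the JSON claim names verbatim, so "role" and "Role" differ.
  TAppClaims = class(TClaims)
  private
    FRole: String;
    FTenant: String;
  published
    property role: String read FRole write FRole;
    property tenant: String read FTenant write FTenant;
  end;

var
  jwt: TJWT;
  claims, peek: TAppClaims;
begin
  jwt := TJWT.Create(TAppClaims);   // constructor form used on this page
  peek := TAppClaims.Create;
  try
    jwt.JOSE.alg := 'HS256';
    jwt.JOSE.typ := 'JWT';
    claims := jwt.Claims as TAppClaims;
    claims.iss := 'auth.example.test';   // constructed sample values
    claims.sub := 'user-1001';
    // Short lifetime, expressed as UTC seconds since the Unix epoch.
    claims.exp := DateTimeToUnix(LocalTimeToUniversal(IncMinute(Now, 15)));
    claims.role := 'editor';
    claims.tenant := 'acme';

    // JSON payload as it will be carried in the token.
    WriteLn(claims.AsString);

    // The encoded payload is base64url, not encryption: a fresh object
    // can load it with no key at all.
    peek.AsEncodedString := claims.AsEncodedString;
    WriteLn('readable without key: ', peek.role, ' / ', peek.tenant);
  finally
    peek.Free;
    jwt.Free;
  end;
end.
```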