Bearer authentication

[viniciussanchez]

Hi, I would like to know why to request a JWt token, do I have to use the POST method? And why did you create custom headers, being the default and using header authorization? If I make the settings to leave the API according to the Web standard, will you accept the pull request?

[fastbike]

Which flow are you using ?

E.g. https://auth0.com/docs/api-auth/which-oauth-flow-to-use

[viniciussanchez]

I have a server using DMVC, where it is responsible for receiving the user and password and generating the JWT token.
The DMVC is forcing me to use custom headers as long as header authorization already exists for this as a default. The DMVC is also forcing me to request my token through the POST method on how much it should be GET since I am not passing anything on the request body.

On the server that will be authenticated by JWT, it is also wrong. It forces me to pass the token on the Authenticate header as long as the default is the Authorization header. And the DMVC is still validating the header content as follows: "bearer dgasdkghdaskfghfasdf", while the default is "Bearer askfgsdkfghjkfalsdfglfkj"

[viniciussanchez]

See more:
https://jwt.io/introduction/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization

[viniciussanchez]

I can adjust and perform the pull request if I can ...

[joaoduarte19]

You can define the name of your header when creating JWT middleware.

FEngine.AddMiddleware(TMVCJWTAuthenticationMiddleware.Create(
      TAuthenticationController.Create,
      LClaimsSetup,
      'MySecret', { Secret }
      '/api/login',
      [TJWTCheckableClaim.ExpirationTime, TJWTCheckableClaim.NotBefore, TJWTCheckableClaim.IssuedAt],
      300,
      'Authorization', { Header token }
      'username',      { Header UserName }
      'password'       { Header Password }
    ));

[viniciussanchez]

Yes I Can! But why define a name being that a pattern already exists?
And still, it still has several differences, as said the word Bearer locked with lowercase letter, the method forcing to be POST, I still have to set the user headers and password and there is already a default for this.

[viniciussanchez]

The Horse for example follows the correct pattern.

[viniciussanchez]

See more in (RFC 6750):
https://tools.ietf.org/html/rfc6750#section-2.1

[danieleteti]

Thanl you for your notes @viniciussanchez .
Your PR will be appreciated.