Reputation: 461
So I'm unfortunately still trying to get a good grasp of the flow my app has to go through to provide authentication. So I plan on making an Angular app with a PHP back-end. To get a JWT, a user will provide their email/password as the body of a HTTP post request that will be made to a PHP file.
Inside that file, the database will be hit to check their credentials, and if they are valid, they will need a JWT provided to them. My question is, how will I send that JWT token to the front-end?
Doing a simple echo json_encode($jwt) would, I imagine, be a bad idea.
I could use PHP's setcookie() to send a cookie along with the rest of the HTTP headers. And I could set that cookie as httpOnly to make it even more secure, but I would need to add another cookie to prevent against XSRF attacks.
Once the client actually has the JWT token, I know I could use the Bearer authentication scheme and pass the token inside the Authorization HTTP header, and then the PHP file could grab the token by looking at the header. But could I also use the Bearer authentication scheme and use that Authorization HTTP header to pass the newly created JWT token from the PHP file to Angular?
Sorry if this is a bit confusing. If you have any questions, just post a comment.
Upvotes: 0
Views: 1414
Reputation: 2129
What's wrong with simply setting the jwt in the cookie or just returning the jwt, or even adding to the response's header?
The way I see it, it all depends on how you want to read it on the client side. If we're talking about standards, well then, in the header of the response or a set cookie is probably the most standard way to do it, but nothing is stopping you / there isn't a rulebook against returning it as JSON, for example.
Any security validation should be on the server side of things, because nothing is stopping me or you from just manipulating JavaScript and trying to blow up the server. Receiving it with json_encode, in the response's header, or even in the cookie, I will have access to it. After all, I need it to make further requests.
The thing about JWT is that underneath that string combination there is data, like username, email, (password?), and expiration_date. You can combine any information you want into the $jwt, and it's using a secret (only known to your back-end) to cypher it and then return it to the user. Whenever the user makes a request, you need to:
1. Verify if it is receiving an authorization token (JWT) in the HTTP request.
2. Verify if the token is valid and if the content is valid (like, for example, expire_date).
If you're looking for possible security breaches on this topic (and by this topic I mean authenticating and making sure the user who requested it receives the token), one of them is man-in-the-middle, but nothing that an HTTPS connection won't solve.
Upvotes: 1
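To make the flow in the question and the two verification steps in the answer concrete, here is an added example in plain PHP; it is not code from either poster and it is not a substitute for a maintained library (firebase/php-jwt, for instance). The secret, the sample user record, the file names login.php / api.php and the function names are assumptions made for this example. Two points the answer's "(password?)" hints at: the payload is only base64url-encoded, not encrypted, so anyone holding the token can read the claims (never put a password in it), and the signature is what the server trusts, so verification pins the algorithm and uses a constant-time compare before looking at exp.

```php
<?php
// Added example, not from the question or answer: minimal HS256 JWT issue/verify
// round trip showing the three delivery options discussed (JSON body, response
// header, HttpOnly cookie) and the server-side checks on later requests.
declare(strict_types=1);

// Assumption: in practice this comes from configuration, never from source control.
const JWT_SECRET = 'replace-with-a-long-random-secret';

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad);
}

// Login handler: called only after the database credential check has passed.
// Claims are readable by the client, so keep them to identifiers and timestamps.
function issue_jwt(array $claims, int $ttlSeconds = 3600): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $claims += ['iat' => time(), 'exp' => time() + $ttlSeconds];
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Step 1 from the answer: is there an Authorization: Bearer <token> header at all?
// Note: depending on the PHP SAPI, HTTP_AUTHORIZATION may need extra server config to be populated.
function bearer_token_from_request(): ?string {
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/i', $auth, $m) ? $m[1] : null;
}

// Step 2 from the answer: is the token valid (signature) and is its content valid (exp)?
function verify_jwt(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') {
        return null; // never let the token choose the algorithm; pin what the server issued
    }
    $expected = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    if (!hash_equals($expected, $sig)) {
        return null; // constant-time comparison of the signature
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < time()) {
        return null; // expired or malformed payload
    }
    return $claims;
}

// --- login.php ---
// Constructed sample user, standing in for the row returned by the credential check.
$user = ['id' => 42, 'email' => 'user@example.com'];
$jwt  = issue_jwt(['sub' => $user['id'], 'email' => $user['email']]);

// (a) JSON body: Angular stores it and sends it back as Authorization: Bearer on each call.
header('Content-Type: application/json');
echo json_encode(['token' => $jwt]);

// (b) Or a response header. Angular reads it from the HttpResponse headers; for a
//     cross-origin API the header must also be listed in Access-Control-Expose-Headers.
// header('Authorization: Bearer ' . $jwt);

// (c) Or an HttpOnly cookie, which JavaScript cannot read. The browser then attaches it
//     automatically, which is exactly why a CSRF defence (SameSite plus a CSRF token) is needed.
// setcookie('jwt', $jwt, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict', 'path' => '/']);

// --- api.php (protected endpoint) ---
// $claims = verify_jwt(bearer_token_from_request() ?? '');
// if ($claims === null) { http_response_code(401); exit; }
// ... $claims['sub'] identifies the caller from here on.
```

Whichever delivery option is chosen, the server trusts nothing the client sends back except what verify_jwt() returns, which is the point the answer makes about keeping all validation server-side; and because the token travels in clear text inside the HTTP exchange, the HTTPS requirement in the answer applies to the login response and to every later request carrying the Bearer header.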