After some search and some investigating, I don’t have great results of one part of the JWT use cases.
The use case is: the client generates a JWT token by request on the API. Before the client can send the first request, it’s needed to register the client’s public key into the rights manager of API.
After the public-key exchange between the Client and API, the API allow the client’s queries because all JWT tokens are signed with the client’s private key and the API can verify the signature.
For this, I have written a proof of concept available here.
The branch master contains 2 parts:
- The WebServer part, written with Silex and handle the JWT with a middleware before the controller.
- The client part, written in flat PHP who send 3 queries. The first, get the list of objects, the second add an element into list and the third get the list with the new element.
The branch with_guard it’s same branch master but the middleware has been removed and replaced by a Guard Authenticator.
In this case, the client is the user and you can use the role system for check the client’s rights.
Have you some idea or API who can use this case ?