Issuing an access token for third party API (Flutter SDK)

Backendless Version: 5.2.14, Online (Trial Cloud 99)

Client SDK: Flutter

Hi everyone,
is there a way to issue an access_token in JWT format for our own REST-API with included custom claims / roles?
The Method ‘Backendless.userService.login’ of the Flutter SDK does not return a ‘user-token’ in the response, unfortunately. I thought that this property might fulfill my intended use case while reading the docs.

Best regards,
Ludwig

Hi, Ludwig.

The Method ‘Backendless.userService.login’ returns a BackendlessUser object which contains a String token:

Backendless.userService.login("email@email.com", "password").then( (loggedUser) {
    // loggedUser.properties["userToken"]
  });

But we don’t use JWT tokens in Backendless.

Regards,
Andrew.

Thanks Andrii for the fast reply!

The key you provided isn’t in the set either. Here are all properties:

{lastLogin: 2019-07-09 09:48:40.837, userStatus: ENABLED, created: 2019-07-08 12:22:54.690, name: null, ___class: Users, socialAccount: BACKENDLESS, ownerId: xxxx-xxx--xxx--xxxx, updated: null, email: myemail, objectId: xxxx-xx-xxxxx-xxxx}

There is an endpoint for validating user-ids:

https://api.backendless.com/<application-id>/<rest-api-key>/users/isvalidusertoken/<userToken>

The third party API could call this endpoint with the provided user-token from the mobile app. But this would introduce an extra network call for every request…
A dedicated access_token with custom claims and a private key to ensure authenticity is the feature I was looking for.

Either way, thanks for your time!

Best regards,
Ludwig
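
The validation flow described in the post above, as an added example that is not part of the original thread and not Backendless code: the third-party API checks the opaque user-token against the isvalidusertoken endpoint and caches positive results for a short time, so not every request costs a network call. The `TokenValidator` name, the 30-second TTL and the plain `true`/`false` response body are assumptions.

```python
import hashlib
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.backendless.com"  # host as given in the thread


def http_check(app_id, rest_key, user_token, timeout=3.0):
    """Ask Backendless whether the token is valid (one network call)."""
    url = "{}/{}/{}/users/isvalidusertoken/{}".format(
        API_BASE, app_id, rest_key,
        urllib.parse.quote(user_token, safe=""))  # token is untrusted input
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        # Assumption: the response body is the literal text true or false.
        return resp.read().decode("utf-8").strip().lower() == "true"


class TokenValidator:
    """Validates opaque user-tokens; caches only positive answers, briefly."""

    def __init__(self, app_id, rest_key, check=http_check, ttl=30.0,
                 clock=time.monotonic):
        self.app_id, self.rest_key = app_id, rest_key
        self.check, self.ttl, self.clock = check, ttl, clock
        self._valid_until = {}  # sha256(token) -> expiry; no raw tokens kept

    def is_valid(self, user_token):
        if not user_token:
            return False  # missing header: reject without a network call
        key = hashlib.sha256(user_token.encode("utf-8")).hexdigest()
        now = self.clock()
        expiry = self._valid_until.get(key)
        if expiry is not None and now < expiry:
            return True  # cache hit, no call to Backendless
        self._valid_until.pop(key, None)  # drop a stale entry, if any
        try:
            ok = self.check(self.app_id, self.rest_key, user_token) is True
        except Exception:
            return False  # fail closed when Backendless cannot be reached
        if ok:
            self._valid_until[key] = now + self.ttl
        return ok
```

The TTL is also the window in which a token that has been logged out at Backendless is still accepted by the third-party API, so it should stay short. The user-token carries no claims, so roles still have to be looked up on the server side after validation.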

Hi @Ludwig_Leuschner!

The issue is that we don’t store the user token in the Android object of BackendlessUser. So there is no access to it in the Android SDK.
Nevertheless, the token is available in other SDKs, like the iOS SDK or the REST API.
If you need to get the access_token, you can make a REST call and receive it like this:

[Image: Screenshot from 2019-07-09 14-50-48]

Best regards,
Maksym

@Ludwig_Leuschner, can you please tell us why you need the Backendless token and describe your use case?

Regards,
Maksym

Hi @Maksym_Khobotin,

sorry, didn’t recognize your response.

I intend to outsource the user management from my own backend. Additionally I want to configure custom claims in a JWT-Token (e.g. over the Backendless web GUI), in order to check the access authorization when handling the request at my own API.

Your Flutter SDK was a charm to implement, but if this flow is not possible, it is, unfortunately, a dealbreaker for me.

Best Regards

Ludwig

Hi @Ludwig_Leuschner

I understand your problem. We will discuss it with the team tomorrow and will let you know once we find the solution for your issue.

Best Regards,
Maksym

Hi @Ludwig_Leuschner,

Could you please specify where the login to Backendless will be taking place? Is it done on your server or in a flutter app? What would be very helpful (so we can suggest a solution) is to understand the data flow you envision in your app (both the client-side and the server-side).

Regards,
Mark

Hi @mark-piller ,

the registrations and logins should take place in the Flutter-App against the Backendless-API, if necessary our own API could redirect to backendless API, if a secret is needed, which can (obviously) not be shipped with the app.
After the user is logged in and the access_token is obtained, the app can perform requests against our own API, which will validate the access_token and return data if the access_token is valid.

I hope this will help you.

Best regards,
Ludwig

Hello @Ludwig_Leuschner

Thanks for the detailed description, we started investigating in this direction.

Hi @Volodymyr_Ialovyi,

thank you very much. Just let me know if you make progress.

Best regards
Ludwig

Hi, @Ludwig_Leuschner

Just for clarification, what scenario do you need to implement:

  1. Authorize with Backendless SDK, get the access_token from SDK and add the header with a token for requests to your own API. In this case we need to implement the getter method for headers in our Backendless SDK.
  2. Authorize with your own API, get the access_token from your API’s response and add the header with a token to Backendless requests. In this case we need to implement the setter method for headers in our Backendless SDK.

We will be glad to hear back from you.

Best Regards,
Maksym

Hi @Maksym_Khobotin ,

for my use-case it would be 1.