I have a Data Abstract service implemented in Delphi which must be authenticated using a JWT Token.
Normally, I would expect this to be done through the OnHTTPAuthentication event.
But there is a catch:
The server must also issue the JWT token through the login call.
That means that the login call must be allowed to pass without JWT Token, and all other calls must only be allowed when the JWT Token is valid.
However, when the OnHTTPAuthentication event is triggered, it is not yet known which call is going to be executed. So this event is unable to decide whether a JWT token is required or not.
At this point the Session ID token is also unavailable, since it is encoded in the message.
So I am not able to flag the RO-Generated session as authenticated or not.
Manually creating/destroying a session is also not an option, since I see no way to pass on the new session ID to the further processing of the message.
How can I solve this?
An additional issue is that the OnHTTPAuthentication event parses the authentication header into username/password, which is of course not correct for a bearer token. This can be worked around, since the HTTP request instance is passed to the event, but this is not very elegant. Maybe a separate class to handle this could be created?
Any insights are appreciated!