Overview

As businesses increasingly rely on APIs to connect services and applications, securing these data pipelines is very important. This use case outlines how we implemented a robust JSON Web Token (JWT) authentication system for a client's Joomla core API, ensuring that API access was restricted exclusively to registered and authenticated users.

Prerequisites

This use case has been seamlessly implemented using the plugins listed below. To achieve this, you will need to install these plugins on your Joomla instance.

Custom API Extension for Joomla

The Custom API plugin allows you to create custom endpoints/REST routes to fetch/modify/create/delete data in Joomla.

Download Extension

Challenge

The client needed to expose their Joomla site's data and functionality through an API for use in external applications. However, the default access controls were insufficient for their security requirements. The core challenge was to implement a user-based JWT authentication system. This meant that access to the API couldn't be open or based on a simple, static API key; it had to be dynamically granted only to users with valid login credentials on the Joomla site.

Solution

We designed and developed a custom authentication flow that integrates directly with Joomla's user management system. The solution involved creating a dedicated API endpoint specifically for generating JWT tokens. This approach ensures that every API request is securely validated without repeatedly exposing user credentials.

This JWT-based solution provides several advantages:

• Enhanced Security: Tokens are digitally signed and can be verified by the server, preventing unauthorized access.
• Stateless and Scalable: The server doesn't need to store session information for each user, making the API more efficient and scalable.
• Controlled Token Lifespan: By allowing an expiry time to be set, tokens automatically become invalid after a certain period, reducing the risk of compromised tokens being misused.
• Seamless Integration: It leverages the existing Joomla user database, so there's no need to manage a separate set of credentials for API access.

Implementation

The authentication process was implemented in two distinct phases: token generation and token validation:

• Token Generation:
• A user must first request a token by sending their credentials to a new, secure endpoint.
• This request must contain their Joomla username and password. Additionally, a predefined secret key and a desired expiry time must be supplied.
• Our system validates the username and password against the Joomla user database.
• If the credentials are correct, a unique JWT is generated, signed with the secret key, and sent back to the user.
• API Access with Token:
• To access any protected Joomla API endpoint, the user must include the generated JWT in the Authorization header of their request.
• A middleware layer on the Joomla site intercepts every API call, checks for a valid JWT in the header, and verifies its signature and expiration date.
• If the token is valid, the request is processed. If it's missing, invalid, or expired, the API immediately returns a 401 Unauthorized error, blocking access.

Result

By creating this custom JWT authentication system, we successfully secured the client's Joomla API. The solution provides a modern, secure, and scalable method for user authentication that is tied directly to their existing Joomla user base. The client can now confidently connect their website to other services and applications, knowing that their data is protected and that access is strictly controlled on a per-user basis.

Additional Resources

1. Custom API Authentication for Joomla
2. Web3 Authentication for Joomla
3. Joomla Security Shield