Introducing mORMot-JWT: a “new” JWT implementation

JWT stands for JSON Web Tokens and it is a very popular technology used to implement custom-content tokens across REST services.

The JWT logo


Even if it is generally much over-rated and have its own drawbacks (especially when dealing with security), it is becoming something like a de facto standard for Web and REST applications authorization/authorization mechanisms.

You can read a nice introduction to JWT here.

I have used JWT since the end of 2015 as a default implementation for authentication/authorization mechanisms in MARS-Curiosity (a REST library for Embarcadero Delphi). The central topic of a JWT library is of course about token signing (through HMAC SHA256, for example) and so far I used (a fork of mine of) a library named JOSE JWT that relies on OpenSSL to implement cryptographic functions and thus forces you to distribute OpenSSL with your software.

Given deploying OpenSSL is becoming more and more a burden to match security requirements and given the Synopse team implemented JWT in mORMot project a while ago (link), I decided (after having discussed this a couple of times with Arnaud) to “steal” a mORMot JWT subset implementing JWT 🙂

If you have been to some of my sessions about MARS, you surely have seen me struggling with OpenSSL DLLs missing here and there… well, this is the day this will come to an end! Apart from this, there are a number of reasons this is a move forward for the MARS projects:

  1. as I said, one less external dependency for your application servers (on Windows platform);
  2. the mORMot implementation is faster (at least 5 times faster in some scenarios even I didn’t do serious benchmarking yet);
  3. the mORMot implementation has a stronger community behind and so I am more confident about feature and bugfixes;
  4. this is not the first piece of mORMot I integrate to MARS (see the dMustache integration covered by the “mustache” demo in MARS) and maybe it will not be the last (I always wanted to have MARS running on top of the mORMot’s http server http.sys implementation [as well as on top of TMS Sparkle, BTW] and I am also considering adding built-in compression for MARS using mORMot highly optimized compression utilities).

So I created the mORMot-JWT repository on with a relatively small subset of mORMot files needed to implement JWT in any Windows application (feel free to use it wherever you may need! I will soon ask to inlcude it in the library list for Delphi). Obviously all the code is by Synopse team and I did nothing else than copying some files in the new repository, trying to get the smallest part (but not tampering too much with the original files, in order to ease upgrading to newer versions).

Here is an example of use (link):

uses (...)
, SynCommons, SynCrypto, SynEcc, SynLZ;

  LJWT: TJWTAbstract;
  LToken: string;
  LJWT := TJWTHS256.Create(StringToUTF8(ASecret), 0, [jrcIssuer, jrcSubject], [], 60);
    LToken := UTF8ToString( LJWT.Compute(['LanguageId', 'IT', 'CurrencyId', 'EUR'], 'MyApp', 'TheUser') );
    WriteLn('Token: ' + LToken);

Then I refactored MARS to support both JOSE and mORMot-JWT library in a manner that mORMot-JWT will be the default implementation for all Windows platforms and still keeping JOSE for non-Windows ones (mORMot does not currently support Delphi Linux compiler and ARC-enabled Delphi compilers) and also added tests to ensure the two libraries would have a coherent behavior throughout MARS.

Please upgrade your MARS projects by adding the following units inclusion IFDEF (in the Server.Ignition.pas file or wherever you are defining your TMARSEngine instance):

, MARS.mORMotJWT.Token

And also remember to add ‘(…)MARS/ThirdParty/mORMot/Source’ to your library path before recompiling the MARS package groups.

Enjoy! 🙂

PS: this is not the only new feature I added to MARS recently (more blog posts will come) 🙂

One thought on “Introducing mORMot-JWT: a “new” JWT implementation

  1. Claudio Piffer says:

    Great work Andrea!!!!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.