ajkavanagh / pyramid_jwtauth

JSON Web Token (JWT) Auth plugin for Pyramid

Support for Authorization header with token= #12

Open wichert opened 8 years ago

wichert commented 8 years ago

Not all implementations use key-value pairs for JWT. Multiple implementations and various examples floating around on the web use the token directly:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjF9.bg_buLtXhM78BxYfKb_qw2YvmvS9Bf-RT0b_Kgug98g

This is not supported by pyramid_jwtauth currently: it insists that you use the token="...." format. So far I have not found any other implementation that uses that pattern as well, which makes me think that at least pyramid_jwtauth should not require that, and perhaps should not default to requiring it at all.

bfin commented 8 years ago

+1 I'm assuming the Bearer token="aaa.bbb.ccc" format is used because that's what is used in macauthlib / pyramid_macauth, where an auth header takes the form:

Authorization: MAC id="h480djs93hd8" ts="1336363200" nonce="dj83hs9s" mac="bhCQXTVyfj5cmA9uKkPFx1zeOXM="

I'd gladly put together a PR, just need to know if both forms need to be acceptable. Like @wichert, I've never seen the Bearer token="aaa.bbb.ccc" format used for JWT. Seeing as @ajkavanagh already has a disclaimer at the top of the README warning about likely code changes, my vote would be to use the more standard Bearer aaa.bbb.ccc format and raise a ValueError for malformed headers.
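A header parser that accepts both forms discussed in this thread (the bare `Bearer aaa.bbb.ccc` form and the legacy `Bearer token="aaa.bbb.ccc"` form) and raises `ValueError` on anything malformed, as an added example; this is not pyramid_jwtauth's own code, and the regexes and the `allow_quoted` switch are assumptions for illustration:

```python
import re

# Compact JWS: three non-empty base64url segments separated by dots.
# Requiring a non-empty third segment means an unsigned token (empty
# signature) is rejected here, before any verification code sees it.
_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
# Legacy macauthlib-style form: token="aaa.bbb.ccc"
_QUOTED_RE = re.compile(r'^token="([^"]*)"$')


def parse_bearer_token(header, allow_quoted=True):
    """Return the JWT carried in an Authorization header value.

    Accepts the standard form ``Bearer aaa.bbb.ccc`` and, when
    ``allow_quoted`` is true, the legacy ``Bearer token="aaa.bbb.ccc"``
    form.  Raises ValueError for anything else so the caller can answer
    with 400/401 instead of silently treating the request as anonymous.
    """
    if header is None:
        raise ValueError("missing Authorization header")
    parts = header.strip().split(None, 1)
    # RFC 6750 scheme names are case-insensitive; "bearer" must be followed
    # by exactly one credentials field.
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise ValueError("not a Bearer authorization header")
    credentials = parts[1].strip()
    m = _QUOTED_RE.match(credentials)
    if m:
        if not allow_quoted:
            raise ValueError('token="..." form is not accepted')
        credentials = m.group(1)
    if not _JWT_RE.match(credentials):
        raise ValueError("credentials are not a compact JWT")
    return credentials


if __name__ == "__main__":
    # Constructed sample headers, one per accepted form.
    for value in ('Bearer a.b.c', 'Bearer token="a.b.c"'):
        print(repr(value), "->", parse_bearer_token(value))
```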

wichert commented 8 years ago

@bfin I'd love to see a pull request. If @ajkavanagh does not merge it I'll just switch to your branch :)

wichert commented 8 years ago

FWIW my current workaround is to have my APIs return token="...." as API token, which looks pretty awful to users.

marioidival commented 8 years ago

To work correctly with Bearer, see: https://github.com/marioidival/pyramid_jwtauth/commit/bdaa8bd625a234cd06ba2b591ad8940583a4929d

wichert commented 8 years ago

FWIW I started writing pyramid_jwt as an alternative to add JWT support to Pyramid. The code is a little bit more opinionated and exposes a simple API to create new tokens from views making it a bit easier to use.

bfin commented 8 years ago

@wichert That's great -- checking it out now

wichert commented 8 years ago

@bfin Looking forward to any feedback. Keep in mind it's still very new, so documentation is not complete yet (but does include an example to address #4) and there may be a few remaining bugs.