hzlmn / aiohttp-jwt

aiohttp middleware and helper utils for working with JSON web token.
MIT License

Abstract JWT encoding/decoding #3

Open hzlmn opened 6 years ago

hzlmn commented 6 years ago

Currently the package internally depends on the PyJWT library. It would be nice to abstract encoding/decoding/verifying of JWT into an AbstractJWTProvider interface and implement a builtin based on PyJWT, so users will be able to rely on whatever library they wish.

hzlmn commented 6 years ago

Some other jwt providers https://jwt.io/

camin-mccluskey commented 4 years ago

@hzlmn was any progress made on this - ideally we would like to use python-jose as we could pass a dict of jwks urls with that library. Or do you know of a way we could get that behaviour with the current implementation?

hzlmn commented 4 years ago

@camin-mccluskey Currently no, as for my needs it was not mandatory and no one requested it before. I will try to come up with something working in next few days. Also if you have in mind some api structure that would work for you, it may be helpful as well.

camin-mccluskey commented 4 years ago

@hzlmn thanks for your prompt response! Essentially a closer alignment with the auth0/express-jwt library would be great. Particularly the 'multi-tenancy' idea of allowing multiple jwks urls to verify against. Also I was wondering if this could be applied at a router level (as opposed to an app level with whitelisting) - as we would like to be able to set up different authentication strategies for individual routes if possible. Let me know if I can be of any help with this!
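
An added sketch (not code from this thread or from aiohttp-jwt) of the AbstractJWTProvider interface hzlmn proposes above, with a hypothetical stdlib-only HS256 provider that also covers the multi-tenancy request by verifying against a map of `kid` to key; the class names, the `{kid: key}` map and the `is_valid` helper are assumptions for illustration:

```python
import base64, hashlib, hmac, json, time
from abc import ABC, abstractmethod

class AbstractJWTProvider(ABC):
    """Interface a library-backed provider (PyJWT, python-jose, ...) would implement."""
    @abstractmethod
    def encode(self, payload: dict, key: bytes, kid: str) -> str: ...
    @abstractmethod
    def decode(self, token: str, keys: dict) -> dict: ...

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class StdlibHS256Provider(AbstractJWTProvider):
    """Hypothetical provider: one HMAC key per tenant, selected by the header 'kid'."""
    def encode(self, payload, key, kid):
        header = {"alg": "HS256", "typ": "JWT", "kid": kid}
        dump = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
        signing_input = dump(header) + "." + dump(payload)
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def decode(self, token, keys):
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_unb64url(h64))
        except ValueError:  # wrong segment count, bad base64 or bad JSON
            raise ValueError("malformed token")
        # Pin the algorithm server-side; never trust the header's "alg" (rejects "none").
        if header.get("alg") != "HS256":
            raise ValueError("unsupported alg")
        key = keys.get(header.get("kid"))  # unknown tenant -> no key -> reject
        if key is None:
            raise ValueError("unknown kid")
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s64)):
            raise ValueError("bad signature")
        payload = json.loads(_unb64url(p64))
        if "exp" in payload and payload["exp"] <= time.time():
            raise ValueError("token expired")
        return payload

def is_valid(provider: AbstractJWTProvider, token: str, keys: dict) -> bool:
    """What a middleware would call: True only if the provider accepts the token."""
    try:
        provider.decode(token, keys)
        return True
    except ValueError:
        return False
```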

hzlmn commented 4 years ago

@camin-mccluskey thanks for the feedback, will take a look at multi-tenancy.

Also I was wondering if this could be applied at a router level (as opposed to an app level with whitelisting)

If I got it right, as a workaround now you can set credentials_required to False and protect individual routes with decorators.

camin-mccluskey commented 4 years ago

Hey @hzlmn thanks for looking into that, it would be really helpful for us! Apologies but can you point me in the direction of an example of decorators for this use case?

hzlmn commented 4 years ago

@camin-mccluskey I meant that instead of whitelisting, right now you can skip jwt on all routes by setting credentials_required to False here https://github.com/hzlmn/aiohttp-jwt/blob/master/aiohttp_jwt/middleware.py#L18

and then protect the necessary routes with @login_required or @check_permissions https://github.com/hzlmn/aiohttp-jwt/blob/master/aiohttp_jwt/permissions.py#L19-L84

Like in this example https://github.com/hzlmn/aiohttp-jwt/blob/master/example/login_required.py

camin-mccluskey commented 4 years ago

@hzlmn perfect, thanks! Just FYI, the example given throws an exception - RuntimeError: ('Incorrect usage of decorator.', 'Please initialize middleware first'). I found that to make this go away I needed to declare the handlers after initialising the app and middleware.

hzlmn commented 4 years ago

@camin-mccluskey my bad, good catch.