Open michaelconan opened 3 months ago
Additionally, implement scopes (at least read+write) with a wrapper to validate scopes for routes.
```python
from functools import wraps
from flask import request, jsonify
from flask_jwt_extended import verify_jwt_in_request, get_jwt


def jwt_scopes_required(required_scopes):
    """Route decorator: require a valid JWT that carries every scope in required_scopes."""
    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            # Reject the request if no valid JWT is present
            verify_jwt_in_request()
            claims = get_jwt()
            # Scopes are read from the "scopes" claim; a missing claim means no scopes
            token_scopes = claims.get("scopes", [])
            if not all(scope in token_scopes for scope in required_scopes):
                return jsonify(msg="Missing required scopes"), 403
            return fn(*args, **kwargs)
        return decorator
    return wrapper
```
Consider Flask-OAuthLib instead
Effectively just use standard conventions for authorization endpoints and payloads, still leveraging JWT.
At a minimum, implement:
See examples on the site.
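An added example, not code from the issue: a scope check that accepts either a list claim or the space-delimited string form used by OAuth conventions, and fails closed on anything else. The claim names `scope`/`scopes`, the helper names and the sample claims are assumptions made for illustration.

```python
# Standard library only, so the check can be unit-tested without Flask.

def token_scopes(claims):
    """Return granted scopes as a frozenset; missing or malformed claims grant nothing."""
    raw = claims.get("scope", claims.get("scopes"))
    if isinstance(raw, str):
        # OAuth-style claim: one string, scopes separated by spaces
        return frozenset(raw.split())
    if isinstance(raw, (list, tuple)) and all(isinstance(s, str) for s in raw):
        return frozenset(raw)
    return frozenset()


def has_scopes(claims, required):
    """True only if every required scope is granted as an exact token."""
    return frozenset(required) <= token_scopes(claims)


def naive_has_scopes(claims, required):
    """Plain membership test on the raw claim value, kept here for comparison."""
    granted = claims.get("scopes", [])
    return all(s in granted for s in required)


if __name__ == "__main__":
    # Constructed sample claims (not taken from any real token)
    samples = [
        {"scopes": ["read", "write"]},
        {"scope": "read write"},
        {"scopes": "readonly"},   # string claim: "read" is a substring of "readonly"
        {"scopes": None},
        {},
    ]
    for claims in samples:
        print(claims, "->", has_scopes(claims, ["read"]))
    # With a string claim, `in` is a substring test, so the naive check passes
    print("naive:", naive_has_scopes({"scopes": "readonly"}, ["read"]))
```

Inside the decorator, `has_scopes(get_jwt(), required_scopes)` can replace the `all(...)` expression without changing the 403 response.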