Open mattupstate opened 10 years ago
So port it over and replace current tokens implementation?
@svenstaro +1
+1
+1 linked to #250
+1
+1
+1
@mattupstate What's the status on this? Need help?
+1
+1
+1
+1
+1
+1
@mattupstate I'm using Flask-Security and Flask-JWT in my project:
This is my use case:
I have an interesting problem: Flask-JWT and Flask-Security are probably sharing some headers or session or cookies, so if I log in to one website using Flask-JWT, and then I log in to the other, I will be disconnected from the other website.
Do you have an idea to fix this?
Best
Any updates on this? I think Flask-JWT could just plug into Flask-Security. Or what's the plan?
Would love to help.
Would like to help too, this issue is really important!
+1 This would be awesome - would love to help.
Really guys, stop +1ing, Github has reactions since forever!
+1
+1 for free speech
I read flask-jwt swapped out pyjwt for itsdangerous. Is this bug obsolete?
@mixmastamyk You can achieve more or less the same with pyjwt and itsdangerous.
The general question is how do you see the integration with Flask-JWT? What are you missing on Flask-Security side?
Well, to integrate with flask-restless turned out to be easy. But figuring out how to piece the parts together took days of reading docs and pulling together clues from Stack Overflow and GitHub. The results of which are in this tiny file: https://github.com/mixmastamyk/flask-skeleton/blob/master/main/auth.py
With that in place, there's the following not-fantastic code in the main.py file:
```python
from flask import redirect, request, url_for
from flask_security import current_user
from flask_restless import APIManager

from auth import rest_preprocessors

# app, db and SKIP_LOGIN are defined elsewhere in main.py
# (SKIP_LOGIN is assumed to hold the endpoint names that need no login)
api = APIManager(app, flask_sqlalchemy_db=db, preprocessors=rest_preprocessors)  # protects api


@app.before_request
def before_request():
    ''' Every request should be logged-in, thanks. '''
    endpoint = request.endpoint
    if not current_user.is_authenticated and endpoint:  # sometimes None
        if ((endpoint not in SKIP_LOGIN) and
                (not endpoint.startswith('security.')) and
                (not endpoint.endswith('api'))):
            return redirect(url_for('security.login', next=request.path))
```
Perhaps there's a better way to route the different auth methods.
@mixmastamyk I would just replace endpoint.startswith('security.')
with request.blueprint == app.config['SECURITY_BLUEPRINT_NAME']
to be completely sure.
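Added example, not code from the thread or from Flask-Security: a framework-free comparison of the string-matching gate above with one that exempts by exact blueprint name, as the reply suggests. It goes one step further and applies the same exact match to the API exemption; `API_BLUEPRINTS` and every endpoint name below are constructed assumptions.

```python
# Added illustration; endpoint and blueprint names below are constructed.
SKIP_LOGIN = frozenset({"static", "healthcheck"})
SECURITY_BLUEPRINT_NAME = "security"         # value of app.config['SECURITY_BLUEPRINT_NAME']
API_BLUEPRINTS = frozenset({"personapi0"})   # hypothetical blueprint holding the REST API


def blueprint_of(endpoint):
    """Mirror Flask's request.blueprint: the endpoint name up to its last dot."""
    if endpoint and "." in endpoint:
        return endpoint.rpartition(".")[0]
    return None


def redirect_by_string(endpoint, authenticated):
    """Gate from the thread: exempt by endpoint prefix and suffix."""
    if authenticated or not endpoint:
        return False
    return (endpoint not in SKIP_LOGIN
            and not endpoint.startswith("security.")
            and not endpoint.endswith("api"))


def redirect_by_blueprint(endpoint, authenticated, security_bp=SECURITY_BLUEPRINT_NAME):
    """Same gate, exempting only exact blueprint names."""
    if authenticated or not endpoint:
        return False
    bp = blueprint_of(endpoint)
    return (endpoint not in SKIP_LOGIN
            and bp != security_bp
            and bp not in API_BLUEPRINTS)


def disagreements(endpoints, security_bp=SECURITY_BLUEPRINT_NAME):
    """Endpoints on which the two gates differ for an anonymous request."""
    return [e for e in endpoints
            if redirect_by_string(e, False) != redirect_by_blueprint(e, False, security_bp)]


# Constructed endpoint names, as an audit of a route table might list them.
SAMPLE = ["security.login", "personapi0.personapi", "admin.export_api",
          "reports.okapi", "index", "static"]

if __name__ == "__main__":
    for name in disagreements(SAMPLE):
        print("string gate skips the login redirect for:", name)
```

Running `disagreements` over an application's real endpoint names (the keys of `app.view_functions`) shows which routes the suffix check exempts unintentionally, and which login routes the prefix check would block if the security blueprint were renamed.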
Ok, thanks.
Any update on using Flask JWT Extended with flask-security?
@mixmastamyk The file you have linked is no longer visible. Have you by any chance worked on jwt integration into flask-security any more?
@jminardi Actually I've stopped using JWT due to the potential security issues. I could probably dig up that file if you are still interested.
I found it:
```python
from flask_security.utils import verify_password
from flask_jwt import JWT, jwt_required
from ... import app, user_datastore
# user_datastore = SQLAlchemyUserDatastore(db, models.Users, models.Roles)


def auth_handler(username, password):
    # Return the user only when the account exists and the password verifies;
    # find_user() returns None for an unknown email, so check that first.
    user = user_datastore.find_user(email=username)
    if user and username == user.email and verify_password(password, user.password):
        return user


def load_user(payload):
    # Map the identity claim of a verified token back to a user
    user = user_datastore.find_user(id=payload['identity'])
    return user


@jwt_required()
def example_function(*args, **kwargs):
    pass


jwt = JWT(app, auth_handler, load_user)
```
I started work on another extension that adds basic JWT features to a Flask application over at https://github.com/mattupstate/flask-jwt. This is a much better implementation for token authentication than what is baked into flask-security at the moment.