aiohttp-jwt

Abstract JWT encoding/decoding

Open hzlmn opened this issue 6 years ago • 9 comments

Currently the package internally depends on the PyJWT library. It would be nice to abstract encoding/decoding/verifying of JWT to an AbstractJWTProvider interface and implement a builtin one based on PyJWT. So users will be able to rely on whatever library they wish.

Mar 17 '18 16:03 hzlmn
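A sketch of what the AbstractJWTProvider interface proposed in the opening post could look like, as an added example that is not aiohttp-jwt code and not part of the original thread. Only the class name comes from the issue; the method names, `HS256Provider`, `claims_from_header` (a middleware-side helper that sees only the interface) and the standard-library HS256 backend are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from abc import ABC, abstractmethod
class AbstractJWTProvider(ABC):
    """Hypothetical interface: only the class name comes from the issue."""
    @abstractmethod
    def encode(self, payload: dict) -> str: ...
    @abstractmethod
    def decode(self, token: str) -> dict: ...  # verified claims, else ValueError

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class HS256Provider(AbstractJWTProvider):  # stdlib stand-in for a PyJWT-backed builtin
    def __init__(self, secret: bytes, leeway: int = 0):
        self._secret, self._leeway = secret, leeway

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self._secret, signing_input.encode(), hashlib.sha256).digest()

    def encode(self, payload: dict) -> str:
        header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        signing_input = header + "." + b64url_encode(json.dumps(payload).encode())
        return signing_input + "." + b64url_encode(self._sign(signing_input))

    def decode(self, token: str) -> dict:
        try:
            header, body, sig = token.split(".")
            alg = json.loads(b64url_decode(header)).get("alg")
            signature = b64url_decode(sig)
        except (ValueError, AttributeError) as exc:
            raise ValueError("malformed token") from exc
        # The verifier, not the token header, decides which algorithm is acceptable.
        if alg != "HS256":
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(signature, self._sign(header + "." + body)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))
        if "exp" in claims and time.time() > claims["exp"] + self._leeway:
            raise ValueError("token expired")
        return claims

def claims_from_header(provider: AbstractJWTProvider, authorization: str) -> dict:
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer":
        raise ValueError("unsupported auth scheme")
    return provider.decode(token)
```

Because the caller depends only on `encode`/`decode`, a python-jose or jwcrypto backend could be swapped in by subclassing the same interface and keeping the same failure behaviour (raise on any unverified token).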

Some other JWT providers: https://jwt.io/

  • python-jose
  • jwcrypto

Mar 21 '18 15:03 hzlmn

@hzlmn was any progress made on this - ideally we would like to use python-jose as we could pass a dict of jwks urls with that library. Or do you know of a way we could get that behaviour with the current implementation?

Feb 14 '20 21:02 camin-mccluskey

@camin-mccluskey Currently no, as for my needs it was not mandatory and no one requested it before. I will try to come up with something working in the next few days. Also, if you have in mind some API structure that would work for you, it may be helpful as well.

Feb 14 '20 21:02 hzlmn

@hzlmn thanks for your prompt response! Essentially a closer alignment with the auth0/express-jwt library would be great. Particularly the 'multi-tenancy' idea of allowing multiple jwks urls to verify against. Also I was wondering if this could be applied at a router level (as opposed to an app level with whitelisting) - as we would like to be able to set up different authentication strategies for individual routes if possible. Let me know if I can be of any help with this!

Feb 14 '20 22:02 camin-mccluskey

@camin-mccluskey thanks for the feedback, will take a look at multi-tenancy.

> Also I was wondering if this could be applied at a router level (as opposed to an app level with whitelisting)

If I got it right, as a workaround now you can set credentials_required to False and protect individual routes with decorators.

Feb 17 '20 09:02 hzlmn

Hey @hzlmn thanks for looking into that, it would be really helpful for us! Apologies but can you point me in the direction of an example of decorators for this use case?

Feb 17 '20 11:02 camin-mccluskey

@camin-mccluskey I meant that instead of whitelisting right now you can skip JWT on all routes by setting credentials_required to False here https://github.com/hzlmn/aiohttp-jwt/blob/master/aiohttp_jwt/middleware.py#L18

and then protecting necessary routes with @login_required or @check_permissions https://github.com/hzlmn/aiohttp-jwt/blob/master/aiohttp_jwt/permissions.py#L19-L84

Like in this example https://github.com/hzlmn/aiohttp-jwt/blob/master/example/login_required.py

Feb 17 '20 12:02 hzlmn

@hzlmn perfect, thanks! Just FYI, the example given throws an exception - RuntimeError: ('Incorrect usage of decorator.', 'Please initialize middleware first'). I found that to make this go away I needed to declare the handlers after initialising the app and middleware.

Feb 17 '20 12:02 camin-mccluskey

@camin-mccluskey my bad, good catch.

Feb 17 '20 13:02 hzlmn