authlib
Feature request: provide a default JWT token validator
authlib contains pretty much all you need to implement JWT token validation. It would be nice if there was a simple default one provided. I'm not sure how many moving parts it would have. If no single validator would cover 80% of cases, maybe provide more docs on how to assemble one.
@lepture If you have a general idea of how you would like to see this implemented I would probably be able to do it.
What is JWT token validator? Is this what you want? https://github.com/lepture/authlib/blob/master/authlib/specs/rfc7519/claims.py
I'm sorry to be way too brief again. I meant a Flask BearerTokenValidator that uses a token based on JWTClaims. This is something I quickly came up with:
# Import paths as in current Authlib; the thread predates them (0.x used authlib.specs.*).
from authlib.jose import jwt, JWTClaims
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6750 import BearerTokenValidator
from authlib.integrations.flask_oauth2 import ResourceProtector


class JWTToken(JWTClaims, TokenMixin):
    # TokenMixin hooks the ResourceProtector calls, answered from the JWT claims.
    def get_scope(self):
        return self.get("scope")

    def get_expires_at(self):
        return self.get("exp")


class JWTBearerTokenValidator(BearerTokenValidator):
    def __init__(self, realm=None, **decode_kwargs):
        super().__init__(realm)
        if "claims_cls" not in decode_kwargs:
            decode_kwargs["claims_cls"] = JWTToken
        # key, claims_options, ... are passed straight through to jwt.decode.
        self.decode_kwargs = decode_kwargs

    def authenticate_token(self, token_string):
        token = jwt.decode(token_string, **self.decode_kwargs)
        token.validate()  # exp/nbf plus whatever claims_options require (iss, aud, ...)
        return token

    def request_invalid(self, request):
        return False

    def token_revoked(self, token):
        return False


token_validator = JWTBearerTokenValidator(key=SOMEKEY)  # SOMEKEY: placeholder for the verification key
require_oauth = ResourceProtector()
# Registered on the instance in current Authlib (the thread's version used a classmethod).
require_oauth.register_token_validator(token_validator)
This is flexible enough to validate, for example, a token generated by Auth0 by setting key to a function that gets the key from a JWKS and claims_options to validate issuer and audience.
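To show concretely what the validator above enforces once claims_options is set for issuer and audience, here is an added, standard-library-only example (not Authlib code and not from the thread) that mirrors the semantics of jwt.decode(token, key, claims_options=...) followed by token.validate(): "essential" requires the claim, "value" requires an exact match, "values" requires overlap, exp is compared to the current time, and key may be a callable so it can be resolved from a JWKS by header. The HS256 encoder, key and claim values are constructed test fixtures.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_and_validate(token: str, key, claims_options: dict, now=None) -> dict:
    """Mirror of jwt.decode(token, key, claims_options=...) + token.validate().
    `key` is raw bytes or a callable(header, claims) -> bytes (e.g. a JWKS lookup)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "HS256":  # never accept alg=none or an unexpected alg
        raise ValueError("unsupported alg")
    k = key(header, claims) if callable(key) else key
    expected = hmac.new(k, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    for name, opt in claims_options.items():  # "essential": the claim must be present
        if opt.get("essential") and name not in claims:
            raise ValueError(f"missing claim {name}")
    for name, opt in claims_options.items():  # "value": exact match; "values": any overlap
        value = claims.get(name)
        if value is None:
            continue
        if "value" in opt and value != opt["value"]:
            raise ValueError(f"invalid claim {name}")
        got = value if isinstance(value, list) else [value]
        if "values" in opt and not any(v in opt["values"] for v in got):
            raise ValueError(f"invalid claim {name}")
    if "exp" in claims and int(claims["exp"]) < (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```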
Is there a RFC? Authlib won’t contain it if there is no standard RFC. You can share your idea in your blog. Or I can put your idea in https://blog.authlib.org/
No, I don't believe the use of JWT as access tokens is covered in any RFC (apart from being the same mechanism used for id tokens). However, it is in common use with commercial identity providers. The code above is merely glue between existing parts of authlib, in the same way as OAuth2TokenMixin is used to bridge the ResourceProtector to the Authorization Server.
I appreciate authlib's focus on implementing the RFC building blocks. It's not trivial, however, to put those building blocks together into an application, so I thought some guidance would be nice. I think something like the code above would do it, but whether to include it in the code or add it to the docs (or in a closed GitHub issue :wink:) I'll leave to you. Whatever you decide, I can do a PR with the change if that is useful.
@jcassee did this ever get implemented? I'm also trying to do something similar with a Flask REST API and was wondering if there's any custom code that can validate JWT tokens provided by an OpenID server.
I'm not sure if this RFC is official though: https://tools.ietf.org/html/rfc7523
@DustinKLo the RFC you pointed to is not related to this issue. But this RFC is already implemented in Authlib.
I've added a built-in JWT Bearer token generator and validator into RFC7523. But there should be documentation for it.
https://github.com/lepture/authlib/commit/695af265255853310c905dcd48b439955148516f
No, I don't believe the use of JWT as access tokens is covered in any RFC
It's now covered in https://datatracker.ietf.org/doc/html/rfc9068 - would you be interested in a PR @lepture?
@adamjmcgrath yes, please.
Close this issue in favor of #427. There is a standard for JWT access token now.