API support for multiple secrets? #91
Comments
|
I'm sure we could add support for this into the application. My initial reaction would be to prefer something like Cheers. 👍 |
|
Sorry for the delay in this, the past month has been crazy hectic. I'm hacking on something right now that would allow you to pass in optional kwargs to the protected endpoints, then setup a configuration context to be used during the request. It will look something like this: @jwt_required(secret_key='foobarbaz')
def foo:
return jsonify(hello='world')Any relevant options that would be used during a request will show up as kwargs in here. I'm hoping to have this finished up in the next couple days. Cheers. |
This should be good to go. I want to add a few more tests in here for completeness sake, and sit on this for a few days to make sure I'm happy with the changes and maintaining this feature in the future, but I don't expect any issues here.
|
I did some more work on the ability to have totally different option contexts at any stage in the extension, and after coming up with a solution, I decide I really didn't like the added complexity and edge cases that feature got us, compared to the general usefulness it provided. I since changed back to my original plan of adding a single Because I have gone back and forth on how I want to implement this a few times, I'm gonna finish adding the last features, then sit on it for a few days before pushing out a new release, just to make sure I'm happy with how it all turns out. Cheers. |
|
No worries re: delay--our interest in using multiple secrets is a future to-do item that is probably a few months down our list. Picking at the feature has been on my to-do list as well, but it's been a busy few weeks. I agree with both sitting on the changes until you're confident and not significantly complicating the extension if the full set of options does so. I'm in a different mental code context at the moment and don't want to break it by reviewing relevant code, but AFAIR the secret key is the most obvious setting. When I originally mentioned a full config option, I think I was imagining some consumers wanting key-specific default expiration deltas and such, but it's not that much more complex for them to specify app-specific config values and use those to generate different expiration times on token creation. |
|
is this issue still relevant ? |
|
It is. I have the work largely done for this, but never got around to finishing it up and adding unit tests. I’ll revisit this when I have some free time and see if I can finish it up |
|
Would be really awesome 😄 |
|
Similar question: What about supporting multiple |
|
I was thinking about this more last week, and I think it would be really cool to have something like a Thoughts? |
|
Sounds great. With something like this you could both support multiple private-public-keypairs and keys for symmetric encryption. |
|
I agree that there's value in a more versatile implementation. I think the JWT data would be enough in our case. I do wonder if someone would want to return distinct keys for different applications of a JWT format that are programmatically indistinguishable without more context (endpoint? function name/object? kwargs passed through the decorator?) than just the JWT data? I'm stretching to invent a plausible example, but perhaps to support distinct login endpoints/keys for users/partners/admins. Thinking through that example, I guess it's easier to just document that anyone who needs this should either imbed a distinct value in otherwise indistinguishable JWTs per use-case, or fish what they need out of the request object? |
|
Yeah, that's a good point. Although all the information could be retrieved from That said, I'm leaning towards the identifiers in the JWT being good enough, it seems like it would be a pretty natural fit for the use cases I'm coming up with. Very similar to how role base authentication is normally handled. Thanks for the feedback! 👍 |
|
Are there any news on this? A Cheers |
|
Sorry, I know I’ve been saying I would finish this forever now. I’ve been stupid busy at a newish job and haven’t gotten around to it yet. I’ll put this at the top of my list of things to do. In the mean time, if anyone else needs it now and wants to submit a PR I would be more then happy to work with them to make sure it looks good and get everything merged. |
|
No worries, just wanted to make sure you weren't already working on it in case I attempt a PR. I can take a stab at it, hopefully in the next few days. |
|
+1 waiting for this feature too. Do you have some branch for this feature already? |
|
Implemented decode key callback in #191 Not sure if encode key callback can be done without breakage, I think signatures of encode methods here would have to change at least https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/tokens.py#L35 |
|
Thanks for your work on the decode token! I've gotten that merged, it looks great! Per the encode tokens, https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/tokens.py#L35 isn't exported in the API, so I'm totally cool if this changes. We will make a note of it in the release notes in case someone is using it, but I specifically make no guarentees to these helper functions so that making changes to the extension is as easy as possible. As long as https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/utils.py#L98 doesn't change (which calls https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/jwt_manager.py#L420 behind the scenes), then I'm totally happy. Thanks for contributing 👍 |
|
This has now been released in v3.13.0. Check out the documentation for the custom decode key and the custom encode key Cheers! 👍 |
We've considered using a JWT as a relatively long-lived server-to-server API key (for a handful of first and second-party servers) that specifies permitted endpoints/restrictions/etc, on which we'd use blacklisting. We've also considered various short-lived client authorization uses where we don't really need to worry about blacklisting.
I'm not sure how much it would matter in reality, but I would be a little more comfortable using JWTs for both purposes if it was trivial to specify separate secrets for each use case. This would:
One approach might be using the existing config vars when the decorators are used normally, and adding support for explicitly passing one or more secrets to the decorator. I think this could be reasonably intuitive:
A more robust version might be for the decorators to accept your config objects, along with a factory that'll generate a config object as you do currently (with defaults from app.config), but override any user-supplied values.
The text was updated successfully, but these errors were encountered: