flask-jwt How handle a token?

I'm new to using JWT and flask-jwt, so I ran the example I found in the docs. I read this to get a better understanding of JWT.

But now I wonder how I should handle more than one token? I mean, a user posts his credentials to "myserver/auth" and then a token is returned to the client. When the client sends a new request he should send the token.

My question is how do I know which "token" belongs to which user, and where are the "tokens" stored?

Ricardo asked Oct 30 '22 17:10


1 Answer

JWTs consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Let's see a brief summary according to the RFC and this:

Header

The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm such as HMAC SHA256 or RSA.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. This is the interesting part, because inside the token we can check which user it belongs to.

{
  "userid": "1234567890",
  "expiration_date": "2016-05-129"
}

When we generate a new token we can specify the data the payload will contain, so we can add userid to identify a user and expiration_date to check if it is time to ask for a new one.

Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and sign that. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

Server side

We should keep our secret key on the server side; hence, we can decrypt a valid payload and check which user it belongs to. In this way we are free to avoid storing tokens, because every token itself stores enough data to validate our users.

How to renew the token? (from the client side)

The process to generate a renewed token is the same, so the client side should ask a renew service (an HTTP request like www.myhost.com/renew) and send the old token to generate the new one. Remember you can check which user that token belongs to, hence the renewed token should contain the same payload but with a different expiration date.

Single sign-on

We can use JWT with more strategies, like single sign-on, to ensure only one user with the same credentials is logged in at the same time.

Ricardo answered Nov 11 '22 04:11
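The answer's three points (the server keeps the secret, the payload identifies the user so nothing needs to be stored, and renewal means re-issuing the same payload with a new expiration) can be shown end to end with a small HS256 implementation. The following is an added example written for this page; it is not code from flask-jwt or from the answer above. It uses only the Python standard library, a constructed secret (`SECRET_KEY`) and a constructed `userid`, and it uses the standard `exp` claim (seconds since the epoch) where the answer uses `expiration_date`. The `now` parameters exist so the expiry logic can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret: a real deployment keeps this only on the server
# and never ships it to clients.
SECRET_KEY = b"example-server-secret-do-not-reuse"
TOKEN_LIFETIME_SECONDS = 3600


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped on encode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(userid: str, now: Optional[int] = None) -> str:
    """Build header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"userid": userid, "exp": now + TOKEN_LIFETIME_SECONDS}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is not expired.

    Returns None for a malformed, tampered, wrongly signed or expired token.
    Because the user id is inside the signed payload, the server needs no
    token table: the secret alone decides whether a token is genuine.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pin the algorithm the server expects; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so a wrong signature leaks no timing information.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def renew_token(old_token: str, now: Optional[int] = None) -> Optional[str]:
    """Re-issue a token for the same userid with a fresh expiration.

    Only a token that still verifies can be renewed; an expired or tampered
    token yields None and the client has to authenticate again.
    """
    now = int(time.time()) if now is None else now
    payload = verify_token(old_token, now)
    if payload is None:
        return None
    return create_token(payload["userid"], now)


if __name__ == "__main__":
    token = create_token("1234567890")
    print("issued:", token)
    print("payload:", verify_token(token))
    print("renewed:", renew_token(token))
```

In a Flask handler the `myserver/auth` route would call `create_token` after checking the credentials, every protected route would call `verify_token` on the bearer token it receives, and the `renew` route would call `renew_token`; none of them touches a database to find out which user a token belongs to.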