diff --git a/docs/index.rst b/docs/index.rst index 84f3c9b..a2dc197 100755 --- a/docs/index.rst +++ b/docs/index.rst @@ -162,12 +162,17 @@ The ``HTTPTokenAuth`` is a generic authentication handler that can be used with The ``verify_token`` callback receives the authentication credentials provided by the client on the ``Authorization`` header. This can be a simple token, or can contain multiple arguments, which the function will have to parse and extract from the string. -In the examples directory you can find a complete example that uses JWT tokens. +In the examples directory you can find a complete example that uses +JWS tokens. JWS tokens are similar to JWT tokens. However using JWT +tokens would require an external dependency to handle JWT. Using Multiple Authentication Schemes ------------------------------------- -Applications sometimes need to support a combination of authentication methods. For example, a web application could be authenticated by sending client id and secret over basic authentication, while third party API clients use a JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate. +Applications sometimes need to support a combination of authentication +methods. For example, a web application could be authenticated by +sending client id and secret over basic authentication, while third +party API clients use a JWS or JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate. In the examples directory you can find a complete example that uses basic and token authentication. diff --git a/examples/multi_auth.py b/examples/multi_auth.py index dbb1801..0d79e47 100644 --- a/examples/multi_auth.py +++ b/examples/multi_auth.py @@ -5,17 +5,17 @@ "MultiAuth" class. The root URL for this application can be accessed via basic auth, providing -username and password, or via token auth, providing a bearer JWT token. +username and password, or via token auth, providing a bearer JWS token. """ from flask import Flask, g from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth, MultiAuth from werkzeug.security import generate_password_hash, check_password_hash -from itsdangerous import TimedJSONWebSignatureSerializer as JWT +from itsdangerous import TimedJSONWebSignatureSerializer as JWS app = Flask(__name__) app.config['SECRET_KEY'] = 'top secret!' -jwt = JWT(app.config['SECRET_KEY'], expires_in=3600) +jws = JWS(app.config['SECRET_KEY'], expires_in=3600) basic_auth = HTTPBasicAuth() token_auth = HTTPTokenAuth('Bearer') @@ -28,7 +28,7 @@ } for user in users.keys(): - token = jwt.dumps({'username': user}) + token = jws.dumps({'username': user}) print('*** token for {}: {}\n'.format(user, token)) @@ -46,7 +46,7 @@ def verify_password(username, password): def verify_token(token): g.user = None try: - data = jwt.loads(token) + data = jws.loads(token) except: # noqa: E722 return False if 'username' in data: diff --git a/examples/token_auth.py b/examples/token_auth.py index e352860..9b18678 100644 --- a/examples/token_auth.py +++ b/examples/token_auth.py @@ -8,7 +8,7 @@ To gain access, you can use a command line HTTP client such as curl, passing one of the tokens: - curl -X GET -H "Authorization: Bearer " http://localhost:5000/ + curl -X GET -H "Authorization: Bearer " http://localhost:5000/ The response should include the username, which is obtained from the token. """