Token auth and JWT term usage vs. JWS #69

Closed
unuseless opened this issue Jun 4, 2018 · 6 comments

@unuseless
Contributor

In e.g. token_auth.py (and several other places) the term JWT is used for the tokens generated. These tokens are generated with the itsdangerous TimedJSONWebSignatureSerializer.
The thing is, these are not JWT tokens, but JSON Web Signatures (JWS, see https://pythonhosted.org/itsdangerous/ ).

Remedy: Don't use the term JWT for these tokens.

@miguelgrinberg
Owner

Yes, you are absolutely right, I'll rename it.

@comatrion

References remain e.g.

from itsdangerous import TimedJSONWebSignatureSerializer as JWT

curl -X GET -H "Authorization: Bearer <jwt-token>" http://localhost:5000/

In the examples directory you can find a complete example that uses JWT tokens.

Applications sometimes need to support a combination of authentication methods. For example, a web application could be authenticated by sending client id and secret over basic authentication, while third party API clients use a JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate.

@miguelgrinberg miguelgrinberg reopened this Oct 8, 2018
@alensiljak

alensiljak commented Dec 31, 2018

Does that mean that, if we were to use

from datetime import datetime, timedelta

import jwt  # PyJWT
from flask import current_app


class AuthToken:  # class name assumed: the snippet was posted as methods of an unnamed class

    def generate_token(self, user_id):
        """
        Generates the auth token.
        :return: string
        """
        try:
            # set up a payload with an expiration time
            payload = {
                'exp': datetime.utcnow() + timedelta(minutes=5),
                'iat': datetime.utcnow(),
                'sub': user_id
            }
            # create the token using the payload and the SECRET key
            secret = current_app.config.get('SECRET_KEY')
            jwt_string = jwt.encode(
                payload,
                secret,
                algorithm='HS256'
            )
            return jwt_string

        except Exception as e:
            # return an error in string format if an exception occurs
            return str(e)

    @staticmethod
    def decode_token(token):
        """
        Validates the auth token.
        Decodes the access token from the Authorization header.
        :param token:
        :return: integer|string
        """
        try:
            # try to decode the token using our SECRET variable
            secret = current_app.config.get('SECRET_KEY')
            # is_blacklisted_token = BlacklistToken.check_blacklist(auth_token)
            # pin the accepted algorithm on the verifier side so the token
            # cannot choose its own (PyJWT 2.x requires this argument)
            payload = jwt.decode(token, secret, algorithms=['HS256'])
            return payload['sub']
        except jwt.ExpiredSignatureError:
            # the token is expired, return an error string
            return "Expired token. Please login to get a new token"
        except jwt.InvalidTokenError:
            # the token is invalid, return an error string
            return "Invalid token. Please register or login"

instead of the JWS Serializer, the reference to JWT would be correct? Is this all that is necessary to correctly utilize JWT tokens?

@unuseless
Contributor Author

@mistery If I correctly understand your code, you utilize pyjwt (though there is no import statement in your code). If you use pyjwt it's easy to use JWT tokens.
@miguelgrinberg's code just uses itsdangerous, so no extra external dependency is needed.
In terms of token usage, when you pass such a token back and forth in your app, it should not matter if you use JWS or JWT.
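
An added example, not code from this thread or from Flask-HTTPAuth, to make the JWS/JWT distinction concrete in stdlib Python: sign_jws/verify_jws produce and check a compact HS256 JWS over arbitrary bytes, while issue_jwt/verify_jwt put a JSON claims set (exp, iat, sub, as in the PyJWT snippet above) inside such a JWS and check the expiry on the consumer side. All function names, the secret and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data):
    """Base64url without padding, as the compact JWS form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws(payload, secret, typ=None):
    """Compact JWS (RFC 7515) over arbitrary payload bytes, HS256 only."""
    header = {"alg": "HS256"}
    if typ:
        header["typ"] = typ  # "JWT" marks the payload as a claims set
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + _b64url(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jws(token, secret):
    """Check the HS256 signature and return the raw payload bytes."""
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    # the verifier pins the algorithm; "none" or any other alg is rejected before the MAC check
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    return _b64url_decode(p64)

def issue_jwt(sub, secret, ttl=300, now=None):
    """A JWT (RFC 7519) is a JWS whose payload is a JSON claims set."""
    now = int(time.time() if now is None else now)
    claims = {"iat": now, "exp": now + ttl, "sub": sub}
    return sign_jws(json.dumps(claims, separators=(",", ":")).encode(), secret, typ="JWT")

def verify_jwt(token, secret, now=None):
    """Signature check plus the claim checks the JWS layer knows nothing about."""
    claims = json.loads(verify_jws(token, secret))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired token")
    return claims
```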

@alensiljak

@unuseless, that's correct. There's an import jwt statement at the top (ref: here).
Thanks for the clarifications.
I was mostly concerned about using some standard way of handling tokens, as the clients will, most likely, be JavaScript from Progressive Web Applications or perhaps other mobile apps. I have not made a final decision. Too many options are available, but none of them fits my goals of being cross-platform and easy to maintain.

@miguelgrinberg
Owner

Addressed by #79. Closing.
