4

I want to know how flask-jwt-extended works with an autoscaling environment, and whether there is any way to store tokens in a centralized server (Redis) and access them across all autoscaling instances.

1 Answer

1

The only time tokens are stored is if you are blacklisting them. Otherwise JWTs don’t require any state on the backend. If you do want to use Redis in conjunction with blacklisting, how you set up the Redis instance for your Flask applications is entirely up to you. Flask-jwt-extended does not handle that for you.

https://flask-jwt-extended.readthedocs.io/en/latest/blocklist_and_token_revoking/

drkvogel
vimalloc
  • 1
    This is IMHO not true in an auto scaling environment without using an API gateway as a single point of entry. Consider your application to be scaled out to 4 workers across a docker swarm cluster... either sticky sessions (on the load balancer) or replicating the tokens are needed. – sp33c Jul 02 '20 at 21:54
  • 2
    @sp33c That is entirely incorrect. In that situation, the only thing that is needed for a token to work on any of the 4 workers is that all the workers share the same secret key. This is why JWTs are part of the stateless authentication classification. https://blog.imaginea.com/stateless-authentication-using-jwt-2/ – vimalloc Jul 02 '20 at 22:04
  • I got it. Thank you for the correction. Of course. Math.. – sp33c Jul 03 '20 at 14:14
  • I just checked. The secret key has to be changed if redis does not persist the data. Otherwise old tokens can be reused on old tokens. – sp33c Jul 03 '20 at 16:07
  • @vimalloc are you saying that each worker then is requesting a token for itself each time? That still seems unnecessary and session storage to use refresh tokens seems better. – Zaffer Dec 09 '22 at 16:30
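
The behaviour discussed in the answer and comments above, as an added example that is not part of the original thread and is not flask-jwt-extended's own code: any worker holding the shared secret can verify an HS256 token with no stored state, while revocation only works across instances if the blocklist lives in a shared store. `Worker` and `SharedBlocklist` are hypothetical names, and the in-memory dict is a constructed stand-in for a central Redis instance.

```python
import base64, hashlib, hmac, json, time, uuid

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SharedBlocklist:
    """Constructed stand-in for a central Redis: maps jti -> token expiry."""
    def __init__(self):
        self._revoked = {}

    def revoke(self, jti, exp):
        self._revoked[jti] = exp  # in Redis: a key with a TTL lasting until exp

    def is_revoked(self, jti, now):
        return self._revoked.get(jti, 0) > now

class Worker:
    """One autoscaled instance; holds no per-token state of its own."""
    def __init__(self, secret, blocklist):
        self.secret, self.blocklist = secret, blocklist

    def _sign(self, signing_input):
        mac = hmac.new(self.secret, signing_input.encode(), hashlib.sha256)
        return _b64(mac.digest())

    def issue(self, sub, ttl=900, now=None):
        now = int(time.time()) if now is None else now
        claims = {"sub": sub, "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl}
        head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims).encode())
        return f"{head}.{body}.{self._sign(head + '.' + body)}"

    def verify(self, token, now=None):
        """Return the claims, or None if forged, expired or revoked."""
        now = int(time.time()) if now is None else now
        try:
            head, body, sig = token.split(".")
            if not hmac.compare_digest(sig, self._sign(head + "." + body)):
                return None
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None
        if claims["exp"] <= now or self.blocklist.is_revoked(claims["jti"], now):
            return None
        return claims
```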