
I'm looking to propagate a JWT token between my services running in docker using the library flask-jwt-extended and I have an idea of how I would do this using something similar to this:

requests.post(url, json={"access_token": access_token, "refresh_token": refresh_token})

But in my experience I need to return a response to do this.

I already have the frontend creating tokens and protecting my routes. I just want to use that token to do the same for the backend.

I want to be able to login from my frontend application and when I login that propagates the token throughout the other services. How do I approach this?

I will send the post request to a function that will look something similar to this:

from flask import Flask, request, jsonify
from flask_jwt_extended import set_access_cookies, set_refresh_cookies

app = Flask(__name__)

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == "POST":
        resp = jsonify({'login': True})
        # copy the tokens sent by the frontend into this app's JWT cookies
        set_access_cookies(resp, request.json["access_token"])
        set_refresh_cookies(resp, request.json["refresh_token"])
        return resp, 200
    # a Flask view must return something for GET as well
    return jsonify({'login': False}), 405

Do I need to return that response?

jor2
  • Is the frontend "creating" the token or just "requesting" the token from the backend? – Steve Boyd Feb 11 '19 at 22:32
  • @SteveBoyd at the moment everything JWT related is in the frontend service. I basically have two Flask apps, one frontend, one backend. I want to be able to store the token in the backend app too once I create/generate the token from the frontend. – jor2 Feb 11 '19 at 22:38
  • Storing tokens in your service sounds like a misuse of the token. The backend service should receive the token on each call and check that the signature is valid and verify that it was signed by a trusted key by checking that the public key is the expected key from the frontend service. There should be no need to "store" the token on the backend service. – Steve Boyd Feb 11 '19 at 22:41
  • @SteveBoyd is there any examples of this that you know of? – jor2 Feb 11 '19 at 23:09

1 Answer


Token sharing should be accomplished via signature trust. Make sure that your other services "know" the public key of the trusted signer.

Here's the basics:

  1. Frontend requests token from backend via authorization api

  2. Backend validates credentials, issues token using an 'RSXXX' algorithm, e.g. 'RS512'

  3. Frontend passes token to all calls to any of your backend services.

  4. When backend receives a token it verifies signature and "source" using the public key identity of the token before applying token payload to the requested operation.

All backend services and the frontend should have a configuration element which defines one or more trusted public keys used for token signing.

This article has some helpful information on using a public/private key pair with pyjwt: https://blog.miguelgrinberg.com/post/json-web-tokens-with-public-key-signatures

Steve Boyd
  • Thanks for taking the time to answer, made me rethink my approach. I decided to implement auth0 instead using https://auth0.com/docs/quickstart/backend/python/01-authorization. I just needed to add a little bit of extra config on top of what they had but I got the result I wanted. – jor2 Feb 12 '19 at 03:12
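An added example (not code from the answer or the linked article) of steps 2 and 4 above: the auth service signs with RS512 and a backend service verifies only against a configured map of trusted public keys, selected by the token's `kid` header. It uses PyJWT and cryptography; the service names, key id, claims and the `trusted_keys` shape are assumptions.

```python
import datetime as dt
import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_keypair_pem():
    """Constructed key pair for the demo; a real service loads its private key from secrets."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = priv.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                             serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


def issue_token(private_pem, kid, subject, audience):
    """Auth service (step 2): sign the claims with RS512 and label the token with the key id."""
    now = dt.datetime.now(dt.timezone.utc)
    claims = {"sub": subject, "iss": "auth-service", "aud": audience,
              "iat": now, "exp": now + dt.timedelta(minutes=15)}
    return jwt.encode(claims, private_pem, algorithm="RS512", headers={"kid": kid})


def verify_token(token, trusted_keys, audience):
    """Backend service (step 4): trusted_keys maps kid -> public key PEM, the per-service
    configuration element. Returns the verified claims, or None if the token is rejected."""
    kid = jwt.get_unverified_header(token).get("kid")
    if kid not in trusted_keys:
        return None  # unknown signer: reject before doing any signature check
    try:
        # algorithms is pinned so the token cannot pick a weaker algorithm;
        # audience and issuer are checked so a token for another service is refused
        return jwt.decode(token, trusted_keys[kid], algorithms=["RS512"],
                          audience=audience, issuer="auth-service")
    except jwt.InvalidTokenError:
        return None  # bad signature, wrong audience/issuer, expired, malformed


if __name__ == "__main__":
    priv, pub = generate_keypair_pem()
    trusted = {"auth-2019-02": pub}  # what each backend has in its config
    token = issue_token(priv, "auth-2019-02", "alice", "orders-service")
    print(verify_token(token, trusted, "orders-service"))
```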