0

I have a Flask app running in AWS using Flask-JWT-Extended. It is serving REST API calls to a web app.

As I understand from the documentation, the tokens are generated and stored in memory. I am considering storing them external to the Flask app in either a database or Redis. The reason for this is to support load balancing:

  • I presume that sticky-sessions would be required to make sure that the client's token can be properly decoded and analyzed for validity
  • I am considering putting the app in AWS Lambda, which would probably wipe out the JWT list once the request was served.

My questions are:

  • Is there any reason this scheme would not generally work?
  • If the tokens are stored outside the Flask app, it is not clear how to override the local token storage and access an external storage medium. Can this be done?
Paul Waldo
  • 1,131
  • 10
  • 26

1 Answers1

1

The tokens are not stored in memory. JWT works by creating tokens that can be verified to have not been tampered with without having to keep any state on the server (just make sure to keep the JWT_SECRET_KEY really and truly secret). Here is an article about stateless authentication you might want to read up on: https://blog.imaginea.com/stateless-authentication-using-jwt-2/

vimalloc
  • 3,869
  • 4
  • 32
  • 45
  • Bingo! get_raw_jwt() returns "{'iat': 1580762392, 'nbf': 1580762392, 'jti': 'c1a7447d-2617-4cf3-b936-ca6e1fd24862', 'exp': 1580763292, 'identity': 'paul', 'fresh': True, 'type': 'access', 'user_claims': {}}" and shows that the expiration time (exp) is inside the token. flask_jwt_extended.verify_jwt_in_request() can then be used to verify a valid token. – Paul Waldo Feb 03 '20 at 20:58