Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow other authorization type to pass #82

Closed
philloooo opened this issue Aug 31, 2017 · 5 comments
Closed

allow other authorization type to pass #82

philloooo opened this issue Aug 31, 2017 · 5 comments

Comments

@philloooo
Copy link

if a flask app supports multiple authorization mechanisms, eg: JWT and hmacv4, how should I use this library?
From what I see in the decorator, it raises execption as long as it finds the authorization type doesn't match what's configured.
Can you support another setting flag to allow alternative authorization type, so that the jwt_optional just silently do nothing if the type is not bearer?
@vimalloc
Copy link
Owner

Can you support another setting flag to allow alternative authorization type, so that the jwt_optional just silently do nothing if the type is not bearer?

If you just want to change the header name that sends in the JWT, you can do that with the JWT_HEADER_NAME and JWT_HEADER_TYPE options (http://flask-jwt-extended.readthedocs.io/en/latest/options.html#header-options). By default JWT_HEADER_TYPE is Authorization, and JWT_HEADER_TYPE is Bearer.

If you're saying you want it to not error out when using @jwt_optional if we get an authorization header that doesn't match the type this extension is expecting, I could look into adding a new flag to control that. However, there might be a simpler way to work around this. Do you control whatever frontend is sending the JWTs to your application? If there is a conflict between two sources that want to send in data from an authorization header, you could always change the JWT_HEADER_NAME for this extension and send it in via a header name different then Authorization. There is no technical reason why that header has to be used, it is just a convention.

If that doesn't work for you, let me know, and I'll look closer at this and see if something could be done without too much trouble on this extension.

Cheers.

@philloooo
Copy link
Author

Thanks for the quick response!
I agree that there is technically no reason to not use a different header name, but I would like to adhere to the best practices.
Afaik the header_type was suggested to be in the Authorization header so that we can distinguish different algorithms, and that makes services that support multiple auth mechanisms work. So it would be great if a new flag can be added to control that.

@vimalloc
Copy link
Owner

Fair enough. I'll poke at it this weekend and come up with something.

Cheers.

@philloooo
Copy link
Author

thanks!!

vimalloc added a commit that referenced this issue Sep 6, 2017
@vimalloc
have jwt_optional catch and ignore InvalidHeaderError
dc0d5d0 
This fixes the case of a different authorization header (for example,
into another authorization system) causing jwt_optional to return the
invalid header error handler. This is technically a breaking change, but
I would argue that this is more of a bug fix and that no one is (or
should be) relying on jwt_optional to send back an InvalidHeaderError if
they send in a different header then this extension expects. Refs #82
@vimalloc
Copy link
Owner

vimalloc commented Sep 6, 2017

Got this released in version 3.3.1.

Instead of another flag, I just set it up to always ignore InvalidHeaderError in @jwt_optional. This sounded like the more sane thing to do, I can't imagine any is actively relying on getting that error back if they are sending in differently formatted authorization headers to a @jwt_optional endpoint. Let me know if you run into any issues with this.

Cheers.

@vimalloc vimalloc closed this as completed Sep 6, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vimalloc @philloooo