Securing Flask APIs using JWT

About Me

Md. Shahbaz Alam

Full Stack Developer

Auth0 Ambassador

Mozilla Reps Mentor

GDG Ranchi Organizer

@mdsbzalam

Agenda

1. JSON Web Tokens ( JWT )

2. Python Frameworks

3. Flask

4. Demo

JWT

What is JSON Web Tokens?

Based on Web Standard ( RFC 7519 )
securely communicate JSON Objects
A way to encode information
Allow shared parties to verify information is legit
Secret-based Verification
When secret changes then information is no more legit
Consists of a header, payload and signature
Self-contained

JWT

JSON Web Token

JWT

The JWT Header

The header is a JSON Object usually consisting of the type( typ ) , which is JWT, and the algorithm used for encrypting the JWT (alg ):

{
  "alg": "HS256",
  "typ": "JWT"
}

JWT

The JWT Payload

The Payload is a JSON object that consists of user defined attributes ( called public claims ) . Some attributes are defined in the standard ( these are called reserved claims ).

{
    // reserved claim
    "iss": "https://myapi.com", 
    // public claim
    "user": "mdsbzalam" 
}

JWT

The JWT Signature

The Signature is the encoded header and payload, signed with a secret.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

This accomplishes several tasks at once, including:

Proves the identity of the sender
Ensures the message has not changed

JWT

The JWT Token

A finished token looks like [encoded header].[encoded payload].[signature] :

JWT

The JWT Token

JWT

Advantages:

Easy to parse

Easy to Sign

Compact

compared to XML

compared to ...

You get it.

JWT

Implementing JWT in Python

$ pip install jwt
$ python 
>>> import jwt

>>> jwt.encode({'jwt':'JSON Web Token'},'secret')

JWT

decoding JWT in Python

$
......

>>> token = jwt.encode({'py':'Python'},'secret')

>>> jwt.decode(token , 'secret')

{'py':'Python'}

Python Frameworks

Why Python?

Fastest growing programming language
Huge Community base is improving every aspect of the language
More & more open source libraries are being released to address AI, ML, and Web Development.
https://docs.python.org/3/ for new adopters to learn its essence fast

Python Frameworks

Full-stack frameworks:

Python Frameworks

Microframeworks:

Python Frameworks

Asynchronous frameworks:

other:

Flask App

Dependencies:

Python 2 or 3
Flask
jsonify
request
make_response
jwt
datetime
wraps

Flask App

Basic Flask App

from flask import Flask

app = Flask(__name__)

if __name__ == "__main__":
    app.run(debug=True)

Flask App

Lets modify few things..

from flask import Flask
from flask import jsonify
from flask import request
from flask import make_response

...
...

Flask App

Now add Authentication to it

...
@app.route('/login')
def login():
    auth = request.authorization

    if auth and auth.password == 'pyconid':
	return jsonify({'message' : 'logged in})

    return make_response('Could not verify!', 401,
           {'WWW-Authenticate' : 
             'Basic realm:"Login Required"'})
...

Flask App

Lets add two more Routes

...
@app.route('/unprotected')
def unprotected():
    return jsonify({'message' : 
           'Anyone can view this.'})

@app.route('/protected')
def protected():
    return jsonify({'message' : 
    'Only available to people 
               with valid tokens.'})
...

Flask App

It's time to import JWT

...
import jwt
import datetime

...
...

Flask App

Modifying Login method to set token

...
app.config['SECRET_KEY'] = 'indonesia'
...
if auth and auth.password == 'pyconid':
    token = jwt.encode({'user': auth.username,
            'exp': datetime.datetime.utcnow() 
            + datetime.timedelta(seconds=50)},
            app.config['SECRET_KEY'])
    return jsonify({'message' : 'logged in})
...
...

Flask App

Creating decorator for protected route

...
def token_required(f):
  @wraps(f)
  def decorated(*args, **kwargs):
    token = request.args.get('token')
    # http://127.0.0.1:5000/protected?token=sqibsq12egvdyw
    if not token:
      return jsonify({'message' : 'Token is missing'}), 403
      try:
        data = jwt.decode(token, app.config['SECRET_KEY'])
      except:
        return jsonify({'message' : 'Token is invalid!'}), 403
    return f(*args, **kwargs)
  return decorated
...

Flask App

Adding decorator to protected route

...

@app.route('/protected')

def protected():
    return jsonify({'message' : 
    'Only available to people 
               with valid tokens.'})
...

Flask App

Adding decorator to protected route

...

@app.route('/protected')
@token_required
def protected():
    return jsonify({'message' : 
    'Only available to people 
               with valid tokens.'})
...

Flask App : complete

from flask import Flask, jsonify, request, make_response
import jwt
import datetime
from functools import wraps

app = Flask(__name__)

app.config['SECRET_KEY'] = 'indonesia'

# Token Decorator
def token_required(f):
	@wraps(f)
	def decorated(*args, **kwargs):
		token = request.args.get('token')

		if not token:
			return jsonify({'message' : 'Token is missing'}), 403

		try:
			data = jwt.decode(token, app.config['SECRET_KEY'])
		except:
			return jsonify({'message' : 'Token is invalid!'}), 403

		return f(*args, **kwargs)

	return decorated

# Unprotected Route and function
@app.route('/unprotected')
def unprotected():
	return jsonify({'message' : 'Anyone can view this.'})

# Protected Route and function
@app.route('/protected')
@token_required
def protected():
	return jsonify({'message' : 'Only available to people with valid tokens.'})

# Login Route and function
@app.route('/login')
def login():
	auth = request.authorization

	if auth and auth.password == 'pyconid':
		token = jwt.encode({'user': auth.username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=40)}, app.config['SECRET_KEY'])
		return jsonify({'token' : token})

	return make_response('Could not verify!', 401, {'WWW-Authenticate' : 'Basic realm:"Login Required"'})

if __name__ == "__main__":
    app.run(debug=True)

Flask App

Try it yourself

[~]$ python flaskdemo.py

Flask App

Auth0 way

https://auth0.com/docs/quickstart/backend/python

Resources

General JWT Resources

jwt.io

Overview of JWT Signing Algorithms

http://bit.ly/jwt-alg

JWT Handbook

http://bit.ly/jwt-book

Connect with me

Facebook

facebook.com/mdsbzalam

Twitter

@mdsbzalam

Instagram

@mdsbzalam

https://in.linkedin.com/in/mdsbzalam

E-mail

mdsbzalam@gmail.com

Slide

http://bit.ly/pyconid-slide

Thank you

@mdsbzalam

Securing Flask APIs using JWT

By Mohammad Shahbaz Alam

Securing Flask APIs using JWT

Securing Django and Flask APIs using JWT

Mohammad Shahbaz Alam

Full Stack Developer, Developer Advocate @ Magic Labs, GDG-Ranchi Organizer, and Mozilla Representative. Loves speaking on Serverless, Authentication & Authorization, Security, Web Extensions and VR at meet-ups and conferences.

Securing Flask APIs using JWT

About Me

Md. Shahbaz Alam

Agenda

JWT

What is JSON Web Tokens?

JWT

JSON Web Token

JWT

The JWT Header

JWT

The JWT Payload

JWT

The JWT Signature

JWT

The JWT Token

JWT

The JWT Token

JWT

Advantages:

JWT

Implementing JWT in Python

JWT

decoding JWT in Python

Python Frameworks

Why Python?

Python Frameworks

Full-stack frameworks:

Python Frameworks

Microframeworks:

Python Frameworks

Asynchronous frameworks:

other:

Flask App

Dependencies:

Flask App

Basic Flask App

Flask App

Lets modify few things..

Flask App

Now add Authentication to it

Flask App

Lets add two more Routes

Flask App

It's time to import JWT

Flask App

Modifying Login method to set token

Flask App

Creating decorator for protected route

Flask App

Adding decorator to protected route

Flask App

Adding decorator to protected route

Flask App : complete

Flask App

Try it yourself

Flask App

Auth0 way

Resources

Connect with me

Slide

Thank you

Securing Flask APIs using JWT

More from Mohammad Shahbaz Alam