
How to return a bearer JWT token FROM Flask?

How do I form a response from a Flask Python server which would contain the bearer token in the response? More precisely, I am looking to somehow securely propagate the JWT token from the Flask Python server back to the client (Angular page). I can just return it in the form of a query string in a GET redirect. What are the other possibilities in terms of returning the JWT access token back to the client? I tried setting the response from Python, and setting the JWT token in the Authorization field, but nothing worked. This is what I tried:

1.

```python
r = Response(headers={
                "Authorization": "bearer jwtcntent",
                "Access-Control-Allow-Origin": "*",
             },
             is_redirect=True,
             url="https://localhost:5000/callback",
)
return r
```

2.

```python
r = redirect("http://localhost:5000/callback")
r.headers = {"authorization": "bearer jwtcntent"}
return r
```

3.

```python
r = Response(headers={
                "Authorization": "Bearer jwtcntent",
                "Access-Control-Allow-Origin": "*",
             },
             allow_redirects=True,
             url="https://localhost:5000/callback",
)
return r
```

Any recommendations?

You can store it in an httponly cookie, but you need to make sure to handle CSRF attacks if you do so. Flask-JWT-Extended has built-in support for this, which you might find useful, either as a solution or as a reference for whatever you end up doing:

https://flask-jwt-extended.readthedocs.io/en/stable/token_locations/#cookies

You can also just send the token back as part of the JSON body and then store it in local/session storage, which is probably the most common pattern.
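The HttpOnly-cookie-plus-CSRF pattern from this answer, as an added example that is not part of the original thread or of Flask-JWT-Extended: standard-library cookie handling stands in for Flask's `response.set_cookie` / `request.cookies` so it runs without Flask, the JWT value is a constructed placeholder, and the CSRF cookie/header names are assumed to follow Angular HttpClient's XSRF defaults.

```python
from __future__ import annotations

import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed names (not from the thread). XSRF-TOKEN / X-XSRF-TOKEN are the
# defaults Angular's HttpClient reads and echoes automatically.
ACCESS_COOKIE = "access_token"
CSRF_COOKIE = "XSRF-TOKEN"
CSRF_HEADER = "X-XSRF-TOKEN"


def login_response_headers(jwt_token: str, csrf_token: str | None = None) -> list[str]:
    """Set-Cookie values the login/callback endpoint should emit.

    The JWT goes in an HttpOnly cookie so page scripts (injected ones too)
    cannot read it; the CSRF token goes in a readable cookie so the SPA can
    copy it into a request header (double-submit cookie pattern). In Flask
    this is response.set_cookie(..., httponly=True, secure=True, samesite="Strict").
    """
    csrf_token = csrf_token or secrets.token_urlsafe(32)
    jar = SimpleCookie()
    for name, value, http_only in ((ACCESS_COOKIE, jwt_token, True),
                                   (CSRF_COOKIE, csrf_token, False)):
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["secure"] = True
        jar[name]["samesite"] = "Strict"
        jar[name]["httponly"] = http_only
    return [morsel.OutputString() for morsel in jar.values()]


def browser_cookie_jar(set_cookie_headers: list[str]) -> dict[str, str]:
    """What the browser stores after the login response (name -> value)."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def authorize_request(cookies: dict[str, str], headers: dict[str, str]) -> tuple[bool, str]:
    """Server-side check for a state-changing request.

    The JWT is taken from the cookie only (never a query string), and the
    request is rejected unless the CSRF header equals the CSRF cookie,
    compared in constant time. Verifying the JWT signature is a separate step.
    """
    token = cookies.get(ACCESS_COOKIE)
    if not token:
        return False, "missing access token cookie"
    csrf_cookie = cookies.get(CSRF_COOKIE, "")
    csrf_header = headers.get(CSRF_HEADER, "")
    if not csrf_cookie or not hmac.compare_digest(csrf_cookie, csrf_header):
        return False, "csrf token missing or mismatched"
    return True, token
```

With SameSite=Strict the browser also refuses to attach these cookies to cross-site requests, so the double-submit check is the second layer rather than the only one.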

Are you able to implement a regular OAuth flow in your Authorization Server? OAuth flows are standardized and use secure ways of returning an access token to the client.

I don't recommend using the Authorization header for returning responses. This header is a request header; it has no meaning in a response. If you really need to do it through the header, you can add an Access-Control-Expose-Headers header to let your client read the Authorization header from a response.
