
Standard Python Auth0 project does not seem to authenticate

I'm trying to run the standard Python Auth0 project provided here. It comes with valid pre-generated keys in the .env file if you're logged in, and I checked them anyway, so the issue is similar to Django + Auth0 JWT authentication refusing to decode, but the answer there didn't help.

server.py from the example:

import jwt
import base64
import os

from functools import wraps
from flask import Flask, request, jsonify, _request_ctx_stack
from werkzeug.local import LocalProxy
from dotenv import Dotenv
from flask.ext.cors import cross_origin

env = None

try:
    env = Dotenv('./.env')
    client_id = env["AUTH0_CLIENT_ID"]
    client_secret = env["AUTH0_CLIENT_SECRET"]
except IOError:
  env = os.environ

app = Flask(__name__)

# Format error response and append status code.
def handle_error(error, status_code):
  resp = jsonify(error)
  resp.status_code = status_code
  return resp

def requires_auth(f):
  @wraps(f)
  def decorated(*args, **kwargs):
    auth = request.headers.get('Authorization', None)
    if not auth:
      return handle_error({'code': 'authorization_header_missing', 'description': 'Authorization header is expected'}, 401)

    parts = auth.split()

    if parts[0].lower() != 'bearer':
      return handle_error({'code': 'invalid_header', 'description': 'Authorization header must start with Bearer'}, 401)
    elif len(parts) == 1:
      return handle_error({'code': 'invalid_header', 'description': 'Token not found'}, 401)
    elif len(parts) > 2:
      return handle_error({'code': 'invalid_header', 'description': 'Authorization header must be Bearer + \s + token'}, 401)

    token = parts[1]
    try:
      # Auth0 hands out the HS256 client secret base64url-encoded; turn it back
      # into raw key bytes before verifying the token's signature.
      payload = jwt.decode(
          token,
          base64.b64decode(client_secret.replace("_","/").replace("-","+")),
          audience=client_id
      )
    except jwt.ExpiredSignature:
      return handle_error({'code': 'token_expired', 'description': 'token is expired'}, 401)
    except jwt.InvalidAudienceError:
      return handle_error({'code': 'invalid_audience', 'description': 'incorrect audience, expected: ' + client_id}, 401)
    except jwt.DecodeError:
      return handle_error({'code': 'token_invalid_signature', 'description': 'token signature is invalid'}, 401)
    except Exception:
      return handle_error({'code': 'invalid_header', 'description':'Unable to parse authentication token.'}, 400)

    _request_ctx_stack.top.current_user = user = payload
    return f(*args, **kwargs)

  return decorated

# Controllers API
@app.route("/ping")
@cross_origin(headers=['Content-Type', 'Authorization'])
def ping():
    return "All good. You don't need to be authenticated to call this"

@app.route("/secured/ping")
@cross_origin(headers=['Content-Type', 'Authorization'])
@cross_origin(headers=['Access-Control-Allow-Origin', '*'])
@requires_auth
def securedPing():
    return "All good. You only get this message if you're authenticated"

if __name__ == "__main__":
    app.run(host='0.0.0.0', port = int(os.environ.get('PORT', 3001)))

http://localhost:3001/secured/ping gives:

{
  "code": "authorization_header_missing", 
  "description": "Authorization header is expected"
}

Headers:

Request URL:http://localhost:3001/secured/ping
Request Method:GET
Status Code:401 UNAUTHORIZED
Remote Address:127.0.0.1:3001

Response Headers
Content-Length:98
Content-Type:application/json
Date:Wed, 15 Jun 2016 13:15:57 GMT
Server:Werkzeug/0.11.4 Python/2.7.6

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Cache-Control:max-age=0
Connection:keep-alive
Host:localhost:3001
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36

In the docs linked under your "Call Your API" section, the request uses the "Authorization" header; for example, if you need to connect with curl, use the following option:

--header 'Authorization: Bearer YOUR_ID_TOKEN_HERE'

Your Python code then parses this Authorization header.

However, as you can see in the Request Headers you provided, there is no Authorization field in the headers.

Also, the code sample doesn't send any requests, it serves them, so the code doesn't need to be changed.

Instead, to request the secured version of ping, you need to make the request using one of the methods described in the linked docs. Without JavaScript you can't access the protected page in the browser.
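As an added illustration (not code from the Auth0 sample or from either poster), the following reproduces the check that requires_auth performs, the Bearer header parsing and the HS256 verification with the base64url-decoded client secret, using only the standard library so it can be exercised without Flask or PyJWT; the secret, client id and the `now` parameter are constructed stand-ins, and a token without `exp` is treated as expired, which is stricter than the sample. It shows why the bare browser GET from the question gets `authorization_header_missing` and what a request has to carry to pass.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins, not real Auth0 credentials. Auth0 issues the HS256
# client secret base64url-encoded; server.py un-URL-safes and base64-decodes it.
SECRET_BYTES = b"constructed-demo-secret-not-a-real-credential"
CLIENT_SECRET = base64.urlsafe_b64encode(SECRET_BYTES).rstrip(b"=").decode()
CLIENT_ID = "constructed_client_id"

def b64url_decode(s):
    # Same replace() trick as server.py, plus the '=' padding b64decode needs.
    s = s.replace("_", "/").replace("-", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims, secret_bytes=SECRET_BYTES):
    # Build an HS256 JWT as the issuer would, so the server-side check can be exercised.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret_bytes, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def check_request(headers, client_secret=CLIENT_SECRET, audience=CLIENT_ID, now=None):
    # Mirrors requires_auth; returns (status, error_code) or (200, claims).
    auth = headers.get("Authorization")
    if not auth:
        return 401, "authorization_header_missing"   # what the bare browser GET hits
    parts = auth.split()
    if not parts or parts[0].lower() != "bearer" or len(parts) != 2:
        return 401, "invalid_header"
    try:
        head_b64, body_b64, sig_b64 = parts[1].split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return 400, "invalid_header"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 400, "invalid_header"
    if header.get("alg") != "HS256":                 # pin the algorithm; ignore the token's choice
        return 401, "token_invalid_signature"
    key = b64url_decode(client_secret)
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return 401, "token_invalid_signature"
    if claims.get("aud") != audience:
        return 401, "invalid_audience"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):  # no exp counts as expired
        return 401, "token_expired"
    return 200, claims
```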
