[英]Standard Python Auth0 project does not seem to authenticate
我正在尝试运行此处提供的标准Python Auth0项目,如果您登录了它,则在.env文件中随附有效的预先生成的密钥,并且无论如何我都对其进行了检查,因此问题类似于拒绝解码的Django + Auth0 JWT身份验证,但答案那里没有帮助。
来自示例的server.py:
import jwt
import base64
import os
from functools import wraps
from flask import Flask, request, jsonify, _request_ctx_stack
from werkzeug.local import LocalProxy
from dotenv import Dotenv
from flask.ext.cors import cross_origin
env = None
try:
env = Dotenv('./.env')
client_id = env["AUTH0_CLIENT_ID"]
client_secret = env["AUTH0_CLIENT_SECRET"]
except IOError:
env = os.environ
app = Flask(__name__)
# Format error response and append status code.
def handle_error(error, status_code):
resp = jsonify(error)
resp.status_code = status_code
return resp
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
auth = request.headers.get('Authorization', None)
if not auth:
return handle_error({'code': 'authorization_header_missing', 'description': 'Authorization header is expected'}, 401)
parts = auth.split()
if parts[0].lower() != 'bearer':
return handle_error({'code': 'invalid_header', 'description': 'Authorization header must start with Bearer'}, 401)
elif len(parts) == 1:
return handle_error({'code': 'invalid_header', 'description': 'Token not found'}, 401)
elif len(parts) > 2:
return handle_error({'code': 'invalid_header', 'description': 'Authorization header must be Bearer + \s + token'}, 401)
token = parts[1]
try:
payload = jwt.decode(
token,
base64.b64decode(client_secret.replace("_","/").replace("-","+")),
audience=client_id
)
except jwt.ExpiredSignature:
return handle_error({'code': 'token_expired', 'description': 'token is expired'}, 401)
except jwt.InvalidAudienceError:
return handle_error({'code': 'invalid_audience', 'description': 'incorrect audience, expected: ' + client_id}, 401)
except jwt.DecodeError:
return handle_error({'code': 'token_invalid_signature', 'description': 'token signature is invalid'}, 401)
except Exception:
return handle_error({'code': 'invalid_header', 'description':'Unable to parse authentication token.'}, 400)
_request_ctx_stack.top.current_user = user = payload
return f(*args, **kwargs)
return decorated
# Controllers API
@app.route("/ping")
@cross_origin(headers=['Content-Type', 'Authorization'])
def ping():
return "All good. You don't need to be authenticated to call this"
@app.route("/secured/ping")
@cross_origin(headers=['Content-Type', 'Authorization'])
@cross_origin(headers=['Access-Control-Allow-Origin', '*'])
@requires_auth
def securedPing():
return "All good. You only get this message if you're authenticated"
if __name__ == "__main__":
app.run(host='0.0.0.0', port = int(os.environ.get('PORT', 3001)))
http:// localhost:3001 / secured / ping给出:
{
"code": "authorization_header_missing",
"description": "Authorization header is expected"
}
标头:
Request URL:http://localhost:3001/secured/ping
Request Method:GET
Status Code:401 UNAUTHORIZED
Remote Address:127.0.0.1:3001
Response Headers
Content-Length:98
Content-Type:application/json
Date:Wed, 15 Jun 2016 13:15:57 GMT
Server:Werkzeug/0.11.4 Python/2.7.6
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Cache-Control:max-age=0
Connection:keep-alive
Host:localhost:3001
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36
在您的“ 调用您的API ”部分下链接的文档中,请求使用标头“ Authorization
,例如,如果您需要使用curl连接,请使用以下选项:
--header 'Authorization: Bearer YOUR_ID_TOKEN_HERE'
然后,您的python代码会解析此Authorization
标头。
但是,正如您在提供的Request Headers
看到的那样,标头中没有Authorization
字段。
另外,代码示例不会发送任何请求,而是为它们提供服务,因此不必更改代码。
相反,要请求ping的安全版本,您需要使用链接文档中描述的方法之一进行请求。 如果没有javascript,则无法在浏览器中访问受保护的页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.