JWT Support #209

Open
yardenfi opened this issue Jul 4, 2018 · 11 comments
Comments

@yardenfi
Contributor

@yardenfi yardenfi commented Jul 4, 2018

https://github.com/rochacbruno/flasgger/blob/6bdacbafd9aa84f6d6f319a5a84b6fb90cc2b5a6/flasgger/ui3/templates/flasgger/swagger.html#L33
Flasgger is using the value "Bearer" hardcoded in this line. In order to support JWT, I have found I need to change this line to "JWT " manually. I think it should be configurable.

@MaciejKucia

@MaciejKucia MaciejKucia commented Aug 1, 2018

It seems that this is quite easy to implement in config, just like the JWT_AUTH_URL_RULE option.
But the question is whether Bearer should be configurable. The following StackOverflow topic suggests that it should not.
https://stackoverflow.com/questions/33265812/best-http-authorization-header-type-for-jwt

The best HTTP header for your client to send an access token (JWT or any other token) is the Authorization header with the Bearer authentication scheme.

@javabrett
Collaborator

@javabrett javabrett commented Aug 7, 2018

@yardenfi which client are you working with that expects/requires Authorization: JWT ..., or is this for something new? OAuth Bearer is no good for what you are doing?

@javabrett
Collaborator

@javabrett javabrett commented Aug 8, 2018

Other references:

https://swagger.io/docs/specification/authentication/bearer-authentication/

Authorization: Bearer
(when discussing JWT)

https://swagger.io/specification/#securitySchemeScheme -> https://tools.ietf.org/html/rfc7235#section-5.1 -> https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml

... Basic, Bearer, OAuth but no JWT.

I don't believe Authorization: JWT ... is part of a standard, but if it is please add a reference here.

So this could be made configurable, but per @MaciejKucia, should it be made configurable in a way that OpenAPI doesn't support in specs?

@javabrett javabrett self-assigned this Aug 8, 2018
@llk2why

@llk2why llk2why commented Aug 24, 2018

I've encountered the same problem. When I change "Bearer" to "JWT" in my Postman request's header, it works. But the try-out on the site doesn't go well. What should I do?

@yardenfi
Contributor Author

@yardenfi yardenfi commented Aug 29, 2018

It's just not working when supplied with Bearer instead of JWT with flask_jwt.

@noelTron

@noelTron noelTron commented Dec 5, 2018

Just adding that this would be a nice feature. Currently working with our code base that uses the JWT prefix, I had to add a middleware rule to convert the SwaggerUI token from Bearer to JWT; it would be nice not to have to. :)

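The middleware rule @noelTron describes, written out as an added example that is not part of flasgger or of the commenter's code: a WSGI wrapper that rewrites the "Bearer" scheme Swagger UI's try-it-out sends into the "JWT" scheme a flask_jwt style backend expects, and only for a well-formed `<scheme> <b64token>` value, so a malformed header still fails downstream. `echo_app` and `call` are assumed stand-ins for the real application and a test client.

```python
import re

# RFC 6750 b64token: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", then optional "="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

def rewrite_scheme(header_value, from_scheme="Bearer", to_scheme="JWT"):
    """Replace the scheme in an Authorization header value.

    Only a well-formed "<scheme> <b64token>" value is rewritten; anything else is
    returned unchanged so a malformed header is still rejected downstream rather
    than silently repaired. Scheme names compare case-insensitively (RFC 7235).
    """
    if header_value is None:
        return None
    parts = header_value.split(" ")
    if len(parts) != 2 or parts[0].lower() != from_scheme.lower():
        return header_value
    if not _B64TOKEN.match(parts[1]):
        return header_value
    return f"{to_scheme} {parts[1]}"

class AuthSchemeRewrite:
    """WSGI middleware mapping the "Bearer" prefix Swagger UI sends to the "JWT"
    prefix a flask_jwt style backend expects. For a Flask app:
    app.wsgi_app = AuthSchemeRewrite(app.wsgi_app)"""

    def __init__(self, app, from_scheme="Bearer", to_scheme="JWT"):
        self.app = app
        self.from_scheme = from_scheme
        self.to_scheme = to_scheme

    def __call__(self, environ, start_response):
        # WSGI exposes the Authorization request header as HTTP_AUTHORIZATION
        auth = environ.get("HTTP_AUTHORIZATION")
        if auth is not None:
            environ["HTTP_AUTHORIZATION"] = rewrite_scheme(auth, self.from_scheme, self.to_scheme)
        return self.app(environ, start_response)

def echo_app(environ, start_response):
    """Hypothetical stand-in for the real app: echoes the header it received."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_AUTHORIZATION", "").encode()]

def call(app, auth_header):
    """Drive a WSGI app with a constructed request and return the body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if auth_header is not None:
        environ["HTTP_AUTHORIZATION"] = auth_header
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

Because the scheme names are parameters, the same wrapper run with `from_scheme="JWT", to_scheme="Bearer"` does the reverse mapping for a backend that only accepts the standard scheme.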
@javabrett
Collaborator

@javabrett javabrett commented Dec 5, 2018

@noelTron can you reference documentation or discussion or better still a standard or RFC describing the use of JWT prefix?

@noelTron

@noelTron noelTron commented Dec 5, 2018

@javabrett there are a few JWT libraries that default to the JWT prefix:

flask_jwt:
https://pythonhosted.org/Flask-JWT/

REST framework JWT Auth:
http://getblimp.github.io/django-rest-framework-jwt/

I just thought it would be great to set the prefix in flasgger so it works with the default settings in those libraries. We love flasgger but can't change the prefix on our servers as we will break client apps requests that we aren't responsible for.

@javabrett
Collaborator

@javabrett javabrett commented Dec 5, 2018

Just noting that:

  • https://github.com/mattupstate/flask-jwt is largely abandoned.
  • In the other project there is this issue essentially asking for the reverse, so they can use the (standard) Bearer scheme, and a fair bit of surrounding discussion around making things OAuth2 compatible there.

@noelTron

@noelTron noelTron commented Dec 5, 2018

@javabrett That's fair, I did see that too, and this is mainly for supporting legacy code. If I made a PR to configure the prefix, if I find time, would you be willing to accept it?

@javabrett
Collaborator

@javabrett javabrett commented Dec 5, 2018

I don't see anything especially offensive about making the token "Bearer " configurable, defaulting to the current literal. @rochacbruno ?

I'd be more likely to support PRs that don't mention the token JWT anywhere - if this isn't an IANA registered auth type, I'd be reluctant to encourage its use on the back of a couple of older libraries using it.
