
Decoding jwt is missing "jti" #3

Closed
rlam3 opened this issue Sep 19, 2016 · 6 comments

Comments

@rlam3
Contributor

rlam3 commented Sep 19, 2016

I'm getting the following error when using the provided token back to the refresh link.
The refresh_token wasn't used in the process?

Header:
Authorization: Bearer

{
  "msg": "Missing or invalid claim: jti"
}
@vimalloc
Owner

It seems to work for me. Did you make any changes which would cause flask reloader to kick in after generating your access/refresh tokens? In that example app, the blacklist is enabled, but we are storing the token data in memory, so if the flask app restarts, your token is still valid, but it cannot find it in the blacklist store (this is why redis/memcached/sqlalchemy should be used in prod).

curl -H "Content-Type: application/json" -X POST -d '{"username":"test1","password":"abc123"}' http://localhost:5000/auth/login
{
  "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQzMTA0MjksImZyZXNoIjp0cnVlLCJpYXQiOjE0NzQzMDY4MjksImp0aSI6IjNiNzgzOGI4LTg3MWEtNGRiMi1iOWI1LTkyOTVhZTJlZTAwMiIsImlkZW50aXR5IjoidGVzdDEiLCJ0eXBlIjoiYWNjZXNzIiwidXNlcl9jbGFpbXMiOnsidHlwZSI6InRlY2huaWNpYW4iLCJpcCI6IjEyNy4wLjAuMSJ9LCJuYmYiOjE0NzQzMDY4Mjl9.KKyMvgei_1d60q6Dw_r-fT0co004M5PxrZuhmbfre5VQKjqghnMvf7kTECyHQQHh8uV7O5AURo1ImJWmHS1oqw", 
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQ5MTE2MjksImlhdCI6MTQ3NDMwNjgyOSwianRpIjoiZTJjM2Q4ODAtMDIxYy00NDE5LTg4OWItNGM1ZjY2ODljMjU2IiwiaWRlbnRpdHkiOiJ0ZXN0MSIsInR5cGUiOiJyZWZyZXNoIiwibmJmIjoxNDc0MzA2ODI5fQ.5KWz0IR28Z__bVnQZ6WhD1BQoSBYUPDaSfgsvky3eURZDkLqbdRRaTMUOer5p2LIRb-2bI7NSXzvn7R83WkZPw"
}

export ACCESS="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQzMTA0MjksImZyZXNoIjp0cnVlLCJpYXQiOjE0NzQzMDY4MjksImp0aSI6IjNiNzgzOGI4LTg3MWEtNGRiMi1iOWI1LTkyOTVhZTJlZTAwMiIsImlkZW50aXR5IjoidGVzdDEiLCJ0eXBlIjoiYWNjZXNzIiwidXNlcl9jbGFpbXMiOnsidHlwZSI6InRlY2huaWNpYW4iLCJpcCI6IjEyNy4wLjAuMSJ9LCJuYmYiOjE0NzQzMDY4Mjl9.KKyMvgei_1d60q6Dw_r-fT0co004M5PxrZuhmbfre5VQKjqghnMvf7kTECyHQQHh8uV7O5AURo1ImJWmHS1oqw" 
export REFRESH="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQ5MTE2MjksImlhdCI6MTQ3NDMwNjgyOSwianRpIjoiZTJjM2Q4ODAtMDIxYy00NDE5LTg4OWItNGM1ZjY2ODljMjU2IiwiaWRlbnRpdHkiOiJ0ZXN0MSIsInR5cGUiOiJyZWZyZXNoIiwibmJmIjoxNDc0MzA2ODI5fQ.5KWz0IR28Z__bVnQZ6WhD1BQoSBYUPDaSfgsvky3eURZDkLqbdRRaTMUOer5p2LIRb-2bI7NSXzvn7R83WkZPw"

curl -H "Authorization: Bearer $REFRESH" -X POST http://localhost:5000/auth/refresh 
{
  "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NzQzMTA0NTcsImZyZXNoIjpmYWxzZSwiaWF0IjoxNDc0MzA2ODU3LCJqdGkiOiIzMjZiYjkwOC02NmFjLTRiYTUtODJlZC04Y2RiNzNmMjZkZmIiLCJpZGVudGl0eSI6InRlc3QxIiwidHlwZSI6ImFjY2VzcyIsInVzZXJfY2xhaW1zIjp7InR5cGUiOiJ0ZWNobmljaWFuIiwiaXAiOiIxMjcuMC4wLjEifSwibmJmIjoxNDc0MzA2ODU3fQ.8jglk7h_9JEWmengK1WYJ7L1d5XbGla1e9K4kSkUHpRnW7HCLUwuka_TiKyRYtUmQbLYbAWK_sbGwF-n9iaSiQ"
}

@vimalloc
Owner

Oh, you mean if no token was supplied to the call. Yeah, that is the default handler for that error case. You can change it with the invalid_token_loader decorator. See this file https://github.com/vimalloc/flask-jwt-extended/blob/master/flask_jwt_extended/jwt_manager.py

@vimalloc
Owner

That said, I think that can be done better. I'll look at it more today.

@vimalloc
Owner

Actually, now that I'm actually sitting down and looking at it, I am unable to duplicate it. Can you verify it wasn't a flask refresh thing?

@rlam3
Contributor Author

rlam3 commented Sep 19, 2016

I'm using PAW and terminal and still able to reproduce it. I'm not sure what flask refresh thing you are referring to.

MYUSERNAME$ curl -H "Content-Type: application/json" -X POST -d '{"username":"test1","password":"abc123"}' http://localhost:5001/auth/login
{
  "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2NsYWltcyI6eyJpcCI6IjEyNy4wLjAuMSIsInR5cGUiOiJyZXN0cmljdGVkIn0sImp0aSI6IjAyOTNmYWE2LTRjMjYtNGJhMS1hNmRjLWUzMDYzNDExNzg2YiIsImV4cCI6MTQ3NDMxOTA0MiwiZnJlc2giOnRydWUsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6ImFjY2VzcyIsIm5iZiI6MTQ3NDMxNTQ0MiwiaWRlbnRpdHkiOiJ0ZXN0MSJ9.LbIzIr9DA4XeRoinDOzp9tmM4R8yHR6ZgLwe3_wqZGueJD5fwoYZO4bTu-MqR0wysU2gW43ULrowYlKBMy0_GA", 
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ODhlMzVlYS1iZGFkLTQ0MzYtODQzMi1jMmQ2MjUzMTQzNzEiLCJleHAiOjE0NzQ5MjAyNDIsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6InJlZnJlc2giLCJuYmYiOjE0NzQzMTU0NDIsImlkZW50aXR5IjoidGVzdDEifQ.wDSO6snzoDDKLwlpAktT2Ylh6EHzN0FRNMOkLPjGiDOStSCXkjuIS5wedA3y0KMqzSpv9OvbncyoKLb3cip7uQ"
}
MYUSERNAME$ export ACCESS="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2NsYWltcyI6eyJpcCI6IjEyNy4wLjAuMSIsInR5cGUiOiJyZXN0cmljdGVkIn0sImp0aSI6IjAyOTNmYWE2LTRjMjYtNGJhMS1hNmRjLWUzMDYzNDExNzg2YiIsImV4cCI6MTQ3NDMxOTA0MiwiZnJlc2giOnRydWUsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6ImFjY2VzcyIsIm5iZiI6MTQ3NDMxNTQ0MiwiaWRlbnRpdHkiOiJ0ZXN0MSJ9.LbIzIr9DA4XeRoinDOzp9tmM4R8yHR6ZgLwe3_wqZGueJD5fwoYZO4bTu-MqR0wysU2gW43ULrowYlKBMy0_GA"
MYUSERNAME$ export REFRESH="eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ODhlMzVlYS1iZGFkLTQ0MzYtODQzMi1jMmQ2MjUzMTQzNzEiLCJleHAiOjE0NzQ5MjAyNDIsImlhdCI6MTQ3NDMxNTQ0MiwidHlwZSI6InJlZnJlc2giLCJuYmYiOjE0NzQzMTU0NDIsImlkZW50aXR5IjoidGVzdDEifQ.wDSO6snzoDDKLwlpAktT2Ylh6EHzN0FRNMOkLPjGiDOStSCXkjuIS5wedA3y0KMqzSpv9OvbncyoKLb3cip7uQ"
MYUSERNAME$ curl -H "Authorization: Bearer $REFRESH" -X POST http://localhost:5001/auth/refresh
{
  "msg": "Missing or invalid claim: jti"
}

@vimalloc
Owner

vimalloc commented Sep 19, 2016

Ok, got it. I'm currently using python3, and it looks like that breaks in python2. It is the isinstance check here:

    # On Python 2, json.loads() returns unicode for string claims, so isinstance(..., str) is False
    if 'jti' not in data or not isinstance(data['jti'], str):
        raise JWTDecodeError("Missing or invalid claim: jti")

Let me get the unit tests done for this, and I'll go through and make sure it's compatible for both python2 and python3.

Thanks!
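A Python 2/3-portable version of that claim check, as an added example rather than the project's own code: the `text_type` alias resolves to `unicode` on Python 2 and `str` on Python 3, the minimal HS256 encode/decode helpers and the `JWTDecodeError` class are assumptions standing in for PyJWT and the library's own decoder, and the claims are constructed. The signature is verified with the algorithm pinned before any claim is read, then `jti`, `type` and `exp` are checked the way the refresh endpoint in the thread needs them (the blacklist-store lookup the owner describes would follow on the returned `jti`).

```python
import base64
import hashlib
import hmac
import json
import time

try:
    text_type = unicode  # Python 2: json.loads() yields unicode, not str
except NameError:
    text_type = str      # Python 3: str is the only text type


class JWTDecodeError(Exception):
    """Assumed stand-in for the library's decode error."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims, secret):
    """Constructed HS256 signer used only to produce sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


def decode_hs256(token, secret):
    """Verify the signature with the algorithm pinned, then return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise JWTDecodeError("Malformed token")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTDecodeError("Invalid signature")
    header = json.loads(_b64url_decode(header_b64).decode())
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise JWTDecodeError("Unexpected alg")
    return json.loads(_b64url_decode(payload_b64).decode())


def validate_refresh_claims(data, now=None):
    """Portable form of the check quoted above; returns the jti for a store lookup."""
    if "jti" not in data or not isinstance(data["jti"], text_type):
        raise JWTDecodeError("Missing or invalid claim: jti")
    if data.get("type") != "refresh":  # an access token must not refresh
        raise JWTDecodeError("Only refresh tokens can access this endpoint")
    now = time.time() if now is None else now
    if "exp" not in data or data["exp"] < now:
        raise JWTDecodeError("Token has expired")
    return data["jti"]
```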
