I am trying to implement token based authentication for my Flask REST API. I am using Stormpath as my third-party authentication service.
I looked into flask-stormpath
built on top of flask-login
. Looks like it uses password based authentication as they are trying to maintain session on the server. Also, the documentation doesn't provide me enough information.
Do we have a flask integration for stormpath token based authentication ? If yes, can someone point me to a sample code.
I have already gone through the stormpath/flask-stormpath-sample
on github, which again maintains sessions in server.
References:
So here is the way I am currently using until rdegges shall build this feature into flask-stormpath
.
You will need stormpath python sdk latest version and wraps from func tools.
from stormpath.api_auth import (PasswordGrantAuthenticator, RefreshGrantAuthenticator, JwtAuthenticator)
from functools import wraps
You can create your application as such.
stormpathClient = Client(id=KEYS['STORMPATH_ID'], secret=KEYS['STORMPATH_SECRET'])
stormpathApp = stormpathClient.applications.search('your-application')[0]
This decorator shall help you with securing endpoints.
def tokenRequired(func):
"""
Decorator to apply on all routes which require tokens.
"""
@wraps(func)
def wrappingFunc():
#check the auth header of the request for a bearer token.
authHeader = request.headers.get('Authentication')
#make sure that the string is a bearer type.
if len(authHeader)<8 or (not authHeader[:7] == 'Bearer ') or (
not authHeader):
return Response("401 Unauthorized",401)
authToken = authHeader[7:]
try:
authenticator = JwtAuthenticator(stormpathApp)
authResult = authenticator.authenticate(authToken)
request.vUser = authResult.account
except:
return Response("403 Forbidden",403)
return func()
return wrappingFunc
#Use this decorator like below.
@flaskApp.route('/secure-route',methods=['GET','POST'])
@tokenRequired
def secureEndpoint():
# return JSON based response
return Response("This is secure Mr." + request.vUser.given_name ,200)
Let me know in the comments if someone wishes to know the token issuing and refreshing end points as well.