JSON Web Tokens with Pyramid


Vincent Catalano

Mar 16, 2015, 1:38:44 PM
to pylons-...@googlegroups.com
Hello everyone,

I'm implementing a REST API in Pyramid and I want to use JSON Web Tokens for authorization and authentication (http://jwt.io/). I was looking at using a plugin pyramid_jwtauth but there are no examples or documentation on how to actually use it. If anyone has any experience or knowledge in implementing web tokens perhaps you could give me a few pointers for using it in Pyramid.

-Vincent

--
Vincent Catalano
Software Engineer and Web Developer,
(520).603.8944

Randall Leeds

Mar 16, 2015, 1:48:40 PM
to pylons-...@googlegroups.com
I authored pyramid_oauthlib and I've been hacking at JWTs as authorization grants.

It might be overkill for your needs, but I'll look at getting an example up today/tomorrow.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
To post to this group, send email to pylons-...@googlegroups.com.
Visit this group at http://groups.google.com/group/pylons-discuss.
For more options, visit https://groups.google.com/d/optout.

Arndt Droullier

Mar 16, 2015, 2:12:22 PM
to Pyramid on google groups
I've never used pyramid_jwtauth; just had a look at it.
Anyway, it should work like Pyramid's standard cookie auth except you have to manage the token yourself.


But instead of calling 'remember()' you have to call pyramid_jwtauth's 'encode_jwt'

    from pyramid.interfaces import IAuthenticationPolicy

    policy = request.registry.queryUtility(IAuthenticationPolicy)
    if policy is None:
        token = None  # no authentication policy has been configured
    else:
        # pyramid_jwtauth's policy signs the claims and returns the token string
        token = policy.encode_jwt(request, claims={'sub': 'username'})

to get the signed token. The token has to be passed as header by the client in the following requests.
'claims' have to include the username: I think {'sub':'username'} should work.
That's all. Or at least the rest has nothing to do with jwt tokens.

Arndt.


Arndt Droullier / nive.io

Vincent Catalano

Mar 16, 2015, 6:35:28 PM
to pylons-...@googlegroups.com
Aha! I didn't even think of trying to get the policy from the registry. I will give it a try tonight. Thanks, guys!


Carel Burger

Mar 17, 2015, 5:44:02 AM
to pylons-...@googlegroups.com
Hi Randall, Let us know when the example is up. I am also interested in getting OAuth integrated in my webapp.

Randall Leeds

Mar 17, 2015, 9:51:09 AM
to pylons-...@googlegroups.com
This is all an ongoing experiment, so I apologize that it's linked to open PRs and whatnot. As far as I know, no one other than myself has really used pyramid_oauthlib yet, either.

Here's the basic idea though:

- The library, pyramid_oauthlib, provides `request.verify_request()` which delegates to a registered OAuthLib RequestValidator instance based on the detected authorization type, e.g. bearer authorization header.

- The goal is that implementations of grant types, token types, and response types can be shared with other OAuthLib users because they should be able to avoid any pyramid-isms.

- To integrate with your Pyramid application, all that is really needed is to register some OAuthLib pieces and then integrate with your authentication policy.

  Example of adding some OAuthLib parts:

    config.add_grant_type('oauthlib.oauth2.ClientCredentialsGrant', request_validator=validator)
    config.add_token_type('oauthlib.oauth2.BearerToken', request_validator=validator, token_generator=generate_signed_token)

  Example of integrating with a Pyramid authentication policy. In a simplest case, Pyramid itself does no authentication, and instead uses the 'REMOTE_USER' policy:

    from pyramid.events import ContextFound, subscriber

    @subscriber(ContextFound)
    def set_user_from_oauth(event):
        """A subscriber that checks requests for OAuth credentials and sets the
        'REMOTE_USER' environment key to the authorized user (or ``None``)."""
        request = event.request
        # pyramid_oauthlib's verify_request() dispatches on the detected
        # authorization type; the snippet relies on the registered validator
        # having set request.user when verification succeeds
        request.verify_request()
        request.environ['REMOTE_USER'] = getattr(request, 'user', None)

Here's how I'm integrating the draft-ietf-oauth-jwt-bearer spec today: https://github.com/hypothesis/h/pull/2046

Notice that the h.oauth package has nothing Pyramid specific. I am hoping to submit that as a PR to OAuthLib shortly.

The biggest open questions in my mind:

- Should the grant type implementation attempt any issuer/audience/expiration validation, or should that all be delegated to the RequestValidator?

- Since pyramid_oauthlib makes it easy for each (token|grant|response) type to have its own RequestValidator instance it works to overload the validate_bearer_token method. However, for other OAuthLib users, it might be more sensible to have a validate_web_token method in case the JWT is only used as an authorization grant but the access token uses a more traditionally opaque token.

Hope that's helpful. I'm very much seeking feedback here.
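To make concrete what both replies leave to the plugin, here is an added, self-contained example (not code from this thread, pyramid_jwtauth or pyramid_oauthlib, and with no Pyramid dependency so it runs offline). It mints the kind of signed token Arndt's `encode_jwt` call returns, then does what Randall's `ContextFound` subscriber does: pull the bearer token out of the request's `Authorization` header and derive `REMOTE_USER` from it, rejecting anything that fails the signature, `exp`, `iss` or `aud` checks he lists as open questions. HS256 with a constructed shared secret, and the names `encode_jwt`, `decode_jwt` and `remote_user_from_environ` are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = ".".join([
        _b64url_encode(json.dumps(header, **compact).encode()),
        _b64url_encode(json.dumps(claims, **compact).encode()),
    ])
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt(token: str, secret: bytes = SECRET, issuer=None, audience=None, now=None) -> dict:
    """Verify the signature and the standard claims; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to the one we issue with; the token's own 'alg' value
    # must never select how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Expiry is mandatory here so a leaked token cannot be replayed forever.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if audience is not None and claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def remote_user_from_environ(environ: dict, **verify_kwargs):
    """What the ContextFound subscriber computes: the verified subject from the
    bearer token in the WSGI HTTP_AUTHORIZATION header, or None if absent/invalid."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    try:
        return decode_jwt(token.strip(), **verify_kwargs)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed request: a token issued for 'alice' and presented as a bearer header.
    tok = encode_jwt({"sub": "alice", "iss": "demo-issuer", "aud": "demo-api",
                      "exp": int(time.time()) + 300})
    environ = {"HTTP_AUTHORIZATION": "Bearer " + tok}
    print(remote_user_from_environ(environ, issuer="demo-issuer", audience="demo-api"))
```

The subscriber in Randall's snippet would call `remote_user_from_environ(request.environ, ...)` and store the result in `request.environ['REMOTE_USER']`; the point of keeping every check inside `decode_jwt` is that an expired, re-signed or wrong-audience token degrades to an anonymous request rather than an authenticated one.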
