JWT Claims and Authorization
- Set metadata above
- Start writing!
- Create
start
folder - Create
end
folder - Create per-file diff between
end
andstart
(use "Compare Folders")
JWT claims are extra data we can add to the JWT. For example, we could store in the JWT whether the user whose ID is stored in the JWT is an "administrator" or not.
By doing this, we only have to check the user's permissions once, when we create the JWT, and not every time the user makes a request.
To add a custom claim to a JWT we define a function similar to the error handling functions we wrote in the last lecture:
app.config["JWT_SECRET_KEY"] = "jose"
jwt = JWTManager(app)
@jwt.additional_claims_loader
def add_claims_to_jwt(identity):
if identity == 1:
return {"is_admin": True}
return {"is_admin": False}
@jwt.expired_token_loader
def expired_token_callback(jwt_header, jwt_payload):
return (
jsonify({"message": "The token has expired.", "error": "token_expired"}),
401,
)
Read from a database or config file
Here we're assuming that the user with and ID of 1
will be the administrator. Normally you'd read this from either a config file or the database.
How to use JWT claims in an endpoint
Let's make a small change to the Item
resource so that only admins can delete items.
To do so, we'll need to add an import for get_jwt
:
from flask_jwt_extended import jwt_required, get_jwt
Then in the delete
endpoint, we can use get_jwt()
to check the data in the JWT (which behaves like a dictionary):
@jwt_required()
def delete(self, item_id):
jwt = get_jwt()
if not jwt.get("is_admin"):
abort(401, message="Admin privilege required.")
item = ItemModel.query.get_or_404(item_id)
db.session.delete(item)
db.session.commit()
return {"message": "Item deleted."}