Flask_jwt_extended official document learning (2)

flask_jwt_extended: official document

7. Refresh tokens (a second token type, used to obtain new access tokens)

A refresh token is a second, long-lived token type that is used to obtain a new access token once the old one has expired. The two types are not interchangeable: a refresh token cannot access an endpoint decorated with jwt_required(), and an access token cannot access an endpoint decorated with jwt_refresh_token_required(). The usual pattern is to give the access token a short expiry and use the refresh token to generate a new access token when it runs out.
By default the extension looks for the refresh token in the request headers, like the access token. The configuration options later in the document can change where tokens are looked for.


8. Token freshness (marking an access token as fresh)

The idea is to issue the access token with fresh=True when the user has just logged in with their password, while an access token obtained through the refresh endpoint is non-fresh. Endpoints decorated with fresh_jwt_required() accept only fresh access tokens, so sensitive operations (changing a password or e-mail address, for example) can demand a recent login even though the refresh token keeps the session alive. Used together with refresh tokens this improves the security of the site.

9. Change the default behavior

  1. Change the callback function
    • Mainly what is returned to the client when a token is rejected (expired, missing, revoked, and so on)
# Handles a valid but expired token before the protected endpoint runs.
# This is the flask_jwt_extended 3.x callback signature (the decoded expired
# token dict); 4.x changed the loader callbacks to (jwt_header, jwt_payload).
from flask import Flask, jsonify
from flask_jwt_extended import JWTManager

app = Flask(__name__)
app.config['JWT_SECRET_KEY'] = 'change-me'  # placeholder; load a real secret from config
jwt = JWTManager(app)


@jwt.expired_token_loader
def my_expired_token_callback(expired_token):
    token_type = expired_token['type']  # 'access' or 'refresh'
    return jsonify({
        'status': 401,
        'sub_status': 42,
        'msg': 'The {} token has expired'.format(token_type)
    }), 401
  2. Dynamic token expiration time
  • Pass the expires_delta parameter (a datetime.timedelta) to create_access_token() and create_refresh_token() to set the lifetime of each token individually, overriding the global JWT_ACCESS_TOKEN_EXPIRES and JWT_REFRESH_TOKEN_EXPIRES settings.
  • A short-lived access token suits tokens issued to a web front end, while a longer lifetime is more common for tokens issued to programmers calling an API.
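To make the rules of sections 7, 8 and 9 concrete, here is a self-contained model of the token types, written for this page as an added example using only the Python standard library; it is not flask_jwt_extended's own code. It mints HS256 tokens with the same claims the extension uses (type, fresh, jti, exp), and the functions jwt_required, jwt_refresh_token_required and fresh_jwt_required play the role of the 3.x decorators of the same names. The secret key, the claim named "identity", the login/refresh helpers and the optional now parameter (so expiry can be exercised without sleeping) are assumptions of this example.

```python
"""Stdlib-only model of flask_jwt_extended's token types (added example, not library code)."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from datetime import timedelta

SECRET_KEY = b"demo-secret-change-me"  # placeholder; a real deployment loads this from config


class TokenError(Exception):
    """The token was rejected (bad signature, wrong type, not fresh)."""


class ExpiredToken(TokenError):
    """Signature valid but 'exp' has passed; .claims is what expired_token_loader receives."""

    def __init__(self, claims):
        super().__init__("The {} token has expired".format(claims["type"]))
        self.claims = claims


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest())


def _create_token(identity, token_type, fresh, expires_delta, now):
    now = time.time() if now is None else now
    claims = {
        "identity": identity,
        "type": token_type,                        # "access" or "refresh"
        "fresh": bool(fresh) if token_type == "access" else False,
        "jti": uuid.uuid4().hex,                   # unique id, the handle used for revocation
        "iat": int(now),
        "exp": int(now + expires_delta.total_seconds()),
    }
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode())}"

def create_access_token(identity, fresh=False, expires_delta=timedelta(minutes=15), now=None):
    return _create_token(identity, "access", fresh, expires_delta, now)

def create_refresh_token(identity, expires_delta=timedelta(days=30), now=None):
    return _create_token(identity, "refresh", False, expires_delta, now)


def decode_token(token, now=None):
    """Verify the HMAC before reading any claim, then check expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Not enough segments")
    header, payload, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{header}.{payload}".encode())):
        raise TokenError("Signature verification failed")
    claims = json.loads(_unb64(payload))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise ExpiredToken(claims)
    return claims


# The three guards, in the role of the 3.x decorators of the same names.
def jwt_required(token, now=None):
    claims = decode_token(token, now)
    if claims["type"] != "access":
        raise TokenError("Only access tokens are allowed")
    return claims

def jwt_refresh_token_required(token, now=None):
    claims = decode_token(token, now)
    if claims["type"] != "refresh":
        raise TokenError("Only refresh tokens are allowed")
    return claims

def fresh_jwt_required(token, now=None):
    claims = jwt_required(token, now)
    if not claims["fresh"]:
        raise TokenError("Fresh token required")
    return claims


def login(identity, now=None):
    """Password login (credential check omitted): a fresh access token plus a refresh token."""
    return {"access_token": create_access_token(identity, fresh=True, now=now),
            "refresh_token": create_refresh_token(identity, now=now)}

def refresh(refresh_token, now=None):
    """The refresh endpoint: only a refresh token is accepted, and the new access token is not fresh."""
    claims = jwt_refresh_token_required(refresh_token, now)
    return {"access_token": create_access_token(claims["identity"], fresh=False, now=now)}

def expired_token_response(exc):
    """The body the page's expired_token_loader callback builds, as a plain dict."""
    return {"status": 401, "sub_status": 42, "msg": str(exc)}, 401
```

Walking through it: login() returns a fresh access token and a refresh token; refresh() accepts only the refresh token and hands back a non-fresh access token, which passes jwt_required but not fresh_jwt_required; once 15 minutes have passed the access token raises ExpiredToken carrying the decoded claims, which is exactly the dict the 3.x expired_token_loader callback on this page reads the type from, while the 30-day refresh token is still usable. The expires_delta argument is the per-token override from section 9.2.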

10. Configuration options

These are the app.config settings that control the extension (token lifetimes, token locations, cookie and CSRF behaviour, and so on). See the documentation page for the full list; the settings that matter most for what follows are the blacklist ones.
Configuration Options: link

11. Blacklist and token revocation (backed by a database or an in-memory store such as Redis)

Token revocation is supported out of the box: register a callback with the token_in_blacklist_loader() decorator. It receives the decoded token and returns True if the token has been revoked, typically by looking up the token's jti claim in a database or in Redis. The official docs contain an example for both back ends.

Note that the callback runs on every request to a protected endpoint, so if each call hits the database this becomes a noticeable load. The docs therefore suggest letting access tokens simply expire (keep their lifetime short) and checking only refresh tokens against the blacklist; in 3.x that is the JWT_BLACKLIST_ENABLED and JWT_BLACKLIST_TOKEN_CHECKS = ['refresh'] configuration. The trade-off is that a revoked access token keeps working until its expiry time.
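The cost and the trade-off just described are easier to see with numbers, so here is an added example (written for this page, not code from flask_jwt_extended or its docs) that replays the same traffic under the two check policies. The RevocationStore class, its lookups counter and the sample claims are constructed for the example; the callback method has the shape of a token_in_blacklist_loader callback (decoded claims in, bool out), and the store drops a revoked jti once the token itself has expired so the set does not grow without bound.

```python
"""Revocation model (added example, not library code): a jti blacklist consulted on
every protected request, with a per-type check policy like 3.x JWT_BLACKLIST_TOKEN_CHECKS."""
import time


class RevocationStore:
    """In-memory stand-in for the Redis set or database table the docs use."""

    def __init__(self, checks=("access", "refresh")):
        self.checks = set(checks)   # token types that are looked up at all
        self._revoked = {}          # jti -> exp of the revoked token
        self.lookups = 0            # backend hits: the per-request cost the page warns about

    def revoke(self, decoded_token):
        self._revoked[decoded_token["jti"]] = decoded_token["exp"]

    def token_in_blacklist(self, decoded_token, now=None):
        """Shape of the token_in_blacklist_loader callback: decoded claims in, bool out."""
        if decoded_token["type"] not in self.checks:
            return False            # policy says skip this type: no backend round trip
        now = time.time() if now is None else now
        # Expired tokens are rejected by the exp check before this callback runs,
        # so their jti can be forgotten; this keeps the blacklist bounded.
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}
        self.lookups += 1
        return decoded_token["jti"] in self._revoked


def revocation_check(store, decoded_token, now=None):
    """The step a protected endpoint runs after signature and expiry checks: 401 if revoked."""
    if store.token_in_blacklist(decoded_token, now):
        return {"msg": "Token has been revoked"}, 401
    return {"msg": "ok", "identity": decoded_token["identity"]}, 200


# Constructed sample claims, in the shape flask_jwt_extended hands to the callback.
ACCESS = {"jti": "a1", "type": "access", "identity": "alice", "exp": 1_600_000_900}
REFRESH = {"jti": "r1", "type": "refresh", "identity": "alice", "exp": 1_602_592_000}


def compare_policies(now=1_600_000_000):
    """Logout revokes both tokens; then 10 access-token requests and one refresh call
    are replayed under 'check both types' and 'check refresh tokens only'."""
    results = {}
    for name, checks in (("all", ("access", "refresh")), ("refresh_only", ("refresh",))):
        store = RevocationStore(checks)
        store.revoke(ACCESS)
        store.revoke(REFRESH)
        access_codes = {revocation_check(store, ACCESS, now)[1] for _ in range(10)}
        refresh_code = revocation_check(store, REFRESH, now)[1]
        results[name] = {"lookups": store.lookups,
                         "access_codes": access_codes, "refresh_code": refresh_code}
    return results
```

Under the "all" policy the store is queried 11 times for 11 requests and every revoked token is refused; under "refresh_only" there is a single lookup, the refresh token is refused, but the revoked access token still answers 200 until its exp passes. That is why the cheaper policy only makes sense together with a short access-token lifetime.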

12. Where to place the JWT

Token locations (the JWT_TOKEN_LOCATION setting; headers is the default):

  1. in cookies: with httponly cookies page scripts cannot read the token, which limits what an XSS bug can steal; the trade-off is that cookies are sent automatically, so the site then needs CSRF protection (the extension provides double-submit CSRF protection for this case) (don't quite understand this...)
  2. in the query string: the token goes into the GET parameters. The docs advise against this, because URLs tend to be logged (server logs, proxies, browser history), so the token may end up recorded somewhere.
  3. in the JSON body: the token is sent in the request body, but a GET request carries no body, so GET requests to protected endpoints cannot be authenticated this way.

Origin blog.csdn.net/qq_42573343/article/details/107128934