Often in Flask applications we want to add login/logout functionality. Depending on the type of application you're creating, you could use sessions or tokens.
- Sessions are best suited to applications where you're serving web pages with Flask—i.e. making extensive use of
render_template
. - Tokens are best suited to APIs, where your Flask application accepts and returns data to another application (such as mobile apps or web apps).
In this post we'll learn how to add token-based authentication to your Flask apps. But first...
What is a JWT?
JWT stands for JSON Web Token, and it is a piece of text with some information encoded into it.
The information stored when doing authentication in a Flask app is usually something that we can use to identify the user for whom we generated the JWT.
The flow goes like this:
- User provides their username and password
- We verify they are correct inside our Flask app
- We generate a JWT which contains the user's ID.
- We send that to the user.
- Whenever the user makes a request to our application, they must send us the JWT we generated earlier. By doing this, we can verify the JWT is valid—and then we'll know the user who sent us the JWT is the user for whom we generated it.
That last point is important. When we receive a JWT we know to be valid, we know we generated it for a specific user. We can check this using the information stored inside the JWT.
Since we know the user sent us the JWT that we generated when they logged in, we can treat this used as a "logged in user".
Any user that does not send us a valid JWT, we will treat as a "logged out" user.
Authentication with Flask-JWT
There are two main libraries for authentication with Flask: Flask-JWT and Flask-JWT-Extended.
Flask-JWT is slightly simpler, while Flask-JWT-Extended is a bit more powerful. Learning one will make learning the other very straightforward.
In this post we'll use Flask-JWT.
Installing and linking with our app
To install Flask-JWT, activate your virtual environment and then do:
pip install flask-jwt
Then, in the file where your app is defined, you'll need to import Flask-JWT and create the JWT
object. You also need to define app.secret_key
as that is used to sign the JWT so you know it is your app that created it, and not anyone else:
from flask import Flask
from flask_jwt import JWT
from security import authenticate, identity
app = Flask(__name__)
app.secret_key = "jose" # Make this long, random, and secret in a real app!
jwt = JWT(app, authenticate, identity)
if __name__ == "__main__":
app.run()
We also have an import for authenticate
and identity
. These two functions are required for Flask-JWT to know how to handle an incoming JWT, and also what data we want to store in an outgoing JWT.
As soon as we create the JWT
object, Flask-JWT registers an endpoint with our application, /auth
.
That means that the simple app in that code already has an endpoint that users can access. By default, users should be able to send POST requests to the /auth
endpoint with some JSON payload:
{
"username": "their_username",
"password": "their_plaintext_password"
}
What is authenticate
?
The authenticate
function is used to authenticate a user. That means, when a user gives us their username and password, what data we want to put into the JWT. Remember, the data we put into the JWT will come back to us when the user sends it with each request.
The flow goes like this:
- User makes a POST request to the new
/auth
endpoint with their username and password as the JSON payload. - The
authenticate
function is called with that username and password. Flask-JWT set this up when we created theJWT
object.
Usually in the authenticate
function I check the validity of a user's username and password, and then tell Flask-JWT to store the user's id
inside the JWT.
Something like this:
from werkzeug.security import safe_str_cmp
from models.user import UserModel
def authenticate(username, password):
user = UserModel.find_by_username(username)
if user and safe_str_cmp(user.password, password):
return user
My authenticate
function accepts a username
and password
. It then goes into the database and finds a user matching that username, and checks the password is correct.
If it is, it returns the user.
Does that mean the user is stored in the JWT?
No. Flask-JWT will take the id
property of the user
object and store that in the JWT.
If your user
object does not have an id
property, you'll get an error.
You can change which property gets stored in the JWT by setting an app configuration property. Learn more in our Flask-JWT Configuration blog post.
What is identity
?
The identity
function is used when we receive a JWT.
In any of our endpoints (except the /auth
endpoint) the user can send us a JWT alongside their data. They will do this by adding a header to their request:
Authorization: JWT <JWT_VALUE_HERE>
When that happens, Flask-JWT will take the JWT and get the data out of it. Data stored inside a JWT is called a "payload", so our identity
function accepts that payload as a parameter:
def identity(payload):
user_id = payload['identity']
return UserModel.find_by_id(user_id)
The payload['identity']
contains the user's id
property that we saved into the JWT when we created it. The payload
also contains other things, such as when the token was created, when it expires, and more. For more information, read the "Payload" section of this post.
Since payload['identity']
is the user's id
—we use that to find the user in the database and return it.
Important: the identity
function is not called unless we decorate our endpoints with the @jwt_required()
decorator, like so:
from flask_jwt import jwt_required, current_identity
@app.route('/protected')
@jwt_required()
def protected():
return '%s' % current_identity
Inside any endpoint that is decorated with @jwt_required()
, we can access the current_identity
proxy—it will give us whatever the identity
function returns for the JWT we received in this specific request.
Testing and error messages
Here's a simple app, taken from the official documentation, that you can use to test your Flask-JWT requests.
I would recommend testing different scenarios with Flask-JWT to check what it can return you. For example, what happens if:
- You send an invalid username or password;
- You send an invalid or incomplete JWT;
- Your user isn't found in the database with the id in the payload;
Flask-JWT-Extended
Flask-JWT-Extended is very similar to Flask-JWT, but has more configuration options and some more functionality. For example, it allows for token refreshing.
After you're comfortable with Flask-JWT—and if you need those advanced features—read our blog post on Flask-JWT-Extended for more!
I hope you've found this post useful, and you've learned something!
If you want an even better and more digestible set of video tutorials guiding you through creating Flask applications and REST APIs, check out our REST APIs with Flask and Python course. It contains everything you need to develop simple, professional REST APIs easily.
If you sign up to our mailing list below, that's the best way to get access to a discount code—we share them every month with our subscribers!