107. JSON Web Tokens (JWT)

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. JWT is commonly used for authentication and authorization in web applications: the server issues a signed token at login, and on later requests it verifies the signature to confirm who the user is and to read claims such as roles or permissions. The signature protects the token against tampering; it does not hide its contents. A signed JWT of the kind used here is only base64url-encoded, so anyone who holds it can read the payload, and secrets must never be placed in claims.

Here's how you can work with JWT in Python, using the PyJWT library to encode and decode JWTs for secure communication:

1. Install PyJWT

First, you need to install the PyJWT library. You can install it using pip:

pip install pyjwt

2. Encoding a JWT

This example shows how to encode a payload into a JWT token.

import datetime
import jwt

# Secret key used to sign and verify the JWT. For HS256 this must be a long,
# random value (at least 32 bytes) loaded from configuration, never a literal
# committed to source; "your_secret_key" is a placeholder only.
SECRET_KEY = "your_secret_key"

# Payload (data to encode into the JWT)
payload = {
    "user_id": 123,
    "username": "alice",
    # Expiration time; use a timezone-aware datetime (datetime.utcnow() is deprecated)
    "exp": datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=1)
}

# Encode the JWT with the payload and the secret key.
# PyJWT 2.x returns a str (PyJWT 1.x returned bytes).
token = jwt.encode(payload, SECRET_KEY, algorithm="HS256")
print(f"JWT Token: {token}")

Explanation:

  • The payload contains the claims you want to store, such as user_id, username, and an expiration time (exp). Everything in it is readable by whoever holds the token.

  • The jwt.encode() function serializes the header and payload and signs them with the secret key using HS256 (HMAC with SHA-256). HS256 is symmetric: any party that can verify the token can also mint one, so the key must stay on the server. If other services need to verify tokens without being able to issue them, use an asymmetric algorithm such as RS256 or ES256 and share only the public key.


3. Decoding a JWT

You can decode a JWT to verify its signature and retrieve the payload data. With PyJWT 2.x, jwt.decode() takes the token, the key, and a mandatory algorithms list naming the algorithms you accept (for the token above, just HS256).

Explanation:

  • The jwt.decode() function validates the signature with the secret key and returns the payload as a dict. The algorithms list is an allow-list: PyJWT never takes the algorithm from the token's own alg header, which is attacker-controlled. Honouring that header is how the classic "alg": "none" and HMAC/RSA key-confusion attacks against JWT libraries work.

  • If the token is expired, has an invalid signature, or is otherwise malformed, PyJWT raises a subclass of jwt.InvalidTokenError (for example jwt.ExpiredSignatureError), which can be handled appropriately. Treat every such exception as an authentication failure; do not fall back to reading the payload.


4. JWT with Custom Claims

You can also include custom claims in the JWT, for example application-specific fields such as roles or a tenant identifier. Choose names that do not collide with the registered claims (iss, sub, aud, exp, nbf, iat, jti), and remember that custom claims are as readable as any other part of the payload.


5. Validating JWT Expiration

JWTs can include an expiration (exp) claim, a Unix timestamp, to limit their validity. When decoding the token, PyJWT automatically checks exp (and nbf, "not before", if present) and raises jwt.ExpiredSignatureError for a token whose exp has passed. Expiration is not optional from a security point of view: a signed token without exp is valid forever, and a JWT cannot be revoked once issued, so keep lifetimes short. jwt.decode() accepts a leeway argument (in seconds) to tolerate small clock skew between issuer and verifier.


6. JWT in a Web Application (Flask Example)

A typical usage of JWT in a web application is for user authentication. Here is an example of how JWT can be used in a Flask web app:

Explanation:

  • The /login route simulates user authentication (checking the submitted credentials) and returns a JWT.

  • The /protected route requires a valid JWT in the Authorization header, conventionally as Authorization: Bearer <token>, to access protected resources. The handler extracts the token, calls jwt.decode() with the secret key and the allowed algorithms, and denies the request (HTTP 401) if the token is missing, expired or invalid.


7. JWT with Refresh Tokens

You can implement a refresh token mechanism to extend the session without requiring the user to log in again.

Explanation:

  • The access token has a short expiration time (15 minutes), while the refresh token has a much longer expiration (30 days). The short access-token lifetime bounds the damage a stolen access token can do.

  • When the access token expires, the client sends the refresh token to request a new access token. Because a refresh token is long-lived, it needs protections the access token does not: keep a server-side record so it can be revoked on logout or compromise, issue a new refresh token on every use (rotation) and invalidate the old one, and never accept a refresh token in place of an access token on a protected route.
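Below is an added example of the server-side half of such a refresh mechanism; it is not code from this page or from the PyJWT project. It assumes opaque random refresh tokens kept in a server-side store (an in-memory dict standing in for a database table) rather than a second JWT, so that they can be revoked and rotated; refresh() returns the claims for the new access token, which you would sign with jwt.encode() as in section 2. The names RefreshTokenStore, RefreshError and the TTL constants are this example's own.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Added example, not the page's code: refresh-token rotation with server-side
# state. The refresh token is an opaque random string rather than a second JWT,
# so it can be revoked; only its SHA-256 hash is stored, so a leaked table does
# not yield usable tokens. Access tokens are left to the JWT library: refresh()
# returns the claims dict you would pass to jwt.encode(claims, SECRET_KEY,
# algorithm="HS256"). Lifetimes mirror the page (15 minutes / 30 days).

ACCESS_TTL = 15 * 60              # 15 minutes
REFRESH_TTL = 30 * 24 * 60 * 60   # 30 days


class RefreshError(Exception):
    """The presented refresh token cannot be used; the client must log in again."""


@dataclass
class RefreshRecord:
    user_id: int
    family: str        # one family per login; rotated tokens share it
    expires_at: float
    used: bool = False


class RefreshTokenStore:
    """In-memory stand-in for the database table a real deployment would use."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    @staticmethod
    def _access_claims(user_id: int, now: float) -> Dict:
        now = int(now)
        return {"sub": str(user_id), "iat": now, "exp": now + ACCESS_TTL}

    def _mint(self, user_id: int, family: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._by_hash[self._hash(token)] = RefreshRecord(user_id, family, now + REFRESH_TTL)
        return token

    def login(self, user_id: int, now: Optional[float] = None) -> Tuple[Dict, str]:
        """After credential checks (not shown): issue access claims and a refresh token."""
        now = time.time() if now is None else now
        return self._access_claims(user_id, now), self._mint(user_id, secrets.token_hex(8), now)

    def refresh(self, token: str, now: Optional[float] = None) -> Tuple[Dict, str]:
        """Exchange a refresh token for new access claims and a NEW refresh token."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._hash(token))
        if rec is None:
            raise RefreshError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise RefreshError("session has been revoked")
        if rec.used:
            # The same token presented twice: either the client or an attacker
            # holds a copy. Revoke the whole family so neither can continue.
            self._revoked_families.add(rec.family)
            raise RefreshError("refresh token reuse detected; session revoked")
        if now > rec.expires_at:
            raise RefreshError("refresh token expired")
        rec.used = True
        return self._access_claims(rec.user_id, now), self._mint(rec.user_id, rec.family, now)

    def logout(self, token: str) -> None:
        """Revoke the session this token belongs to (every rotation of it)."""
        rec = self._by_hash.get(self._hash(token))
        if rec is not None:
            self._revoked_families.add(rec.family)


if __name__ == "__main__":
    store = RefreshTokenStore()
    claims, refresh_token = store.login(user_id=123)
    print("access claims to sign:", claims)
    claims, new_refresh_token = store.refresh(refresh_token)
    try:
        store.refresh(refresh_token)  # replaying the old, already-rotated token
    except RefreshError as exc:
        print("replay:", exc)
```

The reuse check is the part most implementations skip: when an old refresh token is presented after rotation, the store cannot tell whether the legitimate client or an attacker sent it, so it revokes the whole family and forces a fresh login for both.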


8. Decoding JWT without Verification

In some cases, you might want to decode a JWT without verifying its signature, for example to log its contents while debugging, or to read the kid (key ID) header so you know which key to verify it with. PyJWT offers jwt.get_unverified_header() for the latter, and jwt.decode() with the verify_signature option set to False in its options dict for the full payload.

Explanation: The verify_signature=False option disables signature verification, so every value returned is simply what the sender wrote and may have been forged. Never use unverified claims for an authentication or authorization decision; verify the token first and act only on the output of the verified decode.


9. JWT with Multiple Claims

JWT can hold multiple claims. Here’s an example of using various claims like sub, iat, and aud:

Explanation: The JWT includes registered claims such as sub (subject, typically the user identifier), iat (issued at), aud (audience, the service the token is intended for), and exp (expiration time). When a token carries aud, jwt.decode() must be called with the matching audience argument; otherwise it raises jwt.InvalidAudienceError. Checking aud (and iss, with the issuer argument) stops a token issued for one service from being replayed against another that shares the same key.


10. JWT Payload Expiration Check

PyJWT automatically checks for expiration when decoding the token. Here's how you can handle token expiration explicitly.

Explanation: If the exp claim in the JWT has passed, jwt.ExpiredSignatureError is raised, allowing you to handle expired tokens appropriately (for example by returning HTTP 401 so the client falls back to its refresh token). Catch jwt.InvalidTokenError as well, the base class of all PyJWT verification errors, so that a tampered or malformed token is rejected rather than crashing the handler.
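The following is an added example, not code from this page or from the PyJWT project, that serves sections 3, 5, 8, 9 and 10 together: it implements the HS256 encode/decode cycle on the Python standard library so that every check jwt.decode() performs (algorithm pinning, signature comparison, exp/nbf, aud) is visible, and contrasts it with an unverified peek. The function names (encode, decode, peek, forge_alg_none), the demo key and the claims are this example's own; a production service should use PyJWT rather than this code.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Added example, not the page's code: a minimal HS256 signer/verifier built on the
# standard library, to make visible the checks jwt.decode() performs (algorithm
# pinning, signature, exp/nbf, aud) and what an unverified decode does NOT give
# you. Keys and claims used below are constructed for the demonstration.


class InvalidTokenError(Exception):
    """Any reason the token must be rejected."""


class ExpiredSignatureError(InvalidTokenError):
    """The exp claim is in the past."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: Dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def encode(payload: Dict, key: bytes) -> str:
    """Issue header.payload.signature with alg fixed to HS256."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, key))}"


def forge_alg_none(payload: Dict) -> str:
    """Attacker's token against a verifier that honours the token's own 'alg'
    header: alg=none and an empty signature (demonstration only)."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def peek(token: str) -> Tuple[Dict, Dict]:
    """Return (header, payload) WITHOUT verification, the equivalent of PyJWT's
    get_unverified_header() / verify_signature=False. Fine for logging or for
    reading 'kid' to select a key; never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("token must have exactly three segments")
    try:
        header, payload = (json.loads(_b64url_decode(p)) for p in parts[:2])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidTokenError(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidTokenError("header and payload must be JSON objects")
    return header, payload


def decode(token: str, key: bytes, audience: Optional[str] = None,
           leeway: int = 0, now: Optional[float] = None) -> Dict:
    """Verify the token and return its claims; raise InvalidTokenError otherwise."""
    header, payload = peek(token)
    # 1. Pin the algorithm. 'alg' in the header is attacker-controlled, so it is
    #    compared against what WE accept, never used to choose the verifier.
    if header.get("alg") != "HS256":
        raise InvalidTokenError(f"algorithm {header.get('alg')!r} not allowed")
    signing_input, _, sig_b64 = token.rpartition(".")
    try:
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidTokenError("malformed signature") from exc
    # 2. Constant-time comparison of the HMAC over header.payload.
    if not hmac.compare_digest(_sign(signing_input, key), signature):
        raise InvalidTokenError("signature verification failed")
    # 3. Time claims. exp is mandatory here; nbf is honoured when present.
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)):
        raise InvalidTokenError("exp claim is required and must be numeric")
    if now > payload["exp"] + leeway:
        raise ExpiredSignatureError("token has expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise InvalidTokenError("token is not yet valid")
    # 4. Audience. A token minted for another service must be refused here.
    if audience is not None and payload.get("aud") != audience:
        raise InvalidTokenError("audience mismatch")
    return payload


if __name__ == "__main__":
    key = b"k" * 32  # constructed demo key; use secrets.token_bytes(32) in practice
    claims = {"sub": "alice", "role": "user", "aud": "api", "exp": int(time.time()) + 900}
    token = encode(claims, key)
    print("verified claims:", decode(token, key, audience="api"))
    forged = forge_alg_none({**claims, "role": "admin"})
    print("unverified peek says:", peek(forged)[1])
    try:
        decode(forged, key, audience="api")
    except InvalidTokenError as exc:
        print("alg=none rejected:", exc)
```

The order of the checks matters: the algorithm is pinned before any signature is computed, so a token that claims alg=none never reaches a code path where an empty signature could be "valid", and the signature is checked before any claim is trusted, so exp and aud are read only from a payload that is known to be authentic.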


Key Concepts:

  • JWT Encoding and Decoding: Use jwt.encode() to generate JWTs and jwt.decode() to extract data.

  • Expiration and Claims: Use the exp claim for expiration, and other claims like sub, iat, and aud for subject, issued-at, and audience information.

  • Security: Sign JWTs with a strong secret (for HS256, at least 32 random bytes loaded from configuration, never hardcoded), pass an explicit algorithms allow-list to jwt.decode(), validate exp and aud, and keep token lifetimes short. Verification proves the token was issued by someone holding the key; it says nothing about the confidentiality of the claims.

JWTs are widely used in web applications for transmitting signed, tamper-evident claims between clients and servers, especially in authentication and authorization contexts.
