1.4. backendapp.api.tokenauth

Access to some API resources is controlled via token-based authentication.

https://www.okta.com/uk/identity-101/what-is-token-based-authentication/

For the Admin API, nearly all resources require an admintoken. This can only be obtained with knowledge of a secret key, which is read from an environment variable known only to a system administrator.

For the Consumer API, some resources require a tagtoken. These prove that an end-user has recently captured a tag and therefore has physical access to a device.

class backendapp.api.tokenauth.TokenAuth(issuer: str, audience: str)

Token authenticator base class.

__init__(issuer: str, audience: str)

Instantiate a token authenticator. A JSON Web Token includes a header, a payload and a signature. For more information see https://jwt.io/.

A token is rejected if its payload does not include the expected set of claims; each claim is a key-value pair.

The constructor fixes the expected values of two registered claims: issuer (iss) and audience (aud).

https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields

Parameters
  • issuer – Identifies the principal that issued the token (this application).

  • audience – Identifies the audience that the token is intended for.

verify_token(token: str, key: Union[str, dict]) -> dict

Decode a JSON Web Token and verify its signature with a key. Confirm that the received token has expected values for the audience and issuer claims in its payload.

If verification fails, abort() is called. This raises an HTTP exception with status 401 (Unauthorized).

Parameters
  • token – The JSON Web Token.

  • key – Either an individual JSON Web Key or a JWK set.

Returns

The decoded JSON Web Token.

class backendapp.api.tokenauth.TokenAuthSymmetric(issuer: str, audience: str, secret: str)

An authenticator for tokens whose signatures are produced and verified with the same shared secret key (a symmetric MAC such as HS256, i.e. HMAC-SHA256).

__init__(issuer: str, audience: str, secret: str)

Instantiate an authenticator for tokens with symmetric (shared-secret) signatures. Verification fails unless the signature can be recomputed with the same secret key that produced it.

Parameters
  • issuer – The principal that issued the token (this application).

  • audience – The audience that the token is intended for.

  • secret – Used to generate and verify the token signature. Must not be shared outside this application.
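The following is an added example, not code from the backendapp project, showing what TokenAuth.verify_token and TokenAuthSymmetric are documented to do: parse a compact JWS, recompute its HMAC-SHA256 signature with the shared secret, and then check the issuer and audience claims. It uses only the standard library; the function names, the TokenVerificationError class and the additional exp (expiry) check are assumptions, and the secret and claims in the demo are constructed values.

```python
"""Added example (not the project's own code): HS256 JWT issue/verify with the
standard library, checking iss and aud the way TokenAuth.verify_token does."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenVerificationError(Exception):
    """Raised when a token must be rejected; a web layer would map this to 401."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256_token(payload: dict, secret: str) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: str, issuer: str, audience: str,
                       now: Optional[float] = None) -> dict:
    """Verify the signature, then the iss/aud/exp claims; return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenVerificationError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenVerificationError("malformed header or signature")
    # Pin the algorithm on the verifier side: the token never chooses it,
    # so 'alg: none' and algorithm-substitution tokens are rejected here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenVerificationError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise TokenVerificationError("bad signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenVerificationError("malformed payload")
    if not isinstance(payload, dict) or payload.get("iss") != issuer:
        raise TokenVerificationError("wrong issuer")
    # aud may be a single string or a list of strings (RFC 7519 section 4.1.3).
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenVerificationError("wrong audience")
    # Expiry check (assumed here; the page documents only iss and aud).
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenVerificationError("missing exp claim")
    if (now if now is not None else time.time()) >= exp:
        raise TokenVerificationError("token expired")
    return payload


def is_valid(token: str, secret: str, issuer: str, audience: str,
             now: Optional[float] = None) -> bool:
    """Boolean wrapper: True if the token verifies, False if it is rejected."""
    try:
        verify_hs256_token(token, secret, issuer, audience, now)
        return True
    except TokenVerificationError:
        return False


if __name__ == "__main__":
    # Constructed demo values, not real application secrets or claims.
    secret = "constructed-demo-secret"
    claims = {"iss": "backendapp", "aud": "consumer-api", "sub": "tag:42",
              "exp": int(time.time()) + 300}
    token = issue_hs256_token(claims, secret)
    print(verify_hs256_token(token, secret, "backendapp", "consumer-api"))
    print(is_valid(token, "wrong-secret", "backendapp", "consumer-api"))  # False
```

The verifier fixes the algorithm itself rather than trusting the token's alg header, compares signatures with hmac.compare_digest, and checks claims only after the signature is known to be good, so an unsigned or tampered payload never influences the issuer/audience decision.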

get_decoded_token() -> dict

Obtain a JSON Web Token from the authorization HTTP header and verify that it was issued by this application, using a secret known only to this application.

Returns

The decoded token.

backendapp.api.tokenauth.get_token_auth_header() -> str

Obtains an access token from the Authorization HTTP header.

The value of the Authorization header must have the format "Bearer <token>", where <token> is a JSON Web Token.

https://swagger.io/docs/specification/authentication/bearer-authentication/
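As an added example (not the project's own get_token_auth_header), the function below extracts the bearer token from a request's headers and rejects anything that is not exactly "Bearer <token>" with a well-formed compact JWS, which is the input the verifier above expects. The function names, the AuthHeaderError class and its mapping to a 401 response are assumptions; the header values in the demo are constructed.

```python
"""Added example (not the project's own code): strict extraction of the bearer
token from the Authorization header, as get_token_auth_header is documented."""
import re
from typing import Mapping


class AuthHeaderError(Exception):
    """Rejected header; a web layer would turn this into a 401 response."""
    status_code = 401


# A signed compact JWS is exactly three non-empty base64url segments joined by
# dots; unsigned tokens (empty third segment) are rejected before verification.
_COMPACT_JWS = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def get_token_from_headers(headers: Mapping[str, str]) -> str:
    """Return the JWT from 'Authorization: Bearer <token>' or raise AuthHeaderError."""
    # Header field names are case-insensitive (RFC 9110); normalise the lookup.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise AuthHeaderError("Authorization header is missing")
    parts = value.strip().split()
    # Exactly two tokens: anything extra is a malformed credential, not a JWT.
    if len(parts) != 2:
        raise AuthHeaderError("Authorization header must be exactly 'Bearer <token>'")
    scheme, token = parts
    # The auth scheme is case-insensitive; 'bearer' and 'BEARER' are accepted.
    if scheme.lower() != "bearer":
        raise AuthHeaderError("Authorization scheme must be Bearer")
    if not _COMPACT_JWS.match(token):
        raise AuthHeaderError("bearer token is not a compact JWS")
    return token


def header_is_acceptable(headers: Mapping[str, str]) -> bool:
    """Boolean wrapper: True if a bearer JWT can be extracted, else False."""
    try:
        get_token_from_headers(headers)
        return True
    except AuthHeaderError:
        return False


if __name__ == "__main__":
    # Constructed header values; the token segments are placeholders, not a real JWT.
    print(get_token_from_headers({"Authorization": "Bearer aaa.bbb.ccc"}))
    print(header_is_acceptable({"Authorization": "Basic dXNlcjpwYXNz"}))  # False
```

Rejecting malformed headers before any cryptographic work keeps the 401 path cheap and means the verifier only ever sees input in the shape it was written for.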