Auth0 authorization to a Python API with PyJWT
There is an example in the Auth0 quickstarts, but it uses python-jose-cryptodome and I already have PyJWT in the project.
So here is a small modification of this example.
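def _find_signing_key(token):
    """
    Look up the RSA public key that signed *token* in the tenant's JWKS.

    Reads the (still unverified) ``kid`` from the token header, fetches
    ``https://<AUTH0_DOMAIN>/.well-known/jwks.json`` and returns the first
    key with that ``kid`` as a JWK dict holding ``kty``, ``kid``, ``use``,
    ``n`` and ``e`` (whichever of them the key carries). Returns ``{}``
    when no key matches.

    The header is parsed before the network call, so a token that is not
    a JWT at all never causes a JWKS fetch.

    Raises:
        AuthError: 401 ``invalid_header`` when the token cannot be parsed
            or its header has no ``kid``.
        Network errors from ``urlopen`` (``urllib.error.URLError``,
            timeouts) propagate unchanged: an unreachable JWKS endpoint
            is a server-side problem, not an invalid client token.
    """
    try:
        kid = jwt.get_unverified_header(token)["kid"]
    except (jwt.InvalidTokenError, KeyError):
        # Previously this escaped the handler as an unhandled exception;
        # a malformed token is a client error and belongs in a 401.
        raise AuthError({"code": "invalid_header",
                         "description": "Unable to parse authentication token."}, 401)

    # A bounded timeout keeps a slow or hung JWKS endpoint from stalling
    # every authenticated request; the response is closed on exit.
    with urlopen("https://" + AUTH0_DOMAIN + "/.well-known/jwks.json",
                 timeout=10) as resp:
        jwks = json.loads(resp.read())

    # Copy only the fields PyJWT needs to rebuild the public key.
    # "use" is optional in a JWK, so it is skipped rather than failing
    # with KeyError when absent.
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return {name: key[name]
                    for name in ("kty", "kid", "use", "n", "e") if name in key}
    return {}


def requires_auth(f):
    """
    Determines if the Access Token is valid.

    Decorator for a request handler. Before ``f`` runs, the bearer token
    returned by ``get_token_auth_header()`` is matched to its signing key
    in the tenant JWKS and verified with PyJWT: signature (only the
    algorithms in ``ALGORITHMS`` are accepted), expiry, ``aud`` against
    ``API_AUDIENCE`` and ``iss`` against ``https://<AUTH0_DOMAIN>/``.
    The decoded claims are discarded, not passed on to ``f``.

    Raises:
        AuthError: HTTP 401 with code ``token_expired``,
            ``invalid_claims`` (audience or issuer mismatch) or
            ``invalid_header`` (unparseable token, no matching key, or
            any other verification failure).
    """
    @wraps(f)
    def decorated(*args, **kwargs):
        token = get_token_auth_header()
        rsa_key = _find_signing_key(token)
        if not rsa_key:
            raise AuthError({"code": "invalid_header",
                             "description": "Unable to find appropriate key"}, 401)
        try:
            jwt.decode(
                token,
                jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(rsa_key)),
                algorithms=ALGORITHMS,
                audience=API_AUDIENCE,
                issuer="https://" + AUTH0_DOMAIN + "/"
            )
        except jwt.ExpiredSignatureError:
            raise AuthError({"code": "token_expired",
                             "description": "token is expired"}, 401)
        except (jwt.InvalidAudienceError, jwt.InvalidIssuerError):
            raise AuthError({"code": "invalid_claims",
                             "description": "incorrect claims, please check the audience and issuer"}, 401)
        except Exception:
            # Every other failure (bad signature, disallowed alg, malformed
            # payload, ...) is reported with one generic code and message.
            raise AuthError({"code": "invalid_header",
                             "description": "Unable to parse authentication token."}, 401)
        return f(*args, **kwargs)
    return decorated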