Is this a correct JWT authentication implementation?

I’ve created a Flask RESTful API which requires an email / password and Facebook login flow. This will probably need to be extended in the future to support more social logins.

I’ve chosen to authenticate users using JWT.

Since I want to support multiple types of login flows, I figured I need to define a custom grant type for each type of login.

I took a look at Flask-JWT, but this doesn’t seem to support custom grant types, not even for refresh tokens.

Because I couldn’t find another Flask JWT implementation, I had to write my own. My code works, but I have some concerns, considering there isn’t a Flask plugin that fulfils my requirements.

  • Is it a good practice at all to define custom grant types? rfc6749 states it is supported.
  • Did I implement the email / password / refresh token authentication flow correctly (Figure 1)?
  • Did I implement the Facebook authentication flow correctly (Figure 2)?
  • I’m using uuid4 to generate refresh tokens. Is this a good idea?

Email login flow

Facebook login flow


Disclaimer: it’s more a comment than an answer, but I needed more space.

First off, despite JWTs being simple, the OAuth2 flows tend to be complicated and cumbersome. In order to authenticate using Google, Facebook & co., you typically do not receive tokens directly.

  1. The user says “I want to log in”
  2. Your app says, oh, uh, here’s a Facebook redirect
  3. The user signs in, and a callback URL from you is called with a code
  4. On the server side, you receive the code and make a call to Google/Facebook to exchange the code for a JWT
  5. Now, you verify it
  6. Then, ok, the user is authenticated and you can redirect it to the original page

…it can also be nasty in the sense that many providers handle things slightly differently, and that for each one you’ll need to register and store secret key pairs.

Honestly, it’s a pain and I’d advise using third party services like:

Update: in the meantime, I feel like OAuth libraries have progressed and become simplier while’s service became more complex. So I’d now advise using code libs directly …except if you need to support a lot of auth providers.

The flow is the same, but at least you have it streamlined. (And I’m not affiliated in any way with them)


Trả lời

Email của bạn sẽ không được hiển thị công khai. Các trường bắt buộc được đánh dấu *