Validating Google OIDC ID tokens

[acrossen]

I'm attempting to craft an auth system for my SPA that uses Google as the auth provider, and flask-jwt to validate tokens on the client. From the Flask back-end, I make the Google ID token (which is a JWT) available to my JS front-end, which gets used in the UI as well as being sent along in an Auth header to API calls protected with @jwt_required.

I successfully integrated flask-jwt-simple to do this, but since the Extended module is more sophisticated I'd like to migrate to that for its callbacks, etc. In so doing, I'm running into a couple roadblocks. I know the extended module is more opinionated, but I wondered whether making a couple things (at least that I've discovered so far) configurable would make my use case viable:

• Supporting audience verification like flask-jwt-simple. Google ID tokens have an audience and the simple module verifies them optionally via the JWT_DECODE_AUDIENCE config element. Not supporting audience at all causes PyJWT to fail validation when the token has an audience.
• Making the type claim optional via a config element.

I believe this would do the trick and make the validation process configurable to resemble that of its simple counterpart.

Thoughts? Thanks for a great module.

[vimalloc]

At first glance this seems like a reasonable change, but I'm not entirely sure if it will be that easy or if there will be more opinionated things that cause issues as we dive into this.

My initial thoughts are Instead of making an option to toggle the type of a token, I'm thinking it may make more sense to treat all incoming tokens that don't have a type as an access token, and actually shove that into the decoded token if it doesn't exist, similar to how empty user_claims work. That would allow us to:

• not add another option to the extension while still supporting your case
• preserving existing functionality in this extension
• Actually remove the type key from access tokens we create in this extension, making the underlying JWTs smaller, without causing a breaking change for existing users.

I'm pretty strapped for time right now. If you want to give this a shot and create a pull request, I would be very happy to work with you and see if we can get this working.

As an alternative, it might be easier to actually port some of the niceties of this extension over to the flask-jwt-simple extension. A lot of the stuff added in here could be safely brought over to the simple version of the extension. The main reason it hasn't yet is just because not may people are using that extension in comparison to this one. If you have a list of features you are looking for, I could tell you if it would be possible to migrate them over to the other extension.

Either way, let me know your thoughts.

Thanks! 👍

[acrossen]

Thanks for the quick reply and consideration, much appreciated. Your thought on type makes sense to me. You're right on the scope of changes needed; it's one of those things that reveals itself as it goes. That said, why don't I give it a shot with a PR for the Extended module.

Thanks, and stay tuned!
-a

[vimalloc]

Sounds great! If you run into any stumbling blocks feel free to ask in here, or jump in the gitter channel where we can chat in real time.

Good luck!

[vimalloc]

Released in 3.14.0. Thanks for contributing! 👍