Skip to main content

Python app example of authorization

  • December 13, 2022
  • 7 replies
  • 1340 views
S
  • snb
  • Participating Frequently

Hi everybody,

Is there any working Python example of custom app authentication?
There is a Node example, but I cannot make it work on Python.

monday apps framework

My Python code (powered by Flask and PyJWT)

import jwt
...
@app.route('/auth', methods=['GET'])
def auth():
    args = request.args
    token = args['token']
    data = jwt.decode(token, MY_CLIENT_SECRET, algorithms=['HS256', 'SHA256', 'RSASSA', 'HMAC'])
    return Response()  # just a stub for now

So I’m getting error “Signature verification failed” when decode the token (jwt.decode method).
What am I do wrong?

Best regards,
Sergey.

7 replies

A
  • Anonymous
  • December 13, 2022

Hi @snb,

Could you please confirm that you’re using your Signing Secret and not your Client Secret to decode the jwt?

You can find your Signing Secret in your App configuration page.

S
  • snb
  • Author
  • Participating Frequently
  • December 15, 2022

Yes, it worked, thank you. Meanwhile I have to add option

options={'verify_aud': False}

to “decode” function to make it work.

    Matias.Monday
    Forum|alt.badge.img
    • Matias.Monday
    • monday.com Team Member
    • December 15, 2022

    Hello there @snb,

    I am glad that worked!

    I did not understand what you said about adding verify_aud to the options object. Would you please elaborate?

    Looking forward to hearing from you!

    Cheers,
    Matias

    A
    • anon29275264
    • Participating Frequently
    • December 16, 2022

    @Matias.Monday the JWT contains an “aud” element. This is the full URL to which monday sent the original request. When we receive a token, we can look at our headers and determine to what URL the request was sent (or if someone is daring enough to hard code it into their code…)

    We can pass this URL as follows (node.js)

    jwt.verify(authHeader, secretKey, { audience: url })

    Doing so, jwt.verify also checks that the token was sent by monday to the URL in question. I use it in my auth stage, as just a tiny bit of extra checking. Obviously an issue if you use redirects.

    Now just if the expiration timestamp in the jwt wasnt several minutes after the one in the shortLivedToken which is when the API server starts rejecting the token. So I have to also verify the slt to get the real expiration time, so I can reject the request if the slt is too close to becoming invalid to complete execution of the scenario.

      S
      • snb
      • Author
      • Participating Frequently
      • December 16, 2022

      My code is:

      data = jwt.decode(token, MY_SIGNING_SECRET, algorithms=['HS256', 'SHA256', 'RSASSA', 'HMAC'], options={'verify_aud': False})
        A
        • anon29275264
        • Participating Frequently
        • December 16, 2022

        yes, thats for python, i was just giving matias a node example and explanation.

          dipro
          Forum|alt.badge.img
          • dipro
          • Leader
          • December 16, 2022

          Just checking – @snb did you get this working in the end? Seems like yes, but wanted to confirm 🙂

          Terms & ConditionsCookie settingsAccessibility statement