Python app example of authorization

Hi everybody,

Is there any working Python example of custom app authentication?
There is a Node example, but I cannot make it work on Python.

My Python code (powered by Flask and PyJWT)

import jwt
from flask import Flask, Response, request

app = Flask(__name__)
MY_CLIENT_SECRET = "..."  # placeholder: the secret used as the HS256 key
...
@app.route('/auth', methods=['GET'])
def auth():
    args = request.args
    token = args['token']  # JWT passed by monday as a query parameter
    # Decode and verify the token's signature with MY_CLIENT_SECRET
    data = jwt.decode(token, MY_CLIENT_SECRET, algorithms=['HS256', 'SHA256', 'RSASSA', 'HMAC'])
    return Response()  # just a stub for now

So I’m getting the error “Signature verification failed” when decoding the token (jwt.decode method).
What am I doing wrong?

Best regards,
Sergey.

Hi @snb,

Could you please confirm that you’re using your Signing Secret and not your Client Secret to decode the jwt?

You can find your Signing Secret in your App configuration page.

Yes, it worked, thank you. Meanwhile, I have to add the option

options={'verify_aud': False}

to the “decode” function to make it work.


Hello there @snb,

I am glad that worked!

I did not understand what you said about adding verify_aud to the options object. Would you please elaborate?

Looking forward to hearing from you!

Cheers,
Matias

@Matias.Monday the JWT contains an “aud” element. This is the full URL to which monday sent the original request. When we receive a token, we can look at our headers and determine to what URL the request was sent (or if someone is daring enough to hard code it into their code…)

We can pass this URL as follows (node.js)

jwt.verify(authHeader, secretKey, { audience: url })

Doing so, jwt.verify also checks that the token was sent by monday to the URL in question. I use it in my auth stage, as just a tiny bit of extra checking. Obviously an issue if you use redirects.

Now if only the expiration timestamp in the JWT wasn’t several minutes after the one in the shortLivedToken, which is when the API server starts rejecting the token. So I also have to verify the slt to get the real expiration time, so I can reject the request if the slt is too close to becoming invalid to complete execution of the scenario.


My code is:

data = jwt.decode(token, MY_SIGNING_SECRET, algorithms=['HS256', 'SHA256', 'RSASSA', 'HMAC'], options={'verify_aud': False})
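The following is an added example, not code from this thread or from monday.com. It shows, in Python, the three checks the thread discusses: verifying the HS256 signature with the Signing Secret (a wrong secret gives the "Signature verification failed" error seen above), checking the "aud" claim against the URL the request arrived at instead of disabling it with verify_aud, and reading the expiry of the shortLivedToken so a request can be rejected when the slt is about to become invalid. It re-implements the checks with the standard library so it runs without PyJWT installed; in a Flask app the equivalent call is jwt.decode(token, MY_SIGNING_SECRET, algorithms=['HS256'], audience=request.base_url). The secret, URL, claim layout and the 60-second margin are assumptions constructed for the example, and the slt's own signing key is not known here, so only its exp claim is read.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values for this example; not real monday.com secrets or URLs.
SIGNING_SECRET = "example-signing-secret"     # the app's Signing Secret, not its Client Secret
REQUEST_URL = "https://example.invalid/auth"  # the URL monday called, i.e. the expected 'aud'


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256_jwt(token: str, secret: str, audience: str,
                     now: Optional[float] = None) -> dict:
    """Check signature, 'aud' and 'exp', mirroring what PyJWT's
    jwt.decode(token, secret, algorithms=['HS256'], audience=audience) enforces."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: a token claiming 'none' or any other alg is rejected outright.
        raise ValueError("Unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        # The error the thread hit when the Client Secret was used as the key.
        raise ValueError("Signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        # Without this check a token issued for another URL would be accepted.
        raise ValueError("Invalid audience")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("Token expired")
    return claims


def unverified_exp(token: str) -> Optional[int]:
    """Read 'exp' from a JWT payload without checking its signature.

    Assumption: the shortLivedToken's signing key is not available to this app, so only
    its expiry is read; the outer token's verified signature already covers the slt value."""
    payload_b64 = token.split(".")[1]
    return json.loads(_b64url_decode(payload_b64)).get("exp")


def authorize(token: str, request_url: str, secret: str = SIGNING_SECRET,
              min_slt_seconds: float = 60, now: Optional[float] = None) -> dict:
    """Full check for one incoming request: verified claims plus the remaining lifetime
    of the shortLivedToken, rejecting requests whose slt would expire mid-scenario."""
    now = time.time() if now is None else now
    claims = verify_hs256_jwt(token, secret, request_url, now=now)
    slt = claims.get("shortLivedToken")
    slt_exp = unverified_exp(slt) if slt else None
    remaining = (slt_exp - now) if slt_exp is not None else None
    if remaining is not None and remaining < min_slt_seconds:
        raise ValueError(f"shortLivedToken expires in {remaining:.0f}s; too close to run the scenario")
    return {"claims": claims, "slt_seconds_remaining": remaining}
```

In a Flask handler, authorize(request.args['token'], request.base_url) is the whole check; which form of the URL to pass depends on exactly what monday puts in "aud", so compare against a real token once rather than hard-coding it, as the thread notes, and bear in mind that a redirect changes the URL the request finally arrives at.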

Yes, that’s for Python; I was just giving Matias a Node example and explanation.


Just checking – @snb did you get this working in the end? Seems like yes, but wanted to confirm 🙂