flask-jwt-extended

• Fix some issues introduced in 3.1.0 when using a JWT_IDENTITY_CLAIM that is not 'identity' (#67)

• Allows changing the identity claim name via JWT_IDENTITY_CLAIM options (#65)

First off, sorry and advance, as this is a big breaking change for how blacklist and token revoking works. If you use these features, you will need to update your application accordingly to get everything working with the 3.x.x releases. If you are not using the token blacklisting/revoking features, you should be able to update to the 3.x.x releases without any issues.

Token revoking has always been the weakest part of this extension. It locked you in to a single (not overly efficient) way of doing things, and didn't provide any way to customize this feature to fit with your applications needs.This library always aimed to give you the tools needed so that you could do whatever it was you wanted to do with your application. Unfortunately, the original blacklist feature did not do this, and thus why I am making a large breaking change to introduce a new blacklisting system.

This new blacklisting system only requires that you give this extension a callback function that checks if a token has been revoked or not. It is now up to you to provide this function, as well as keeping track of the revoked tokens.

To upgrade to the 3.x.x branch, you will need to remove theapp.config['JWT_BLACKLIST_STORE'], and use your own code to store blacklisted tokens. You will also need to use the @jwt.token_in_blacklist_loaderto provide a callback method which we use to check if a token is expired. Finally, if you are using app.config['JWT_BLACKLIST_STORE'] = 'all'', you will need to change it to app.config['JWT_BLACKLIST_STORE'] = ['access', 'refresh'].

Check out these links for examples that you can use with your application:

• https://github.com/vimalloc/flask-jwt-extended/blob/master/examples/blacklist.py
• https://github.com/vimalloc/flask-jwt-extended/blob/master/examples/redis_blacklist.py
• https://github.com/vimalloc/flask-jwt-extended/tree/master/examples/database_blacklist

(I'm also generally available in IRC to help out if you have any questions. I am in #flask-jwt-extended on freenode).

Final Note: I know breaking changes suck. I am very happy with where this extension is at now, and do not foresee any more breaking changes on the horizon. I will to do everything I can to prevent more breaking changes from here on out.

Change List

• JWT_BLACKLIST_STORE option has been removed.
• all simplekv code has been removed.
• JWT_BLACKLIST_TOKEN_CHECKS option now takes a string or a list of strings, and the valid strings are ['access', 'refresh'] instead of 'refresh' or 'all'.
• JWT_BLACKLIST_TOKEN_CHECKS option now defaults to ['access', 'refresh']. This is the equivalent of the 'all' option in 2.x.x.
• Add @jwt.token_in_blacklist_loader decorator. This is used to register a callback function for checking if a token has been blacklisted.
• Add decode_token(encoded_token) function, which lets you decode an encoded token.
• Users now needs to add tokens to the blacklist themselves, it is no longer automatically added in the create_access_token() and create_refresh_token() calls.

• Export get_jti(encoded_token) in __init__.py (#53)

• Adds user_loader feature (#49 and #56): Documentation here: http://flask-jwt-extended.readthedocs.io/en/latest/complex_objects_from_token.html

• Adds ability to overwrite expires time in create_access_token and create_refresh_token with optional expires_delta kwarg (#52 and #55)

• Adds ability to get jti from an encoded token (#51)
• New optional kwarg encoded_token which can be passed to get_stored_token (#51)

• get_jwt_identity() now returns None instead of {} if no jwt is present

• Add jwt_optional decorator (#46, thanks @carlegbert)

• Fix import error when using older versions of pyjwt (refs #42)
• Make cryptography an optional dependency (see http://flask-jwt-extended.readthedocs.io/en/latest/installation.html for installation instructions)
• Add JWT_SECRET_KEY option. It will check this first, then fall back to using app.secret_key if it isn't set. Only used on symmetric signing algorithms, such as the HS* ones.
• Add JWT_PRIVATE_KEY option in place of app.secret_key for asymmetric (public/private key) signing algorithms. It now uses this option instead of app.secret_key, and is a breaking change from version 1.5.0.
• Update requirements.txt to use newest version of pyjwt

• Adds support for asymmetric cryptography (#40)

• Fixes an issue where decoding a JWT would use the algorithm that was defined in the JWT instead of the algorithm that was defined in app.config['JWT_ALGORITHM'] (refs #39)

• Add JWT_COOKIE_DOMAIN option, to control the cross-domain cookie setting for the underlying flask set_cookie call.

• Big refactoring of code behind the scenes. Shouldn't cause any breaking problems with existing applications
• Depreciate JWT_CSRF_HEADER_NAME and add JWT_ACCESS_CSRF_HEADER_NAME and JWT_REFRESH_CSRF_HEADER_NAME (refs #37)
• Add options to change the cookie paths for JWT_ACCESS_CSRF_COOKIE_NAME and JWT_REFRESH_CSRF_COOKIE_NAME via JWT_ACCESS_CSRF_COOKIE_PATH and JWT_ACCESS_CSRF_COOKIE_PATH (refs #33)
• Add option to not store csrf double submit values in addition cookies via JWT_CSRF_IN_COOKIES and add get_csrf_token(encoded_token) method so you could grab the CSRF double submit values out of a created token, and return them another way (for example, in the resulting JSON of a request). (refs #33)

• Adds option to use expires cookies instead of session cookies (#35)
• Properly deletes csrf cookies in the unset_jwt_cookies method

• Raises helpful error messages when attempting to use cookie methods without this extension being configured to use cookies (ref #31)

• Preserve CSRF errors when using headers and cookies together
• Allow only specified request types to need CSRF protection, when using cookies with CSRF protection enabled. Defaults to ['PUT', 'PATCH', 'POST, 'DELETE'], and can be change with the app.config['JWT_CSRF_METHODS'] option

• Fixes bug with using @user_identity_loader with refresh tokens (#27)

• Adds support for using JWTs in cookies and tokens at the same time (refs #26)

• Tested against python 3.6
• Adds ability to access full (raw) jwt in a protected endpoint (#22)