Configuration Options
You can change many options for how this extension works via
app.config[OPTION_NAME] = new_options
General Options:
|
Where to look for a JWT when processing a request. The
options are |
|
How long an access token should live before it expires. This
takes any value that can be safely added to a |
|
How long a refresh token should live before it expires. This
takes any value that can be safely added to a |
|
Which algorithm to sign the JWT with. See here
for the options. Defaults to |
|
Which algorithms are allowed to decode a JWT.
Defaults to a list with only the algorithm set in |
|
The secret key needed for symmetric based signing algorithms,
such as |
|
The public key needed for asymmetric based signing algorithms,
such as |
|
The private key needed for asymmetric based signing algorithms,
such as |
|
Claim in the tokens that is used as source of identity.
For interoperability, the JWT RFC recommends using |
|
Claim in the tokens that is used to store user claims.
Defaults to |
|
Whether user claims should be included in refresh tokens.
Defaults to |
|
The key of the error message in a JSON error response when using
the default error handlers.
Defaults to |
|
The audience or list of audiences you expect in a JWT when decoding it.
The |
|
The leeway allowed when validating time-based claims, which
means a token whose expiration time is in the past, but not
very far in the past, still validates. This leeway is used for
nbf (“not before”) and exp (“expiration time”).
Defaults to |
|
If set, defines the iss (issuer) claim. |
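
The decode-side options above (allowed algorithms, leeway, expected audience) correspond to the checks sketched below. This is an added standard-library example, not the extension's own code; it handles HS256 only, the function and parameter names (`encode_hs256`, `decode`, `algorithms`, `leeway`, `audience`, `issuer`, `now`) are assumptions for illustration, and the issuer check is an assumed decode-side counterpart to the iss option.

```python
import base64, hashlib, hmac, json, time

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, secret: bytes) -> str:
    """Sign claims with HS256 (symmetric secret key)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def decode(token, secret, algorithms=("HS256",), leeway=0,
           audience=None, issuer=None, now=None):
    """Verify a token against the decode-side settings (hypothetical names)."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")
    alg = json.loads(b64d(head)).get("alg")
    # Allow-list check comes first: the header is untrusted input, so an
    # algorithm outside the list (for example "none") is rejected outright.
    # This sketch implements HS256 only, so anything else is refused too.
    if alg not in algorithms or alg != "HS256":
        raise ValueError(f"algorithm {alg!r} not allowed")
    good = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    # Leeway tolerates small clock skew on both time-based claims.
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if audience is not None:
        expected = {audience} if isinstance(audience, str) else set(audience)
        got = claims.get("aud", [])
        got = {got} if isinstance(got, str) else set(got)
        if not expected & got:
            raise ValueError("audience mismatch")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return claims
```

Keeping the leeway small matters: every second of leeway is a second during which an expired token is still accepted.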
Header Options:
These are only applicable if JWT_TOKEN_LOCATION
is set to use headers.
|
What header to look for the JWT in a request. Defaults to |
|
What type of header the JWT is in. Defaults to |
Query String Options:
These are only applicable if JWT_TOKEN_LOCATION
is set to use query strings.
|
What query parameter name to look for a JWT in a request. Defaults to |
JSON Body Options:
These are only applicable if JWT_TOKEN_LOCATION
is set to use JSON data.
|
Key to look for in the body of an application/json request. Defaults to |
|
Key to look for the refresh token in an application/json request. Defaults to |
Cross Site Request Forgery Options:
These are only applicable if JWT_TOKEN_LOCATION
is set to use cookies and
JWT_COOKIE_CSRF_PROTECT
is True.
|
The request types that will use CSRF protection. Defaults to
|
|
Name of the header that should contain the CSRF double submit value
for access tokens. Defaults to |
|
Name of the header that should contain the CSRF double submit value
for refresh tokens. Defaults to |
|
Whether to store the CSRF double submit value in
another cookie when using |
|
Name of the CSRF access cookie. Defaults to |
|
Name of the CSRF refresh cookie. Defaults to |
|
Path for the CSRF access cookie. Defaults to |
|
Path of the CSRF refresh cookie. Defaults to |
|
When no CSRF token can be found in the header, check the form data. Defaults to
|
|
Name of the form field that should contain the CSRF double submit value for access
tokens when no header is present. Only applicable if |
|
Name of the form field that should contain the CSRF double submit value for refresh
tokens when no header is present. Only applicable if |
Blacklist Options:
|
Enable/disable token revoking. Defaults to |
|
What token types to check against the blacklist. The options are
|