# support-questions-legacy
h
Hey @rp_st, I'm using the supertokens-python fastapi SDK as the backend for my application. I have two services running on different ports: 8000 for the supertokens-auth-service and 8001 for the other backend service. Both services are on the same subdomain. In my backend services, I have an app-to-app API call (backend to backend) that doesn't involve the frontend. These API calls are authenticated and protected. The problem arises when I use cookie-based authentication for the API call and my access token has expired. In this case, I receive a 401 error response with a message to try refreshing the token. To handle this scenario, I can make another API call to the /auth/session/refresh endpoint from the backend itself if I receive a 401 refresh token error. This allows me to refresh the access token. However, I'm unsure if this approach will also refresh the access token at the frontend. If it doesn't, it could potentially create issues. I'm also wondering if there are alternative ways to achieve this. Is it possible to use header-based authentication instead of cookies?
r
hey. You can't make a call to the refresh endpoint from the backend, since the refresh token is only stored on the frontend.
h
so what is the alternative? How can we make app-to-app calls?
r
which service is queried from the frontend? the 8000 one or the 8001 one?
h
In my scenario, there is no involvement of the frontend. By app to app I mean I want one backend to make a call to another one. Both backends have the common supertokens-core.
r
ohh i see
well yea.. then you need to store the refresh token on your backend and use that
h
Is there a JWT and X509 certificate-based auth scheme that you plan to add to supertokens? Or is it already present?
r
yea. We do issue JWTs
see our microservice auth guide
h
Thank you, I am looking into it
Hey @rp_st, from https://supertokens.com/docs/microservice_auth/jwt-verification/index#claim-verification I can conclude that microservice m1 makes an API call to m2 by sending the JWT in the authorization header. m2 makes an internal call to http://localhost:8000/auth/jwt/jwks.json to get the rsa_key, and this rsa_key is used to decode/verify the token. But somehow the /auth/jwt/jwks.json is not working. I don't know why. Is there something that I missed?
Here is my code:

```python
import json
from typing import Optional

import requests
from fastapi import APIRouter, HTTPException, Request
from jose import JWTError, jwt

router = APIRouter()
# Assumed: the auth service from the thread runs on port 8000 (api_domain was not defined in the posted snippet)
api_domain = "http://localhost:8000"
jwks_uri = f"{api_domain}/auth/jwt/jwks.json"


def get_key(header):
    # Fetch the JWKS from the auth service and select the key whose kid matches the token header.
    # Note: this is a blocking (synchronous) request. Called from an async handler it blocks the
    # event loop, which is the problem identified later in this thread.
    print("jwks_uri", jwks_uri)
    jwks_client = requests.get(jwks_uri).content
    jwks_client = json.loads(jwks_client)
    rsa_key = {}
    for key in jwks_client['keys']:
        if key['kid'] == header['kid']:
            rsa_key = {
                'kty': key['kty'],
                'kid': key['kid'],
                'use': key['use'],
                'n': key['n'],
                'e': key['e']
            }
    return rsa_key


@router.get("/microservice-auth-test")
async def microservice_auth_test(request: Request):
    authorization: Optional[str] = request.headers.get('authorization')
    if authorization:
        parts = authorization.split()

        if parts[0].lower() != 'bearer':
            raise HTTPException(status_code=401, detail='Invalid token header')
        elif len(parts) == 1:
            raise HTTPException(status_code=401, detail='Token missing')
        elif len(parts) > 2:
            raise HTTPException(status_code=401, detail='Token contains spaces')

        jwt_token = parts[1]
        print("Received jwt token", jwt_token)  # debug output
        try:
            # A malformed token raises JWTError here; return 401 instead of an unhandled 500
            headers = jwt.get_unverified_header(jwt_token)
        except JWTError as e:
            raise HTTPException(status_code=401, detail='Invalid token') from e
        print("unverified_header ", headers)
        rsa_key = get_key(headers)
        print("rsa_key ", rsa_key)
        if not rsa_key:
            # No JWKS entry matched the token's kid: reject instead of decoding with an empty key
            raise HTTPException(status_code=401, detail='Unknown signing key')

        try:
            # Verify the signature against the JWKS key; only RS256 is accepted
            payload = jwt.decode(jwt_token, rsa_key, algorithms=['RS256'])
            user_id = payload.get('userid')
            return {"userId from auth service": user_id}  # was a set literal in the original, which is not JSON-serialisable
        except JWTError as e:
            raise HTTPException(status_code=401, detail='Invalid token') from e
    else:
        raise HTTPException(status_code=401, detail='Token missing')
```
r
when you say not working, what do you mean? The API is returning a 404? Can you query the endpoint from your browser and see what it returns?
h
Oh, found the issue. Instead of just using synchronous requests I have to use asynchronous functions with httpx or any other asynchronous HTTP library to prevent blocking of the event loop. This synchronous request creates a looping issue. That's why I couldn't get the result of the API.
r
right! okay