Once you have a token generated and have your client using it to access 
protected resources, what you need on the server side is the userid from the 
request, via request.authenticated_userid, and the auth policy already sets 
it to the same value as the sub. Then you just have to query your 
datastore to retrieve any info you need about the user. If you need roles 
or permissions you then need to use what pyramid provides you, as you would 
do for any other pyramid app.

The token is just a claim so I wouldn't rely on its encoded information to 
provide access level to your app. Anything about the user could change at 
any moment, so the token won't be up to date and will cause you more 
problems than the ones you are trying to solve.

On Wednesday, February 10, 2016 at 11:02:16 PM UTC-5, Krishnakant wrote:
>
> On Thursday 11 February 2016 02:45 AM, Paul Everitt wrote:
>
> On Feb 10, 2016, at 4:05 PM, Jonathan Vanasco <[email protected]> wrote:
>
> On Wednesday, February 10, 2016 at 10:27:33 AM UTC-5, Krishnakant wrote: 
>>
>>
>> Can I have the data be a dictionary inside the payload itself?
>> I don't want to use the sub or inside payload.
>>
>
> No. If you look at the source, `payload` is a specifically structured 
> managed dictionary that contains bookkeeping information.
> <https://github.com/wichert/pyramid_jwt/blob/master/src/pyramid_jwt/policy.py#L34-L43>
>
> IMO that payload shouldn’t contain very much. You’re going to get a token 
> which is going to be stored for some duration. Any information that goes in 
> there (e.g. first and last name) should be something that isn’t going to 
> change, for example, correcting a typo in the last name. Or, you might 
> change your mind about the payload structure and you then have to do 
> something to invalidate all the existing tokens and force a re-login.
>
> When I do JWT in Pyramid and Angular, I would do the authentication 
> request, get the response containing the token, and tie that to a JS 
> “promise” which immediately fetched the profile information separately.
>
> Hi Paul,
> Basically I have a userid and orgcode which never changes.
> It is retrieved from the database after proper login.
> So I expected that it will directly be a public part of the payload.
> Do you think such information should be in the sub directory?
> Happy hacking.
> Krishnakant.
>
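
The scheme described in the reply at the top (identify the caller from the verified sub, then fetch roles fresh from the datastore instead of trusting them from the token), as an added Python example that is not part of this thread or of pyramid_jwt itself. The HS256 helpers, `SECRET` and the `USERS` table are constructed stand-ins for the auth policy and a real datastore.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for this example, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(sub: str, **claims) -> str:
    """Mint an HS256 JWT; like pyramid_jwt, the policy owns the sub claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = dict(claims, sub=sub)
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verified_claims(token: str):
    """Return the payload only if the signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, AttributeError):  # bad base64/JSON or wrong segment count
        return None

def authenticated_userid(token: str):
    """What request.authenticated_userid gives you: the verified sub, or None."""
    claims = verified_claims(token)
    return claims.get("sub") if claims else None

# Constructed datastore: the source of truth for anything that may change.
USERS = {"42": {"orgcode": "ACME", "roles": ["viewer"]}}

def effective_roles(token: str):
    """Recommended: identify via sub, then look the roles up fresh in the datastore."""
    user = USERS.get(authenticated_userid(token))
    return list(user["roles"]) if user else None

def roles_from_claims(token: str):
    """The pattern the reply warns against: trusting roles frozen into the token."""
    claims = verified_claims(token)
    return list(claims.get("roles", [])) if claims else None
```

Changing a user's roles in `USERS` is visible immediately through `effective_roles`, while `roles_from_claims` keeps returning whatever was true when the token was minted.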
