# ask-a-descoper
s
Hi all, I'm working on integrating with Descope and have run into an issue that I'm sure has a simple answer and it has to do with the final step of session validation. As I understand it, by this point, the user has logged in, a cookie has dropped into their browser, and my system must make a backend call to validate that the session token is valid. That backend call is what's tripping me up, and please tell me if/where I'm confused. More info in the thread
I'm building a multi-tenant, role-based system, so I will need to know if the token is valid for the tenant and what the user's access level is when they are in my system. I suppose by this point, I don't need to validate that the user is who they say they are. Anyway, I'm wondering how I would do that with the Python descope package? My current code looks like this:

```python
# get the jwt token
session_token = auth_header.split(' ')[1]
# validate with descope
jwt_response = descope_client.validate_session(session_token=session_token)
# Extract tenant information from the jwt_response
tenants = jwt_response.get('tenants', [])
# Loop through the tenants to retrieve the tenant ID and roles
for tenant in tenants:
    tenant_id = tenant.get('id')
    roles = tenant.get('roles', [])
```

And this is where I blank, because I'm confused about how I would identify which role they have and secure this role-based functionality access in my app. Any thoughts? I'm a bit of a security novice, so please bear with me 🙂
a
That's great progress, so basically now you have the user's tenant and roles. In your app, you should let the users access the tenant they belong to, and protect the relevant resources according to the user's role/permissions. So let's say you have a resource in your backend called "television", and you want to limit the access to that resource by role "watcher"; you will need to write code that only lets users with the "watcher" role access the "television" resource. The protection can be at the top level (router) and also in lower levels, such as when querying the db itself. You can also hide/show relevant parts in your UI according to the user's role/tenant; you can get them from the JWT at the client side as well.
@orange-belgium-27264 / @important-microphone-85224 can provide best practices on how to write such code in python (annotations, etc.)
s
@steep-keyboard-7095 are you using Django? Or any other py framework? Some python pointers: https://github.com/descope/python-sdk#session-validation

https://www.youtube.com/watch?v=ZX6VU8De3io

s
I'm not, I'm just writing this in aws and flutter
o
Hi @steep-keyboard-7095 ! Are you building this with flet.dev? Are you using any python framework for the backend or just plain python?
The code you wrote above looks like a great start. At that point you have the tenant and roles for the authenticated user and can start building the logic that decides what that user can do based on their role.
s
Plain python
Ok, I think I understand what to do now. It seems I was right at the end and didn't even realize it! Thanks all!
o
You should consider a framework to help you move faster and provide lots of tools out of the box. Flask is a great choice for a plain REST API that keeps things simple; Django is a full-stack app framework which might be overkill if you're writing your front end somewhere else.
s
How do these compare to things like just using AWS lambda functions and Dockerized containers?
o
You can still write with flask in lambda, it would just provide a framework that would help you with routing, request handling etc.
s
Got it, thank you!
i
Hi @steep-keyboard-7095! In addition to what Omer said, please note that we also have convenient functions in our sdk to validate the session and check for roles/permissions, for example:
```python
jwt_response = descope_client.validate_and_refresh_session(session_token, refresh_token)
require_roles = ["role1", "role2"]
# `tenant` is the ID of the tenant the request is made against
valid_roles = descope_client.validate_tenant_roles(jwt_response, tenant, require_roles)
if not valid_roles:
    print("Access denied")
    # return Flask 401 Response or raise exception
```
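To connect the "watcher"/"television" pattern described earlier with the tenant-role check above, here is an added example (not code from this thread or from the Descope SDK) of a deny-by-default decorator in plain Python. The claims dict shape and all names in it are constructed for the example; adapt `roles_in_tenant` to what `validate_session` returns in your SDK version.

```python
import functools
from typing import Callable, Iterable, Mapping

# Constructed stand-in for the tenant claims of an already *validated* session
# JWT (signature checked by validate_session): tenant ID -> roles granted there.
CONSTRUCTED_CLAIMS = {
    "sub": "user-123",
    "tenants": {
        "tenant-a": {"roles": ["watcher"]},
        "tenant-b": {"roles": ["admin", "watcher"]},
    },
}


class AccessDenied(Exception):
    """Raised when the caller lacks the required roles in the requested tenant."""


def roles_in_tenant(claims: Mapping, tenant_id: str) -> set:
    """Roles the caller holds in `tenant_id`; empty set if not a member."""
    return set(claims.get("tenants", {}).get(tenant_id, {}).get("roles", []))


def has_tenant_roles(claims: Mapping, tenant_id: str, required: Iterable[str]) -> bool:
    """True only if the caller belongs to the tenant AND holds every required role."""
    granted = roles_in_tenant(claims, tenant_id)
    return bool(granted) and set(required).issubset(granted)


def require_tenant_roles(*required: str) -> Callable:
    """Decorator for a handler(claims, tenant_id, ...). The tenant comes from the
    request (e.g. the URL path), never from client-supplied role data; membership
    and roles are looked up in the verified claims. Anything else is denied."""
    def decorator(handler: Callable) -> Callable:
        @functools.wraps(handler)
        def guarded(claims, tenant_id, *args, **kwargs):
            if not has_tenant_roles(claims, tenant_id, required):
                raise AccessDenied(f"missing roles {required!r} in {tenant_id}")
            return handler(claims, tenant_id, *args, **kwargs)
        return guarded
    return decorator


@require_tenant_roles("watcher")
def watch_television(claims: Mapping, tenant_id: str) -> str:
    return f"{claims['sub']} is watching television in {tenant_id}"


def check_access(claims: Mapping, tenant_id: str) -> str:
    """Router-level wrapper: turn AccessDenied into the 'Access denied' outcome."""
    try:
        return watch_television(claims, tenant_id)
    except AccessDenied:
        return "Access denied"
```

The same check belongs at lower layers too (for example, scoping every database query by `tenant_id`), so a bug in one router does not expose another tenant's data.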
s
@important-microphone-85224 How do I get the refresh token?
s
@dazzling-oyster-96577 @salmon-night-88354 can you help here ?
i
There are two options for getting the refresh token, and it depends on your configuration (see attached screenshot) and which "Token response method" you choose under the Project settings:
1. If you choose "Manage in cookies", the refresh token will be returned as a value inside the "DSR" cookie (make sure the custom domain matches the domain you are testing on).
2. If you choose "Manage in response body", you will get the refresh token in the jwt_response object (the dict that is returned after the user logs in, based on the auth method you are using), which includes the access token ("sessionJwt") and refresh token ("refreshJwt").
You can take a look at the example here: https://github.com/descope/python-sdk/blob/main/samples/magiclink_sample_app.py - this example uses the second option, where the refresh token is returned in the response body. And you can also just use the descope_client.validate_session(..) function; the one with the refresh token will just auto-refresh the access token once it expires. Please let me know if you managed to get it working or you want to have a short zoom session (I'll be available in about two hours).